
Process Deletion of Its Own Executable

Detects a process deleting its own executable file. This is usually not possible without workarounds, and malware may use it to hide its traces.

Author: Max Altgelt (Nextron Systems)
Created: Tue Sep 03
Rule ID: f01d1f70-cd41-42ec-9c0b-26dd9c22bf29
Log Source
Product: windows
Category: file_delete
Detection Logic (1 selector)
detection:
    selection:
        TargetFilename|fieldref: Image
    condition: selection
False Positives

Some false positives are to be expected from uninstallers.
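An added example, not the rule's or the Sigma project's own code, that evaluates the selection above (TargetFilename|fieldref: Image) over constructed file-delete events and shows the uninstaller false positive the rule documents. The case-insensitive path comparison and the Sysmon FileDelete event IDs (23/26) are assumptions about how a Windows backend would treat this log source.

```python
"""Evaluate the 'delete own image' Sigma selection over sample events (added example)."""
from typing import Iterable


def matches_self_delete(event: dict) -> bool:
    """True when the deleted file equals the deleting process's own image.

    The |fieldref modifier compares two fields of the same event instead of
    comparing a field against a literal. Windows paths are case-insensitive,
    so the comparison is case-folded here (assumption about backend behaviour;
    a case-sensitive backend would miss the third sample event below).
    """
    target = event.get("TargetFilename")
    image = event.get("Image")
    if not target or not image:
        return False
    return target.casefold() == image.casefold()


def find_self_deletes(events: Iterable[dict]) -> list[dict]:
    """Apply 'condition: selection' to a stream of file_delete events."""
    return [e for e in events if matches_self_delete(e)]


# Constructed sample events shaped like Sysmon FileDelete records
# (category file_delete typically maps to Sysmon Event ID 23 or 26).
SAMPLE_EVENTS = [
    # True positive: a dropper removing its own image from a temp directory.
    {"EventID": 23,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    # Benign: a process deleting an unrelated file.
    {"EventID": 23,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\notes.txt"},
    # Expected false positive per the rule: an uninstaller removing itself.
    {"EventID": 26,
     "Image": r"C:\Program Files\Vendor\uninstall.exe",
     "TargetFilename": r"c:\program files\vendor\UNINSTALL.EXE"},
]

if __name__ == "__main__":
    for hit in find_self_deletes(SAMPLE_EVENTS):
        print("self-delete:", hit["Image"])
```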

MITRE ATT&CK
Rule Metadata
Rule ID
f01d1f70-cd41-42ec-9c0b-26dd9c22bf29
Status
test
Level
medium
Type
Detection
Created
Tue Sep 03
Path
rules/windows/file/file_delete/file_delete_win_delete_own_image.yml
Raw Tags
attack.defense-evasion