feat: check for processes deleting themselves #4995
Merged
Summary of the Pull Request
Add a rule to detect Windows binaries deleting themselves.
Changelog
new: Process Deletion of Its Own Executable
Example Log Event
AURORA: Notice MODULE: Sigma MESSAGE: Sigma match found RULE_TITLE: Process Deleted Its Own Executable RULE_AUTHOR: Max Altgelt RULE_DESCRIPTION: Detects deletion of a process's own executable by itself. This is usually not possible without workarounds and may be used by malware to hide its own traces. RULE_FALSEPOSITIVES: RULE_ID: f01d1f70-cd41-42ec-9c0b-26dd9c22bf29 RULE_LEVEL: medium RULE_MODIFIED: 2024-09-03 RULE_PATH: correlation.yml RULE_REFERENCES: https://github.com/joaoviictorti/RustRedOps/tree/main/Self_Deletion RULE_SIGTYPE: custom COMMANDLINE: "\"C:\\Users\\Max\\Downloads\\deleteself2.exe\"" COMPUTER: DESKTOP-EEM5B52 CORRELATION_ACTIVITYID: {00000000-0000-0000-0000-000000000000} EVENTID: 26 EXECUTION_THREADID: 448 EXTRAINFORMATION: 0x0 FILEKEY: 0xFFFFAF0EA6DDF280 FILEOBJECT: 0xFFFFBF8A8CD059A0 FILEPATH: \Device\HarddiskVolume2\Users\Max\Downloads\deleteself2.exe IMAGE: C:\Users\Max\Downloads\deleteself2.exe INFOCLASS: 64 IRP: 0xFFFFBF8A87DF1AF8 ISSUINGTHREADID: 448 KEYWORDS: 0x8000000000000400 LEVEL: 4 MATCH_STRINGS: C:\Users\Max\Downloads\deleteself2.exe in TargetFilename OPCODE: 0 PARENTCOMMANDLINE: c:\windows\system32\windowspowershell\v1.0\powershell.exe PARENTIMAGE: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PROCESSID: 7424 PROVIDER_GUID: {EDD08927-9CC4-4E65-B970-C2560FB5C289} PROVIDER_NAME: Microsoft-Windows-Kernel-File SECURITY_USERID: S-1-5-21-1104056715-1399659138-4213224034-1001 TARGETFILENAME: C:\Users\Max\Downloads\deleteself2.exe TASK: 26 TIMECREATED_SYSTEMTIME: 2024-09-03T13:08:51.4639719+02:00 USER: DESKTOP-EEM5B52\Max VERSION: 1 WINVERSION: 19045
Fixed Issues
SigmaHQ Rule Creation Conventions
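As an added example (not part of this PR and not the SigmaHQ rule's own detection block), a small Python check that applies the logic the log event above implies to Aurora-style "KEY: value" lines: a Microsoft-Windows-Kernel-File event 26 whose TargetFilename equals the Image of the deleting process. The sample lines are constructed, and the field-equality comparison is an assumption about how the rule matches, not a quote of it.

```python
import re

# Constructed samples in the Aurora "KEY: value" format shown in the PR.
# The first mirrors the self-deletion event; the second is a process
# deleting an unrelated file and must not match.
SAMPLE_EVENTS = [
    'EVENTID: 26 PROVIDER_NAME: Microsoft-Windows-Kernel-File '
    'IMAGE: C:\\Users\\Max\\Downloads\\deleteself2.exe '
    'TARGETFILENAME: C:\\Users\\Max\\Downloads\\deleteself2.exe PROCESSID: 7424',
    'EVENTID: 26 PROVIDER_NAME: Microsoft-Windows-Kernel-File '
    'IMAGE: C:\\Windows\\System32\\notepad.exe '
    'TARGETFILENAME: C:\\Users\\Max\\Downloads\\notes.tmp PROCESSID: 1234',
]

# Keys are upper-case tokens of two or more characters followed by ": ";
# the two-character minimum keeps drive letters such as "C:" inside values.
KEY_RE = re.compile(r'(?:^|\s)([A-Z][A-Z_]+): ')


def parse_aurora_line(line):
    """Split one Aurora log line into a dict of field name -> value."""
    fields = {}
    matches = list(KEY_RE.finditer(line))
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        fields[m.group(1)] = line[start:end].strip()
    return fields


def normalize_path(path):
    """Windows paths compare case-insensitively; strip quoting and unify slashes."""
    return path.strip('"').replace('/', '\\').lower()


def is_self_deletion(fields):
    """True when a Kernel-File delete event (EventID 26) targets the deleting process's own image."""
    if fields.get('PROVIDER_NAME') != 'Microsoft-Windows-Kernel-File':
        return False
    if fields.get('EVENTID') != '26':
        return False
    image, target = fields.get('IMAGE'), fields.get('TARGETFILENAME')
    if not image or not target:
        return False
    return normalize_path(image) == normalize_path(target)


def find_self_deletions(lines):
    """Return the parsed events that match the self-deletion check."""
    return [f for f in map(parse_aurora_line, lines) if is_self_deletion(f)]
```

Matching on full-path equality rather than a substring keeps a process that deletes a differently named file in its own directory from triggering.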