rule:
  meta:
    name: self delete
    namespace: anti-analysis/anti-forensic/self-deletion
    authors:
      - michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Defense Evasion::Indicator Removal on Host::File Deletion [T1070.004]
    mbc:
      - Defense Evasion::Self Deletion::COMSPEC Environment Variable [F0007.001]
    examples:
      - Practical Malware Analysis Lab 14-02.exe_:0x401880
  features:
    - and:
      - or:
        - match: get COMSPEC environment variable
        - string: "cmd.exe"
      - match: host-interaction/process/create
      - string: /\/c\s*del\s*/
        description: "/c del"
      - optional:
        - string: /\s*>\s*nul\s*/i
          description: "> nul"