(CAPA) Detect File Melt
```yaml
rule:
  meta:
    name: self delete
    namespace: anti-analysis/anti-forensic/self-deletion
    authors:
      - michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Defense Evasion::Indicator Removal on Host::File Deletion [T1070.004]
    mbc:
      - Defense Evasion::Self Deletion::COMSPEC Environment Variable [F0007.001]
    examples:
      - Practical Malware Analysis Lab 14-02.exe_:0x401880
  features:
    - and:
      - or:
        - match: get COMSPEC environment variable
        - string: "cmd.exe"
      - match: host-interaction/process/create
      - string: /\/c\s*del\s*/
        description: "/c del"
      - optional:
        - string: /\s*>\s*nul\s*/i
          description: "> nul"
```
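To see what the feature tree above actually accepts and rejects, the following Python walks it over a few function-level feature sets. This is an added example, not capa's matching engine and not part of the rule: the two rules it references by name (`get COMSPEC environment variable`, `host-interaction/process/create`) are approximated by small API-name sets that are assumptions, and the feature sets are constructed for the illustration, not extracted from Lab 14-02. The two regexes are copied from the rule; the plain `string: "cmd.exe"` feature is evaluated the way capa evaluates a `string:` feature, as an exact match against a whole extracted string, not a substring search.

```python
import re

# Regexes copied from the rule's two regex string features. capa compiles
# /.../ patterns with Python's re module, so the semantics carry over; the
# trailing i on the second pattern becomes re.IGNORECASE.
DEL_RE = re.compile(r"\/c\s*del\s*")            # note: \s* also accepts "/cdel"
NUL_RE = re.compile(r"\s*>\s*nul\s*", re.IGNORECASE)

# The rule matches two other rules by name. Their real definitions are not on
# this page; these API sets are ASSUMPTIONS that stand in for them here.
COMSPEC_APIS = {"GetEnvironmentVariableA", "GetEnvironmentVariableW",
                "ExpandEnvironmentStringsA", "ExpandEnvironmentStringsW"}
PROCESS_CREATE_APIS = {"CreateProcessA", "CreateProcessW", "ShellExecuteA",
                       "ShellExecuteW", "WinExec", "system"}


def get_comspec_environment_variable(feats):
    # Stand-in for the referenced rule: an environment lookup API plus the
    # literal string COMSPEC somewhere in the function.
    return bool(feats["apis"] & COMSPEC_APIS) and "COMSPEC" in feats["strings"]


def host_interaction_process_create(feats):
    # Stand-in for the referenced rule: any process-spawning API.
    return bool(feats["apis"] & PROCESS_CREATE_APIS)


def evaluate_self_delete(feats):
    """Walk the rule's feature tree over one function's extracted features.

    feats is {"apis": set[str], "strings": set[str]}, a simplified shape of
    what capa extracts at function scope. Returns the verdict and whether the
    optional "> nul" feature fired; optional never changes the verdict, capa
    only reports it alongside the match.
    """
    strings = feats["strings"]
    # or: match get COMSPEC environment variable / string "cmd.exe"
    # A plain string: feature is an exact match against a whole extracted
    # string, so "cmd.exe" embedded in a longer format string does not count.
    launcher = get_comspec_environment_variable(feats) or "cmd.exe" in strings
    spawns = host_interaction_process_create(feats)
    del_cmd = any(DEL_RE.search(s) for s in strings)
    nul_redirect = any(NUL_RE.search(s) for s in strings)
    return {"matched": launcher and spawns and del_cmd, "nul_redirect": nul_redirect}


# Constructed feature sets (not extracted from any real sample).
COMSPEC_STYLE = {   # resolves %COMSPEC%, builds "/c del <path> > nul", spawns it
    "apis": {"GetEnvironmentVariableA", "GetModuleFileNameA", "CreateProcessA"},
    "strings": {"COMSPEC", '/c del "%s" > nul'},
}
LITERAL_CMD_EXE = {  # hard-coded cmd.exe as its own string, no output redirect
    "apis": {"WinExec"},
    "strings": {"cmd.exe", "/c del %s"},
}
EMBEDDED_CMDLINE = {  # whole command line in one string, no COMSPEC lookup
    "apis": {"ShellExecuteA"},
    "strings": {"cmd.exe /c del %s > nul"},
}
NO_SPAWN = {  # builds the command but never creates a process
    "apis": {"GetEnvironmentVariableA", "lstrcatA"},
    "strings": {"COMSPEC", "/c del %s > nul"},
}

if __name__ == "__main__":
    for name, feats in [("COMSPEC_STYLE", COMSPEC_STYLE), ("LITERAL_CMD_EXE", LITERAL_CMD_EXE),
                        ("EMBEDDED_CMDLINE", EMBEDDED_CMDLINE), ("NO_SPAWN", NO_SPAWN)]:
        print(name, evaluate_self_delete(feats))
```

The third feature set is the case worth remembering: it carries the full `cmd.exe /c del ... > nul` command line, so both regexes hit, yet the rule does not fire because neither `or` branch is satisfied (no COMSPEC lookup and no stand-alone `cmd.exe` string). A variant that embeds the launcher in one format string therefore needs a `substring:` feature or a COMSPEC-based branch to be caught; the `> nul` feature, being `optional`, only adds detail to a match and can never rescue one.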
Created: June 28, 2022
Last Revised: November 13, 2024