Process Deletion of Its Own Executable

Rule Info

Name: Process Deletion of Its Own Executable
Author: Max Altgelt (Nextron Systems)
Description: Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
Date: 2024-09-03 00:00:00
Modified: None
Id: f01d1f70-cd41-42ec-9c0b-26dd9c22bf29
Tags: attack.defense-evasion DEMO
Type: Community Rule

Rule History

Author: secDre4mer
Title: Merge PR #4995 from @secDre4mer - Add `Process Deletion of Its Own Executable`
Date: 2024-09-03
Commit: