From 9b39e2626099e11fa3679596d10b00a513974574 Mon Sep 17 00:00:00 2001 From: secDre4mer <61268450+secDre4mer@users.noreply.github.com> Date: Tue, 3 Sep 2024 22:20:20 +0200 Subject: [PATCH] Merge PR #4995 from @secDre4mer - Add `Process Deletion of Its Own Executable` new: Process Deletion of Its Own Executable --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- .../file_delete_win_delete_own_image.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/file/file_delete/file_delete_win_delete_own_image.yml diff --git a/rules/windows/file/file_delete/file_delete_win_delete_own_image.yml b/rules/windows/file/file_delete/file_delete_win_delete_own_image.yml new file mode 100644 index 000000000..96cc47396 --- /dev/null +++ b/rules/windows/file/file_delete/file_delete_win_delete_own_image.yml @@ -0,0 +1,21 @@ +title: Process Deletion of Its Own Executable +id: f01d1f70-cd41-42ec-9c0b-26dd9c22bf29 +status: experimental +description: | + Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces. +references: + - https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion +author: Max Altgelt (Nextron Systems) +date: 2024-09-03 +tags: + - attack.defense-evasion +logsource: + product: windows + category: file_delete +detection: + selection: + TargetFilename|fieldref: Image + condition: selection +falsepositives: + - Some false positives are to be expected from uninstallers. +level: medium
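Review bot: the `TargetFilename|fieldref: Image` line in the `detection` block relies on the `fieldref` modifier, which only newer Sigma processing backends support, so conversion will fail on backends that do not; either state that requirement in the `description` or confirm the intended backend before merging. Also, `fieldref` is an exact equality between the two fields, so a deletion where the logged `TargetFilename` differs from `Image` only in case or path form would be missed, and that limitation is worth a sentence in `description` next to the "usually not possible without workarounds" remark. The single `falsepositives` entry is fine as written, but consider adding the self-updating installers that replace their own binary alongside "uninstallers", since they produce the same event pattern.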