From e851c561b90237029510110d77819d24017aa338 Mon Sep 17 00:00:00 2001
From: Daniel Stepanic <57736958+dstepanic@users.noreply.github.com>
Date: Fri, 26 Apr 2024 13:23:18 -0500
Subject: [PATCH] Update self-delete-using-alternate-data-streams.yml

---
 ...lf-delete-using-alternate-data-streams.yml | 29 +++++++++++++------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
index 546f1995..bb11184c 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -19,16 +19,27 @@ rule:
 features:
 - and:
 - count(api(kernel32.SetFileInformationByHandle)): 2
- - basic block:
- - and:
- - api: kernel32.SetFileInformationByHandle
- - optional:
+ - or:
+ - basic block:
+ - and:
+ - api: kernel32.SetFileInformationByHandle
+ - optional:
+ - number: 3 = FileRenameInfo
+ - call:
+ - and:
+ - api: SetFileInformationByHandle
 - number: 3 = FileRenameInfo
- - basic block:
- - and:
- - api: kernel32.SetFileInformationByHandle
- - number: 4 = FileDispositionInfo
- - number: 1 = TRUE // fDelete.DeleteFile = TRUE;
+ - or:
+ - basic block:
+ - and:
+ - api: kernel32.SetFileInformationByHandle
+ - number: 4 = FileDispositionInfo
+ - number: 1 = TRUE // fDelete.DeleteFile = TRUE;
+ - call:
+ - and:
+ - api: SetFileInformationByHandle
+ - number: 4 = FileDispositionInfo
+ - number: 1 = TRUE // fDelete.DeleteFile = TRUE;
 - and:
 - count(api(kernel32.CreateFile)): 2
 - number: 0x10000 = DELETE
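Review bot: The two new `call:` branches name the API as the bare `api: SetFileInformationByHandle`, while the sibling `basic block:` branches and the unchanged `count(api(kernel32.SetFileInformationByHandle)): 2` line keep the `kernel32.` prefix; if the prefix is dropped on purpose because of how API names surface in the dynamic scope, a short comment such as `# dynamic call scope: API name has no module prefix` next to the first `call:` would stop the next editor from "fixing" it, otherwise the two forms should be aligned. In the second `call:` branch, `number: 1 = TRUE // fDelete.DeleteFile = TRUE;` describes a field of the FILE_DISPOSITION_INFO structure passed by pointer rather than a direct argument of the call, so it is worth confirming that this value is actually observable as a call argument in the dynamic trace; if it is not, that branch can never match and only the `number: 4 = FileDispositionInfo` condition is doing work. The rule header with its scope declarations lies before this hunk, so the static/dynamic pairing is inferred here rather than visible.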