Create self-delete-using-alternate-data-streams.yml

[dstepanic]

Reference: #894
Test data: mandiant/capa-testfiles#231

Adding capa rule for self-deletion technique. I tried to capture the main behaviors in the rule across two implementations. I am open for suggestions or improvements to the rule. Thanks in advance!

[mr-tz]

nice, this may be a bit detailed and specific to the example compilation. can we relax the counts and instructions or do you think those are already focused on the core?

[dstepanic]

nice, this may be a bit detailed and specific to the example compilation. can we relax the counts and instructions or do you think those are already focused on the core?

It's a good question, I would lean towards those as being part of the core. FWIW, the rule also triggers on the x86/x64 PoC compiled versions. I am happy to adjust it though, I was mainly trying to make sure it wouldn't generate FP's as well.

[mr-tz]

can you add a description detailing this offset value?

[dstepanic]

Yeh, for sure. Feel free to adjust it as well.

[mr-tz]

I think this is too specific here so would remove this instruction.

[mr-tz]

FileRenameInfo = 3 and FileDispositionInfo = 4 are already covered, so that should be fine

[mr-tz]

Gotcha, it's definitely better to avoid FPs.

[mr-tz]

What do you think of this simplification?

  features:
    - and:
      - count(api(kernel32.SetFileInformationByHandle)): 2
      - basic block:
        - and:
          - api: kernel32.SetFileInformationByHandle
          - optional:
            - number: 3 = FileRenameInfo
      - basic block:
        - and:
          - api: kernel32.SetFileInformationByHandle
          - number: 4 = FileDispositionInfo
          - number: 1 = TRUE // fDelete.DeleteFile = TRUE;
      - and:
        - count(api(kernel32.CreateFile)): 2
        - number: 0x10000 = DELETE

[dstepanic]

What do you think of this simplification?

  features:
    - and:
      - count(api(kernel32.SetFileInformationByHandle)): 2
      - basic block:
        - and:
          - api: kernel32.SetFileInformationByHandle
          - optional:
            - number: 3 = FileRenameInfo
      - basic block:
        - and:
          - api: kernel32.SetFileInformationByHandle
          - number: 4 = FileDispositionInfo
          - number: 1 = TRUE // fDelete.DeleteFile = TRUE;
      - and:
        - count(api(kernel32.CreateFile)): 2
        - number: 0x10000 = DELETE

Yeh, that's much better and cleaner. Thanks for the recommendation, I will adjust and send it back. Thanks!

[mr-tz]

last thing while we're at it, let's add an or block each and add a call subscope so this works in the dynamic flavor
so, e.g.:

      - or:
        - basic block:
          - and:
            - api: kernel32.SetFileInformationByHandle
            - optional:
              - number: 3 = FileRenameInfo
        - call:
          - and:
            - api: SetFileInformationByHandle
            - number: 3 = FileRenameInfo

[dstepanic]

Ok, thanks. I tried to implement this, let me know if I missed something.

[mr-tz]

fantastic, thank you very much!

[williballenthin]

thanks @dstepanic!