host-interaction/file-system/delete
rule:
meta:
name: delete file
namespace: host-interaction/file-system/delete
authors:
- moritz.raabe@mandiant.com
- michael.hunhoff@mandiant.com
scopes:
static: function
dynamic: thread
mbc:
- File System::Delete File [C0047]
examples:
- 946A99F36A46D335DEC080D9A4371940:0x100015F0
# MoveFileEx
- 31600AD0D1A7EA615690DF111AE36C73:0x401A15
# NtDeleteFile
- 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001E04
features:
- or:
- api: kernel32.DeleteFile
- api: DeleteFileTransacted
- api: NtDeleteFile
- api: ZwDeleteFile
- api: remove
- api: _wremove
- api: System.IO.File::Delete
- api: System.IO.FileSystemInfo::Delete
# static
- basic block:
- and:
- number: 3 = FO_DELETE
- or:
- api: kernel32.SHFileOperation
- basic block:
- and:
- number: 4 = MOVEFILE_DELAY_UNTIL_REBOOT
- number: 0 = NULL
- api: MoveFileEx
# dynamic
- call:
- and:
- number: 3 = FO_DELETE
- or:
- api: kernel32.SHFileOperation
- call:
- and:
- number: 4 = MOVEFILE_DELAY_UNTIL_REBOOT
- number: 0 = NULL
- api: MoveFileEx
last edited: 2023-11-24 10:35:03