From 5520b2d12fd41758be6f47df6c2fa521d87746fc Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Sat, 9 Nov 2024 19:13:35 +0100
Subject: [PATCH] feat(rules): Process execution from a self-deleting binary rule

Identifies the execution of the process from a self-deleting binary. The attackers can abuse undocumented API functions to create a process from a file-backed section. The file is put into a delete-pending state allowing the attacker to bypass kernel callback controls by closing the handle to the file before the main thread is spawned.

---
 ...ss_execution_from_self_deleting_binary.yml | 30 +++++++++++++++++++
 rules/macros/macros.yml | 3 ++
 2 files changed, 33 insertions(+)
 create mode 100644 rules/defense_evasion_process_execution_from_self_deleting_binary.yml

diff --git a/rules/defense_evasion_process_execution_from_self_deleting_binary.yml b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml
new file mode 100644
index 000000000..d238a037f
--- /dev/null
+++ b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml
@@ -0,0 +1,30 @@
+name: Process execution from a self-deleting binary
+id: 0f0da517-b22c-4d14-9adc-36baeb621cf7
+version: 1.0.0
+description: |
+ Identifies the execution of the process from a self-deleting binary. The attackers can
+ abuse undocumented API functions to create a process from a file-backed section. The file
+ is put into a delete-pending state allowing the attacker to bypass kernel callback controls
+ by closing the handle to the file before the main thread is spawned.
+labels:
+ tactic.id: TA0005
+ tactic.name: Defense Evasion
+ tactic.ref: https://attack.mitre.org/tactics/TA0005/
+ technique.id: T1055
+ technique.name: Process Injection
+ technique.ref: https://attack.mitre.org/techniques/T1055/
+references:
+ - https://github.com/hasherezade/process_ghosting
+ - https://www.elastic.co/es/blog/process-ghosting-a-new-executable-image-tampering-attack
+
+condition: >
+ sequence
+ maxspan 1m
+ |delete_file and file.info.is_disposition_delete_file| by file.name
+ |load_module| by image.name
+
+output: >
+ Process %2.image.name spawned from self-deleting binary
+severity: high
+
+min-engine-version: 2.3.0
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
index b24fe2833..41bed88e9 100644
--- a/rules/macros/macros.yml
+++ b/rules/macros/macros.yml
@@ -25,6 +25,9 @@
 - macro: create_file
 expr: kevt.name = 'CreateFile' and file.operation != 'OPEN' and file.status = 'Success'
+- macro: delete_file
+ expr: kevt.name = 'DeleteFile'
+
 - macro: query_registry
 expr: kevt.name in ('RegQueryKey', 'RegQueryValue') and registry.status = 'Success'
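Review bot: The sequence in `condition` correlates the two stages only by path (`by file.name` / `by image.name`) inside a 1-minute window, so a self-updating installer that deletes its executable with delete disposition and then writes and loads a fresh binary at the same path would also match, even though no delete-pending section was ever mapped. Consider stating this false-positive source in `description` so analysts expect it, or tightening the second stage, for example by excluding paths that saw a `create_file` with write access between the two events, if the engine allows such a constraint inside a sequence. The mapping to T1055 is also debatable, since no other process is injected into; if the taxonomy the project uses has a closer sub-technique it may be worth citing, otherwise a sentence in `description` explaining the choice would help triage. Finally, if `file.info.is_disposition_delete_file` was introduced later than engine 2.3.0, `min-engine-version` should be raised to match, otherwise older engines will load a rule whose field they cannot evaluate.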
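Review bot: The new `delete_file` macro matches every `DeleteFile` event regardless of outcome, whereas the neighbouring `create_file` macro on the context line above gates on `file.status = 'Success'`; a delete request the filesystem rejected never leaves the file delete-pending, so a rule built on this macro could fire on a failed attempt. If `DeleteFile` events expose `file.status` the way `CreateFile` events do, the consistent form is `expr: kevt.name = 'DeleteFile' and file.status = 'Success'`. If the macro is deliberately kept outcome-agnostic for reuse by other rules, a one-line comment above it saying so would stop the next reader from "fixing" it and silently changing every rule that depends on it.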