mimikatz.exe_: self delete

[mike-hunhoff]

Function: 0x45B8DB

What it does: The function calls GetProcAddress for DeleteProcThreadAttributeList and CreateProcess.

Why it matched: capa matched the regex del on the API string DeleteProcThread.... The function creates a process with a specified parent (PID Spoofing), it does not delete itself.

[devarjya27]

Hi @mike-hunhoff, I've opened a PR improving the rule. The root cause was the regex /(^|[\&;\|]\s*)del(\s.*)?/i matching del as a prefix in DeleteProcThreadAttributeList as you mentioned. The fix adds a word boundary \b after del. Please have a look.

The updated rule doesn't trigger self-deletion for mimikatz.exe_

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Capability                                               ┃ Namespace                                    ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ clear Windows event logs                                 │ anti-analysis/anti-forensic/clear-logs       │
│ contain obfuscated stackstrings (5 matches)              │ anti-analysis/obfuscation/string/stackstring │
│ acquire credentials from Windows Credential Manager      │ collection                                   │