From ae67a26af6854209cd00d324d3f5a5f9bdbdac88 Mon Sep 17 00:00:00 2001
From: devarjya27
Date: Wed, 18 Feb 2026 18:29:27 +0530
Subject: [PATCH 1/2] add word boundary to del regex to prevent false positives

---
 anti-analysis/anti-forensic/self-deletion/self-delete.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
index 83b2cdbb8..7c9567f14 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
@@ -23,7 +23,7 @@ rule:
 - or:
 - string: /\/c\s*del\s*/
 description: "/c del"
- - string: /(^|[\&;\|]\s*)del(\s.*)?/i
+ - string: /(^|[\&;\|]\s*)del\b(\s.*)?/i
 description: "echo 1&&del /path/to/file"
 - optional:
 - string: /\s*>\s*nul\s*/i
From d0291900af59dad75d6a68cad5d0452d053241ea Mon Sep 17 00:00:00 2001
From: Devarjya
Date: Wed, 25 Feb 2026 00:04:33 +0530
Subject: [PATCH 2/2] add word boundaries around del in both regexes

---
 anti-analysis/anti-forensic/self-deletion/self-delete.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
index 7c9567f14..6ae94f58e 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
@@ -21,9 +21,9 @@ rule:
 - string: "cmd.exe"
 - match: host-interaction/process/create
 - or:
- - string: /\/c\s*del\s*/
+ - string: /\/c\s*\bdel\b\s*/
 description: "/c del"
- - string: /(^|[\&;\|]\s*)del\b(\s.*)?/i
+ - string: /(^|[\&;\|]\s*)\bdel\b(\s.*)?/i
 description: "echo 1&&del /path/to/file"
 - optional:
 - string: /\s*>\s*nul\s*/i
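Review bot: The first alternative rewritten in the [PATCH 2/2] hunk, `/\/c\s*\bdel\b\s*/`, is still case-sensitive while the sibling pattern on the next changed line carries `/i`, so an upper- or mixed-case `/C DEL` is only caught when a `&`, `;` or `|` happens to precede `del`; since the line is being replaced anyway, `- string: /\/c\s*\bdel\b\s*/i` would make the two alternatives agree (the same line appears as unchanged context in the [PATCH 1/2] hunk). With `\b` now in front of `del`, the `\s*` between `/c` and `del` can no longer match zero characters, because `c` and `d` are both word characters, so `\s+` would state the intent more plainly. The commit messages describe a false-positive fix, but neither patch records what was matching before; a comment above the alternatives such as `# \b stops del from matching the prefix of a longer word` (or a sample recorded in the rule's meta, if the rule format provides for one) would preserve the rationale for the next editor. The enclosing `rule:` mapping named in the hunk header starts before the hunk.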