Process Deletion of Its Own Executable

Sigma Rules

Summary
This rule detects a process deleting its own executable file. On Windows the image file of a running process is normally locked, so a process cannot simply delete itself; self-deletion requires deliberate workarounds that ordinary applications do not contain. Malware uses the technique to remove traces of itself after execution, which makes a matching event a strong indicator of potentially malicious activity. The rule carries the 'attack.defense_evasion' tag, reflecting its role in surfacing evasion techniques. Expect some false positives: application uninstallers legitimately delete their own executable as part of the uninstallation process, so alerts from known uninstaller binaries should be triaged accordingly.
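As an added illustration (not the rule's own logic or source), the following Python applies the detection idea described above to a few constructed Sysmon-style FileDelete records (Event ID 23). The assumed match condition is that the deleting process image (`Image`) and the deleted file (`TargetFilename`) resolve to the same path after case and separator normalisation; the uninstaller heuristic and all sample paths are assumptions made for the example.

```python
import ntpath

# Constructed Sysmon-style FileDelete (Event ID 23) records; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 23,
     "Image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe"},
    {"EventID": 23,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\notes.txt"},
    {"EventID": 23,
     "Image": r"C:\Program Files\ExampleApp\unins000.exe",
     "TargetFilename": r"C:\Program Files\ExampleApp\unins000.exe"},
    {"EventID": 23,
     "Image": r"c:/users/alice/desktop/TOOL.EXE",
     "TargetFilename": r"C:\Users\alice\Desktop\tool.exe"},
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\explorer.exe"},
]

# Assumed uninstaller naming hints used only to down-rank known-benign cases.
UNINSTALLER_HINTS = ("unins", "uninstall")


def normalize(path):
    """Windows paths are case-insensitive and accept '/' or '\\'."""
    return ntpath.normcase(path.strip())


def is_self_delete(event):
    """True when a FileDelete event's target is the deleting process's own image."""
    if event.get("EventID") != 23:
        return False
    image = event.get("Image")
    target = event.get("TargetFilename")
    if not image or not target:
        return False
    return normalize(image) == normalize(target)


def looks_like_uninstaller(event):
    """Heuristic for the false-positive class named in the rule summary."""
    name = ntpath.basename(normalize(event.get("Image", "")))
    return any(hint in name for hint in UNINSTALLER_HINTS)


def evaluate(events):
    """Return one finding per matching event, tagged with a triage verdict."""
    findings = []
    for event in events:
        if not is_self_delete(event):
            continue
        verdict = "review-uninstaller" if looks_like_uninstaller(event) else "alert"
        findings.append({"image": event["Image"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding["verdict"], finding["image"])
```

Matching on normalised paths matters: the fourth record differs only in case and separator style and would be missed by a naive string comparison. The uninstaller hint does not suppress the event; it only changes the verdict so an analyst can prioritise the unexplained cases.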
Categories
  • Windows
  • Endpoint
Data Sources
  • File
Created: 2024-09-03