Detection rules › Sigma
Set Suspicious Files as System Files Using Attrib.EXE
Detects the use of attrib with the "+s" option to mark scripts or executables located in suspicious directories as system files, which hides them from users and prevents deletion with ordinary user rights. The rule limits the search to specific extensions and directories to reduce false positives.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1564.001 Hide Artifacts: Hidden Files and Directories |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
The stages below are the rule's Sigma detection section; every `selection_*` block must match and the optional installer filter must not. Sigma string modifiers (`contains`, `endswith`) and plain equality are case-insensitive.

```yaml
# Stage 1: all of selection_img (either value matches)
selection_img:
  - Image|endswith: '\attrib.exe'
  - OriginalFileName: 'ATTRIB.EXE'
# Stage 2: all of selection_cli
selection_cli:
  CommandLine|contains: ' +s'
# Stage 3: all of selection_paths (any one value matches)
selection_paths:
  CommandLine|contains:
    - ' %'
    - '\AppData\Local\'
    - '\Downloads\'
    - '\ProgramData\'
    - '\Users\Public\'
    - '\Windows\Temp\'
# Stage 4: all of selection_ext (any one value matches)
selection_ext:
  CommandLine|contains:
    - '.bat'
    - '.dll'
    - '.exe'
    - '.hta'
    - '.ps1'
    - '.vbe'
    - '.vbs'
# Stage 5: not 1 of filter_optional_installer (both values must match to exclude)
filter_optional_installer:
  CommandLine|contains|all:
    - '.exe'
    - '\Windows\TEMP\'
condition: all of selection_* and not 1 of filter_optional_*
```
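To see how the five stages combine, the following is a stand-alone re-implementation of the rule's matching logic run over a handful of constructed Sysmon Event ID 1 records. It is an added example, not the Sigma rule itself or the output of any Sigma converter; the event dicts, field names (`Image`, `OriginalFileName`, `CommandLine`) and sample command lines are constructed for illustration, and string comparisons are lowercased to mirror Sigma's case-insensitive matching.

```python
"""Re-implementation of the attrib "+s" rule for walking through its stages.

Added example, not the Sigma rule or a converter's output. Sigma
`contains`/`endswith` and plain equality are case-insensitive, so every
comparison lowercases both sides. Events are constructed dicts carrying
the Sysmon Event ID 1 fields the rule reads.
"""

# Stage 1: either the image path or the PE original file name identifies attrib.
SELECTION_IMG_ENDSWITH = "\\attrib.exe"
SELECTION_IMG_ORIGINAL = "ATTRIB.EXE"
# Stage 2: the system-attribute switch, preceded by a space.
SELECTION_CLI = " +s"
# Stage 3: any one of these directory fragments (or an environment variable).
SELECTION_PATHS = [
    " %",
    "\\AppData\\Local\\",
    "\\Downloads\\",
    "\\ProgramData\\",
    "\\Users\\Public\\",
    "\\Windows\\Temp\\",
]
# Stage 4: any one of these script/executable extensions.
SELECTION_EXT = [".bat", ".dll", ".exe", ".hta", ".ps1", ".vbe", ".vbs"]
# Stage 5: both fragments present -> treated as installer noise and excluded.
FILTER_INSTALLER_ALL = [".exe", "\\Windows\\TEMP\\"]


def _contains_any(haystack, needles):
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def _contains_all(haystack, needles):
    h = haystack.lower()
    return all(n.lower() in h for n in needles)


def matches(event):
    """Return True when the event satisfies: all of selection_* and not the filter."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    cmd = event.get("CommandLine", "")

    selection_img = (image.lower().endswith(SELECTION_IMG_ENDSWITH.lower())
                     or original.lower() == SELECTION_IMG_ORIGINAL.lower())
    selection_cli = SELECTION_CLI.lower() in cmd.lower()
    selection_paths = _contains_any(cmd, SELECTION_PATHS)
    selection_ext = _contains_any(cmd, SELECTION_EXT)
    filter_installer = _contains_all(cmd, FILTER_INSTALLER_ALL)
    return (selection_img and selection_cli and selection_paths
            and selection_ext and not filter_installer)


# Constructed Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    # 0: script in Users\Public marked system+hidden -> alert
    {"Image": "C:\\Windows\\System32\\attrib.exe",
     "OriginalFileName": "ATTRIB.EXE",
     "CommandLine": "attrib +s +h C:\\Users\\Public\\update.vbs"},
    # 1: image path does not say attrib, but OriginalFileName does -> alert
    #    (this is why selection_img checks both fields)
    {"Image": "C:\\Users\\Public\\svc.exe",
     "OriginalFileName": "ATTRIB.EXE",
     "CommandLine": "svc.exe +s %PUBLIC%\\run.bat"},
    # 2: .exe under Windows\TEMP -> matches every selection but is removed
    #    by filter_optional_installer
    {"Image": "C:\\Windows\\System32\\attrib.exe",
     "OriginalFileName": "ATTRIB.EXE",
     "CommandLine": "attrib +s C:\\Windows\\TEMP\\setup_1\\installer.exe"},
    # 3: +s on a document in a home directory -> no suspicious path/extension
    {"Image": "C:\\Windows\\System32\\attrib.exe",
     "OriginalFileName": "ATTRIB.EXE",
     "CommandLine": "attrib +s C:\\Users\\alice\\Documents\\notes.txt"},
    # 4: clearing the attribute (-s) -> selection_cli does not match
    {"Image": "C:\\Windows\\System32\\attrib.exe",
     "OriginalFileName": "ATTRIB.EXE",
     "CommandLine": "attrib -s C:\\ProgramData\\tool.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in run():
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Event 2 illustrates a caveat worth knowing when tuning: because matching is case-insensitive, the filter's `\Windows\TEMP\` is the same string as the path selection's `\Windows\Temp\`, so any `.exe` under that directory is always excluded and only the other listed extensions there can alert.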
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | `contains` predicates listed under Stages 2 to 5 above |
| Image | ends_with | `\attrib.exe` |
| OriginalFileName | eq | `ATTRIB.EXE` |