igfxcuiservice.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxcuiservice.exe is the parent of the cmd.exe)

t1564
t1564.001
windows
sigma

Techniques

t1564
t1564.001

Sample rules

Hiding Files with Attrib.exe

source: sigma
technicques:
- t1564
- t1564.001

Description

Detects usage of attrib.exe to hide files from users.

Detection logic

condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_msiexec:
  CommandLine|contains: '\desktop.ini '
filter_optional_intel:
  CommandLine: +R +H +S +A \\\*.cui
  ParentCommandLine: C:\\WINDOWS\\system32\\\*.bat
  ParentImage|endswith: \cmd.exe
selection_cli:
  CommandLine|contains: ' +h '
selection_img:
- Image|endswith: \attrib.exe
- OriginalFileName: ATTRIB.EXE