Hiding Files with Attrib.exe
- source: sigma
- techniques:
  - t1564
  - t1564.001
Description
Detects usage of attrib.exe to hide files from users by setting the hidden attribute (+h).
Detection logic
selection_img:
  - Image|endswith: \attrib.exe
  - OriginalFileName: ATTRIB.EXE
selection_cli:
  CommandLine|contains: ' +h '
filter_main_msiexec:
  CommandLine|contains: '\desktop.ini '
filter_optional_intel:
  CommandLine: +R +H +S +A \\\*.cui
  ParentCommandLine: C:\\WINDOWS\\system32\\\*.bat
  ParentImage|endswith: \cmd.exe
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
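An added example, not part of the Sigma rule or of this page, that evaluates the condition above over constructed process-creation events in Python. Assumptions: Sigma's default case-insensitive matching is approximated by lowercasing, `*` in a plain value is a wildcard, and the escaped patterns in filter_optional_intel are read as "literal backslash, then wildcard".

```python
import fnmatch

def _match(value, pattern, modifier=None):
    """Case-insensitive Sigma-style comparison; '*' is a wildcard (simplified)."""
    v, p = value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    return fnmatch.fnmatchcase(v, p)

def _selection(event, fields):
    """A map of field->pattern is AND-ed; a list of such maps is OR-ed."""
    if isinstance(fields, list):
        return any(_selection(event, f) for f in fields)
    for key, pattern in fields.items():
        name, _, mod = key.partition("|")
        if not _match(event.get(name, ""), pattern, mod or None):
            return False
    return True

RULE = {
    "selection_img": [{"Image|endswith": r"\attrib.exe"}, {"OriginalFileName": "ATTRIB.EXE"}],
    "selection_cli": {"CommandLine|contains": " +h "},
    "filter_main_msiexec": {"CommandLine|contains": r"\desktop.ini "},
    "filter_optional_intel": {  # assumption: escaped '\\\*' decodes to backslash + wildcard
        "CommandLine": r"+R +H +S +A \*.cui",
        "ParentCommandLine": r"C:\WINDOWS\system32\*.bat",
        "ParentImage|endswith": r"\cmd.exe",
    },
}

def rule_matches(event):
    """condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*"""
    sel = all(_selection(event, v) for k, v in RULE.items() if k.startswith("selection_"))
    flt = any(_selection(event, v) for k, v in RULE.items() if k.startswith("filter_"))
    return sel and not flt

ATTRIB = r"C:\Windows\System32\attrib.exe"
def ev(cmd, pimg=r"C:\Windows\System32\cmd.exe", pcmd="cmd.exe"):
    """Build a minimal Sysmon-EID-1-like event (constructed sample, not real telemetry)."""
    return {"Image": ATTRIB, "OriginalFileName": "ATTRIB.EXE", "CommandLine": cmd,
            "ParentImage": pimg, "ParentCommandLine": pcmd}

EVENTS = [
    ev(r'attrib +h +s "C:\Users\bob\AppData\Roaming\loader.exe"'),          # should alert
    ev(r"attrib +h C:\Users\bob\Documents\desktop.ini ",
       r"C:\Windows\System32\msiexec.exe", "msiexec /i a.msi"),              # desktop.ini filter
    ev(r"attrib -h C:\Users\bob\Documents\report.docx"),                     # no ' +h ' -> not selected
    ev(r"+R +H +S +A \Intel.cui", pcmd=r"C:\WINDOWS\system32\intelgfx.bat"), # vendor filter
]

def alerts(events=EVENTS):
    """Return the command lines of events that fire the rule."""
    return [e["CommandLine"] for e in events if rule_matches(e)]
```

Because selection_img is an OR over Image and OriginalFileName, a renamed copy of attrib.exe still matches through its PE original file name, which is why the rule keeps both fields.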