LoFP / msiexec.exe hiding desktop.ini

Techniques

Sample rules

Hiding Files with Attrib.exe

Description

Detects usage of attrib.exe to hide files from users.

Detection logic

condition: all of selection_* and not 1 of filter_*
filter_intel:
  CommandLine: +R +H +S +A \\\*.cui
  ParentCommandLine: C:\\WINDOWS\\system32\\\*.bat
  ParentImage|endswith: \cmd.exe
filter_msiexec:
  CommandLine|contains: '\desktop.ini '
selection_cli:
  CommandLine|contains: ' +h '
selection_img:
- Image|endswith: \attrib.exe
- OriginalFileName: ATTRIB.EXE
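To see how the condition above evaluates against the false positive this page documents, here is an added Python evaluator of the detection block (my code, not the rule author's or the Sigma project's). The three process-creation events are constructed, not real telemetry, and the pattern translation assumes Sigma's escaping rules ("\\" literal backslash, "\*" literal asterisk, bare "*" wildcard, case-insensitive matching).

```python
import re

RULE = {  # the detection block above as a dict; keys keep Sigma's "field|modifier" form
    "selection_img": [{"Image|endswith": r"\attrib.exe"},
                      {"OriginalFileName": "ATTRIB.EXE"}],
    "selection_cli": {"CommandLine|contains": " +h "},
    "filter_msiexec": {"CommandLine|contains": r"\desktop.ini "},
    "filter_intel": {"CommandLine": r"+R +H +S +A \\\*.cui",
                     "ParentCommandLine": r"C:\WINDOWS\system32\\\*.bat",
                     "ParentImage|endswith": r"\cmd.exe"},
}

def sigma_regex(value: str) -> str:
    # Sigma escaping (assumed): "\\" -> literal backslash, "\*" -> literal asterisk, "*" -> wildcard.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "\\*":
            out.append(re.escape(value[i + 1])); i += 2
        elif value[i] == "*":
            out.append(".*"); i += 1
        else:
            out.append(re.escape(value[i])); i += 1
    return "".join(out)

def field_matches(spec: str, value: str, event: dict) -> bool:
    field, _, modifier = spec.partition("|")
    rx, actual = sigma_regex(value), event.get(field, "")
    if modifier == "contains":
        return re.search(rx, actual, re.IGNORECASE) is not None
    if modifier == "endswith":
        return re.search(rx + "$", actual, re.IGNORECASE) is not None
    return re.fullmatch(rx, actual, re.IGNORECASE) is not None  # no modifier: exact value

def block_matches(block, event: dict) -> bool:
    # A list is OR-ed alternatives; a map is AND-ed field tests.
    if isinstance(block, list):
        return any(block_matches(alt, event) for alt in block)
    return all(field_matches(k, v, event) for k, v in block.items())

def rule_fires(event: dict) -> bool:
    # condition: all of selection_* and not 1 of filter_*
    sels = [b for k, b in RULE.items() if k.startswith("selection_")]
    fils = [b for k, b in RULE.items() if k.startswith("filter_")]
    return all(block_matches(b, event) for b in sels) and not any(block_matches(b, event) for b in fils)

# Constructed Sysmon-style events (not real telemetry); only the fields the rule reads are present.
ATTRIB = r"C:\Windows\System32\attrib.exe"
USER_FILE = {"Image": ATTRIB, "CommandLine": r'attrib.exe +h "C:\Users\alice\report.docx"'}  # alerts
MSIEXEC_INI = {"Image": ATTRIB, "CommandLine": r"attrib +h C:\ProgramData\App\desktop.ini "}  # suppressed
INI_NO_SPACE = {"Image": ATTRIB, "CommandLine": r"attrib +h C:\ProgramData\App\desktop.ini"}  # alerts
```

Note the trailing space inside `'\desktop.ini '`: the filter only suppresses command lines where something (even just whitespace) follows the file name, so the otherwise identical INI_NO_SPACE event still fires.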