Threat Huntlowtest

Set Files as System Files Using Attrib.EXE

Detects the execution of "attrib" with the "+s" flag to mark files as system files

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Fri Feb 04Updated Tue Mar 14bb19e94c-59ae-4c15-8c12-c563d23fe52bwindows

Hunting Hypothesis

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith: '\attrib.exe'
        - OriginalFileName: 'ATTRIB.EXE'
    selection_cli:
        CommandLine|contains: ' +s '
    condition: all of selection_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

unit42.paloaltonetworks.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1564.001 · Hidden Files and Directories

Other

detection.threat-hunting

Related Rules

SimilarDetectionhigh

Set Suspicious Files as System Files Using Attrib.EXE

Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

bb19e94c-59ae-4c15-8c12-c563d23fe52b

Status

test

Level

low

Type

Threat Hunt

Created

Fri Feb 04

Modified

Tue Mar 14

Author

François Hubaut

Path

rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml

Raw Tags

attack.defense-evasionattack.t1564.001detection.threat-hunting

View on GitHub