Detectionhightest
Set Suspicious Files as System Files Using Attrib.EXE
Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Jun 28Updated Tue Mar 14efec536f-72e8-4656-8960-5e85d091345bwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic5 selectors
detection:
selection_img:
- Image|endswith: '\attrib.exe'
- OriginalFileName: 'ATTRIB.EXE'
selection_cli:
CommandLine|contains: ' +s'
selection_paths:
CommandLine|contains:
- ' %' # Custom Environment variable
- '\Users\Public\'
- '\AppData\Local\'
- '\ProgramData\'
- '\Downloads\'
- '\Windows\Temp\'
selection_ext:
CommandLine|contains:
- '.bat'
- '.dll'
- '.exe'
- '.hta'
- '.ps1'
- '.vbe'
- '.vbs'
filter_optional_installer:
CommandLine|contains|all:
- '\Windows\TEMP\'
- '.exe'
condition: all of selection* and not 1 of filter_optional_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
efec536f-72e8-4656-8960-5e85d091345b
Status
test
Level
high
Type
Detection
Created
Tue Jun 28
Modified
Tue Mar 14
Path
rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
Raw Tags
attack.defense-evasionattack.t1564.001