title: Hiding Files with Attrib.exe
author: Sami Ruohonen
date: 2019/01/16
description: Detects usage of attrib.exe to hide files from users.
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\attrib.exe'
  SELECTION_3:
    CommandLine: '* +h *'
  SELECTION_4:
    EventID: 1
  SELECTION_5:
    CommandLine: '*\desktop.ini *'
  SELECTION_6:
    ParentImage: '*\cmd.exe'
  SELECTION_7:
    CommandLine: +R +H +S +A \\*.cui
  SELECTION_8:
    ParentCommandLine: C:\WINDOWS\system32\\*.bat
  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not ((SELECTION_4
    and (SELECTION_5 or (SELECTION_6 and SELECTION_7 and SELECTION_8)))))
falsepositives:
- igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe
  and igfxCUIService.exe is the parent of the cmd.exe)
- msiexec.exe hiding desktop.ini
fields:
- CommandLine
- ParentCommandLine
- User
id: 4281cb20-2994-4580-aa63-c8b86d019934
level: low
logsource:
  category: process_creation
  product: windows
modified: 2020/08/27
status: experimental
tags:
- attack.defense_evasion
- attack.t1564.001
- attack.t1158
ruletype: SIGMA