Hiding Files with Attrib.exe

 1title: Hiding Files with Attrib.exe
 2id: 4281cb20-2994-4580-aa63-c8b86d019934
 3status: test
 4description: Detects usage of attrib.exe to hide files from users.
 5references:
 6    - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
 7    - https://www.uptycs.com/blog/lolbins-are-no-laughing-matter
 8author: Sami Ruohonen
 9date: 2019-01-16
10modified: 2023-03-14
11tags:
12    - attack.defense-evasion
13    - attack.t1564.001
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|endswith: '\attrib.exe'
20        - OriginalFileName: 'ATTRIB.EXE'
21    selection_cli:
22        CommandLine|contains: ' +h '
23    filter_main_msiexec:
24        CommandLine|contains: '\desktop.ini '
25    filter_optional_intel:
26        ParentImage|endswith: '\cmd.exe'
27        CommandLine: '+R +H +S +A \\\*.cui'
28        ParentCommandLine: 'C:\\WINDOWS\\system32\\\*.bat'
29    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
30falsepositives:
31    - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
32    - Msiexec.exe hiding desktop.ini
33level: medium

References

• Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency

  

  Unit 42 discovers ComboJack, a new currency stealer that alters clipboards to steal cryptocurrency.

  
  Read More

• LOLBins Are No Laughing Matter: How Attackers Operate Quietly

  

  Recent threat research on living off the land binaries and how it affects cloud security.

  
  Read More

Related rules

• Displaying Hidden Files Feature Disabled
• Hidden Files and Directories
• PowerShell Logging Disabled Via Registry Key Tampering
• Registry Persistence via Service in Safe Mode
• Set Suspicious Files as System Files Using Attrib.EXE