Set Suspicious Files as System Files Using Attrib.EXE

 1title: Set Suspicious Files as System Files Using Attrib.EXE
 2id: efec536f-72e8-4656-8960-5e85d091345b
 3related:
 4    - id: bb19e94c-59ae-4c15-8c12-c563d23fe52b
 5      type: derived
 6status: test
 7description: |
 8        Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
 9references:
10    - https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4
11    - https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0
12    - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022-06-28
15modified: 2023-03-14
16tags:
17    - attack.defense-evasion
18    - attack.t1564.001
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\attrib.exe'
25        - OriginalFileName: 'ATTRIB.EXE'
26    selection_cli:
27        CommandLine|contains: ' +s'
28    selection_paths:
29        CommandLine|contains:
30            - ' %' # Custom Environment variable
31            - '\Users\Public\'
32            - '\AppData\Local\'
33            - '\ProgramData\'
34            - '\Downloads\'
35            - '\Windows\Temp\'
36    selection_ext:
37        CommandLine|contains:
38            - '.bat'
39            - '.dll'
40            - '.exe'
41            - '.hta'
42            - '.ps1'
43            - '.vbe'
44            - '.vbs'
45    filter_optional_installer:
46        CommandLine|contains|all:
47            - '\Windows\TEMP\'
48            - '.exe'
49    condition: all of selection* and not 1 of filter_optional_*
50falsepositives:
51    - Unknown
52level: high

References

• Analysis Instagram 0Day.exe (MD5: 3069E25B962D29775B240FA48FDD2549) Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

• Analysis https://mega.nz/file/QUoGgbQZ#mtMLCy-ecn3aZBQmoRG9JvqBMxApqj140fnplm-HijA Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

• Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency

  

  Unit 42 discovers ComboJack, a new currency stealer that alters clipboards to steal cryptocurrency.

  
  Read More

Related rules

• Displaying Hidden Files Feature Disabled
• Hidden Files and Directories
• Hiding Files with Attrib.exe
• PowerShell Logging Disabled Via Registry Key Tampering
• Registry Persistence via Service in Safe Mode