1type: trigger
2name: sigmahq/proc_creation_win_attrib_system_susp_paths
3description: |
4  Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs 
5filter: |
6  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\attrib.exe' || evt.Parsed.OriginalFileName == 'ATTRIB.EXE') && evt.Parsed.CommandLine contains ' +s' && (evt.Parsed.CommandLine contains ' %' || evt.Parsed.CommandLine contains '\\Users\\Public\\' || evt.Parsed.CommandLine contains '\\AppData\\Local\\' || evt.Parsed.CommandLine contains '\\ProgramData\\' || evt.Parsed.CommandLine contains '\\Downloads\\' || evt.Parsed.CommandLine contains '\\Windows\\Temp\\') && (evt.Parsed.CommandLine contains '.bat' || evt.Parsed.CommandLine contains '.dll' || evt.Parsed.CommandLine contains '.exe' || evt.Parsed.CommandLine contains '.hta' || evt.Parsed.CommandLine contains '.ps1' || evt.Parsed.CommandLine contains '.vbe' || evt.Parsed.CommandLine contains '.vbs') && not (evt.Parsed.CommandLine contains '\\Windows\\TEMP\\' && evt.Parsed.CommandLine contains '.exe'))
7blackhole: 2m
8#status: test
9labels:
10  service: windows
11  confidence: 1
12  spoofable: 0
13  classification:
14   - attack.t1564.001
15
16  label: "Set Suspicious Files as System Files Using Attrib.EXE"
17  behavior : "windows:audit"
18  remediation: false
19
20scope:
21  type: ParentProcessId
22  expression: evt.Parsed.ParentProcessId
23
24