New

The executive guide to generative AI

Read more

Adding Hidden File Attribute via Attrib

edit

Adversaries can add the hidden attribute to files to hide them from the user in an attempt to evade detection.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 9 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.13.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
process where event.type in ("start", "process_started") and
process.name : "attrib.exe" and process.args : "+h"

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 9 (7.13.0 release)
  • Updated query, changed from:

    event.category:process and event.type:(start or process_started) and
    process.name:attrib.exe and process.args:+h
Version 8 (7.12.0 release)
  • Formatting only
Version 7 (7.11.2 release)
  • Formatting only
Version 6 (7.11.0 release)
  • Formatting only
Version 5 (7.10.0 release)
  • Formatting only
Version 4 (7.9.1 release)
  • Formatting only
Version 3 (7.9.0 release)
  • Updated query, changed from:

    event.action:"Process Create (rule: ProcessCreate)" and
    process.name:attrib.exe and process.args:+h
Version 2 (7.7.0 release)
  • Updated query, changed from:

    event.action:"Process Create (rule: ProcessCreate)" and
    process.name:"attrib.exe" and process.args:"+h"
Was this helpful?
Feedback