Skip to content

Hide Navigation Hide TOC

Set Suspicious Files as System Files Using Attrib.EXE (efec536f-72e8-4656-8960-5e85d091345b)

Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs

Cluster A Galaxy A Cluster B Galaxy B Level
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern Set Suspicious Files as System Files Using Attrib.EXE (efec536f-72e8-4656-8960-5e85d091345b) Sigma-Rules 1
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2