Sigma rules for attrib
14 rules · scoped to tool · back to attrib
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Set Suspicious Files as System Files Using Attrib.EXE
id: efec536f-72e8-4656-8960-5e85d091345b
related:
- id: bb19e94c-59ae-4c15-8c12-c563d23fe52b
type: derived
status: test
description: |
Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
references:
- https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4
- https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0
- https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-03-14
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\attrib.exe'
- OriginalFileName: 'ATTRIB.EXE'
selection_cli:
CommandLine|contains: ' +s'
selection_paths:
CommandLine|contains:
- ' %' # Custom Environment variable
- '\Users\Public\'
- '\AppData\Local\'
- '\ProgramData\'
- '\Downloads\'
- '\Windows\Temp\'
selection_ext:
CommandLine|contains:
- '.bat'
- '.dll'
- '.exe'
- '.hta'
- '.ps1'
- '.vbe'
- '.vbs'
filter_optional_installer:
CommandLine|contains|all:
- '\Windows\TEMP\'
- '.exe'
condition: all of selection* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
title: Suspicious LDAP-Attributes Used
id: d00a9a72-2c09-4459-ad03-5e0a23351e36
status: test
description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
references:
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
author: xknow @xknow_infosec
date: 2019-03-24
modified: 2022-10-05
tags:
- attack.t1001.003
- attack.command-and-control
logsource:
product: windows
service: security
definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
detection:
selection:
EventID: 5136
AttributeValue|contains: '*'
AttributeLDAPDisplayName:
- 'primaryInternationalISDNNumber'
- 'otherFacsimileTelephoneNumber'
- 'primaryTelexNumber'
condition: selection
falsepositives:
- Companies, who may use these default LDAP-Attributes for personal information
level: high
title: Suspicious Scheduled Task Creation
id: 3a734d25-df5c-4b99-8034-af1ddb5883a4
status: test
description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2022-12-07
tags:
- attack.execution
- attack.privilege-escalation
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection_eid:
EventID: 4698
selection_paths:
TaskContent|contains:
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- 'C:\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
selection_commands:
TaskContent|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd.exe</Command>'
- 'cmd</Command>'
- '<Arguments>/c '
- '<Arguments>/k '
- '<Arguments>/r '
- 'powershell'
- 'pwsh'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: File Time Attribute Change
id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
status: test
description: Detect file time attribute change to hide new or changes to existing files
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: Igor Fits, Mikhail Larin, oscd.community
date: 2020-10-19
modified: 2022-01-12
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: '/touch'
CommandLine|contains:
- '-t'
- '-acmr'
- '-d'
- '-r'
condition: selection
falsepositives:
- Unknown
level: medium
title: Remove Immutable File Attribute
id: 34979410-e4b5-4e5d-8cfb-389fdff05c12
related:
- id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
type: derived
status: test
description: Detects usage of the 'chattr' utility to remove immutable file attribute.
references:
- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
- attack.defense-impairment
- attack.t1222.002
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/chattr'
CommandLine|contains: ' -i '
condition: selection
falsepositives:
- Administrator interacting with immutable files (e.g. for instance backups).
level: medium
title: File Time Attribute Change - Linux
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
status: test
description: Detect file time attribute change to hide new or changes to existing files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-28
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: linux
service: auditd
detection:
execve:
type: 'EXECVE'
touch:
- 'touch'
selection2:
- '-t'
- '-acmr'
- '-d'
- '-r'
condition: execve and touch and selection2
falsepositives:
- Unknown
level: medium
simulation:
- type: atomic-red-team
name: Set a file's access timestamp
technique: T1070.006
atomic_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810
- type: atomic-red-team
name: Set a file's modification timestamp
technique: T1070.006
atomic_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52
- type: atomic-red-team
name: Modify file timestamps using reference file
technique: T1070.006
atomic_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50
title: Remove Immutable File Attribute - Auditd
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
status: test
description: Detects removing immutable file attribute.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: Jakob Weinzettl, oscd.community
date: 2019-09-23
modified: 2022-11-26
tags:
- attack.defense-impairment
- attack.t1222.002
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains: 'chattr'
a1|contains: '-i'
condition: selection
falsepositives:
- Administrator interacting with immutable files (e.g. for instance backups).
level: medium
simulation:
- type: atomic-red-team
name: Remove immutable file attribute
technique: T1222.002
atomic_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f
title: Powershell Timestomp
id: c6438007-e081-42ce-9483-b067fbef33c3
status: test
description: |
Adversaries may modify file time attributes to hide new or changes to existing files.
Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
- https://www.offensive-security.com/metasploit-unleashed/timestomp/
author: frack113
date: 2021-08-03
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_ioc:
ScriptBlockText|contains:
- '.CreationTime ='
- '.LastWriteTime ='
- '.LastAccessTime ='
- '[IO.File]::SetCreationTime'
- '[IO.File]::SetLastAccessTime'
- '[IO.File]::SetLastWriteTime'
condition: selection_ioc
falsepositives:
- Legitimate admin script
level: medium
title: Group Membership Reconnaissance Via Whoami.EXE
id: bd8b828d-0dca-48e1-8a63-8a58ecf2644f
status: test
description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
tags:
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
selection_cli:
CommandLine|contains:
- ' /groups'
- ' -groups'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Execute From Alternate Data Streams
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
status: test
description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-01
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection_stream:
CommandLine|contains: 'txt:'
selection_tools_type:
CommandLine|contains|all:
- 'type '
- ' > '
selection_tools_makecab:
CommandLine|contains|all:
- 'makecab '
- '.cab'
selection_tools_reg:
CommandLine|contains|all:
- 'reg '
- ' export '
selection_tools_regedit:
CommandLine|contains|all:
- 'regedit '
- ' /E '
selection_tools_esentutl:
CommandLine|contains|all:
- 'esentutl '
- ' /y '
- ' /d '
- ' /o '
condition: selection_stream and (1 of selection_tools_*)
falsepositives:
- Unknown
level: medium
title: Hiding Files with Attrib.exe
id: 4281cb20-2994-4580-aa63-c8b86d019934
status: test
description: Detects usage of attrib.exe to hide files from users.
references:
- https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
- https://www.uptycs.com/blog/lolbins-are-no-laughing-matter
author: Sami Ruohonen
date: 2019-01-16
modified: 2023-03-14
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\attrib.exe'
- OriginalFileName: 'ATTRIB.EXE'
selection_cli:
CommandLine|contains: ' +h '
filter_main_msiexec:
CommandLine|contains: '\desktop.ini '
filter_optional_intel:
ParentImage|endswith: '\cmd.exe'
CommandLine: '+R +H +S +A \\\*.cui'
ParentCommandLine: 'C:\\WINDOWS\\system32\\\*.bat'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
- Msiexec.exe hiding desktop.ini
level: medium
title: Addition of SID History to Active Directory Object
id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
status: stable
description: An attacker can use the SID history attribute to gain additional privileges.
references:
- https://adsecurity.org/?p=1772
author: Thomas Patzke, @atc_project (improvements)
date: 2017-02-19
tags:
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1134.005
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 4765
- 4766
selection2:
EventID: 4738
selection3:
SidHistory:
- '-'
- '%%1793'
filter_null:
SidHistory:
condition: selection1 or (selection2 and not selection3 and not filter_null)
falsepositives:
- Migration of an account into a new domain
level: medium
title: Group Policy Abuse for Privilege Addition
id: 1c480e10-7ee1-46d4-8ed2-85f9789e3ce4
status: test
description: |
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
author: Elastic, Josh Nickels, Marius Rothenbücher
references:
- https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
date: 2024-09-04
tags:
- attack.privilege-escalation
- attack.defense-impairment
- attack.t1484.001
logsource:
product: windows
service: security
definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events.'
detection:
selection:
EventID: 5136
AttributeLDAPDisplayName: 'gPCMachineExtensionNames'
AttributeValue|contains:
- '827D319E-6EAC-11D2-A4EA-00C04F79F83A'
- '803E14A0-B4FB-11D0-A0D0-00A0C90F574B'
condition: selection
falsepositives:
- Users allowed to perform these modifications (user found in field SubjectUserName)
level: medium
title: DMSA Link Attributes Modified
id: 9b111d8e-92e0-4153-88bc-daefc1333aba
related:
- id: 6c9eb492-e477-4df9-b0f4-571fc9db29cd # Windows Security Modification of msDS-ManagedAccountPrecededByLink Attribute
type: similar
status: experimental
description: |
Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts.
This command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
references:
- https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.002
- attack.t1098
logsource:
category: ps_script
product: windows
detection:
selection:
ScriptBlockText|contains|all:
- '.Put("msDS-ManagedAccountPrecededByLink'
- 'CN='
condition: selection
falsepositives:
- Legitimate administrative tasks modifying these attributes.
level: low