From 978e8c6ae6eb47150d10bb9d04cc609c967428aa Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Sun, 6 Apr 2025 12:04:48 +0000
Subject: [PATCH] page(threat-hunting): file hiding using attrib.exe

---
 source/threat-hunting/index.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md
index 96c1361..46bf131 100644
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@@ -676,6 +676,16 @@ SPL:
 | makemv delim="^" RDPs
 ```
 
+## File hiding using attrib.exe observed
+
+Description: attrib.exe can be used to hide files from Explorer.
+References: [1](https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/#defense-evasion), [2](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/attrib)
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name="attrib.exe" Processes.process IN ("*+h", "*+s*", "*+r*") BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
+| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
+```
+
 ## Gootloader IOC
 
 References: [1](https://redcanary.com/blog/gootloader/)