curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

page(threat-hunting): file hiding using attrib.exe

This commit is contained in:
Ming Di Leom 2025-04-06 12:04:48 +00:00
parent 751e9e7c66
commit 978e8c6ae6
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
source/threat-hunting/index.md
View File

@ -676,6 +676,16 @@ SPL:
| makemv delim="^" RDPs | makemv delim="^" RDPs
``` ```
## File hiding using attrib.exe observed
Description: attrib.exe can be used to hide files from Explorer.
References: [1](https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/#defense-evasion), [2](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/attrib)
```spl
| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name="attrib.exe" Processes.process IN ("*+h", "*+s*", "*+r*") BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
```
## Gootloader IOC ## Gootloader IOC
References: [1](https://redcanary.com/blog/gootloader/) References: [1](https://redcanary.com/blog/gootloader/)