Hiding Files or Folders in Uncommon Location Using Attrib.exe

Rule Info

Name
Hiding Files or Folders in Uncommon Location Using Attrib.exe
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the suspicious usage of attrib.exe to hide files or folders in suspicious or uncommon location. Adversaries often drop their malicious files on suspicious locations like public folders, temporary directories, etc. To avoid being visible to the user, they may use attrib.exe to hide the files.
Reference
https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
Date
2025-03-04 00:00:00
Modified
None
Id
2b60cd51-aae4-460e-a15c-e3e88d843d9e
Tags
attack.defense-evasion attack.t1564.001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022