{
  "author": [
    "Elastic"
  ],
  "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.",
  "from": "now-9m",
  "index": [
    "winlogbeat-*",
    "logs-endpoint.events.*",
    "logs-windows.*"
  ],
  "language": "eql",
  "license": "Elastic License v2",
  "name": "Adding Hidden File Attribute via Attrib",
  "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"attrib.exe\" and process.args : \"+h\"\n",
  "risk_score": 21,
  "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
  "severity": "low",
  "tags": [
    "Elastic",
    "Host",
    "Windows",
    "Threat Detection",
    "Defense Evasion"
  ],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0005",
        "name": "Defense Evasion",
        "reference": "https://attack.mitre.org/tactics/TA0005/"
      },
      "technique": [
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "reference": "https://attack.mitre.org/techniques/T1564/",
          "subtechnique": [
            {
              "id": "T1564.001",
              "name": "Hidden Files and Directories",
              "reference": "https://attack.mitre.org/techniques/T1564/001/"
            }
          ]
        }
      ]
    },
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0003",
        "name": "Persistence",
        "reference": "https://attack.mitre.org/tactics/TA0003/"
      },
      "technique": []
    }
  ],
  "timestamp_override": "event.ingested",
  "type": "eql",
  "version": 9
}