hiding_files_and_directories_with_attrib_exe.yml
name: Hiding Files And Directories With Attrib exe
id: 6e5a3ae4-90a3-462d-9aa6-0119f638c0f1
version: 5
date: '2024-01-01'
author: Bhavin Patel, Splunk
status: production
type: TTP
description: Attackers leverage an existing Windows binary, attrib.exe, to mark specific
  files as hidden by setting the +h attribute so that the victim does not see them. The
  search looks for attrib.exe executions whose command line carries the +h flag.
data_source:
- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process)
  as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe
  (Processes.process=*+h*) by Processes.parent_process_name Processes.process_name Processes.user
  Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`|
  `hiding_files_and_directories_with_attrib_exe_filter` '
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must
be processed using the appropriate Splunk Technology Add-ons that are specific to
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: 'Some applications and users may legitimately use attrib.exe
  to set or clear file attributes. Because the search matches "+h" anywhere in the
  command line, paths or arguments that merely contain that substring will also match.'
references: []
tags:
analytic_story:
- Windows Defense Evasion Tactics
- Windows Persistence Techniques
- Azorult
asset_type: Endpoint
confidence: 80
impact: 90
message: Attrib.exe with +h flag to hide files on $dest$ executed by $user$ is detected.
mitre_attack_id:
- T1222
- T1222.001
observable:
- name: user
type: User
role:
- Victim
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.process
- Processes.process_name
- Processes.parent_process_name
- Processes.user
- Processes.dest
risk_score: 72
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
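The `search` field is SPL and only runs inside Splunk. The Python below is an added example, not code from the Splunk security_content project, that re-implements the same predicate (`Processes.process_name=attrib.exe` and `Processes.process=*+h*`) and the same `by` grouping with `count`, `min(_time)`, `max(_time)` and `values(process)` over a handful of constructed Sysmon EventID 1 records, so the matching semantics can be checked offline. The records, hosts and users are invented, the field names follow the Endpoint.Processes data model, and the case-insensitive wildcard matching is an assumption about how Splunk compares field values in a tstats where clause.

```python
"""Offline re-implementation of the attrib.exe +h detection above.

Added example, not code from the Splunk security_content project. The
records below are constructed, and the case-insensitive wildcard matching is
an assumption about how Splunk compares field values in a tstats where clause.
"""
import re
from datetime import datetime, timezone

# Constructed Sysmon EventID 1 records already normalised to the
# Endpoint.Processes field names the detection uses. _time is epoch seconds.
SAMPLE_EVENTS = [
    # True positive: a dropped payload is marked hidden from cmd.exe.
    {"_time": 1704067200, "dest": "WIN10-01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "attrib.exe",
     "process": 'attrib.exe +h "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"'},
    # Second hide from the same parent/user/host: folds into the same row.
    {"_time": 1704067260, "dest": "WIN10-01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "attrib.exe",
     "process": "attrib.exe +h +s C:\\Users\\alice\\AppData\\Local\\Temp\\stage"},
    # Un-hiding (-h) is not the behaviour the search looks for.
    {"_time": 1704067320, "dest": "WIN10-01", "user": "CORP\\alice",
     "parent_process_name": "explorer.exe", "process_name": "attrib.exe",
     "process": "attrib.exe -h C:\\Users\\alice\\Documents\\notes.txt"},
    # Read-only flag only: no '+h' on the command line.
    {"_time": 1704067380, "dest": "SRV-02", "user": "CORP\\svc_backup",
     "parent_process_name": "backup.exe", "process_name": "attrib.exe",
     "process": "attrib.exe +r D:\\backups\\2024-01-01.bak"},
    # '+h' inside a path rather than as a flag: *+h* still matches, which is
    # one of the benign cases known_false_positives refers to.
    {"_time": 1704067440, "dest": "BUILD-03", "user": "CORP\\ci",
     "parent_process_name": "msbuild.exe", "process_name": "attrib.exe",
     "process": "attrib.exe +r C:\\src\\lib+hash\\out.dll"},
    # '+h' on the command line of a different binary: process_name fails.
    {"_time": 1704067500, "dest": "WIN10-01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "cmd.exe",
     "process": "cmd.exe /c echo +h > C:\\tmp\\marker.txt"},
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn a Splunk-style value pattern (only '*' is a wildcard) into an
    anchored regex. Case-insensitivity is assumed, matching Splunk's default."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


PROCESS_NAME = wildcard_to_regex("attrib.exe")   # Processes.process_name=attrib.exe
HIDE_FLAG = wildcard_to_regex("*+h*")            # Processes.process=*+h*


def matches(event: dict) -> bool:
    """The where clause of the tstats search."""
    return bool(PROCESS_NAME.match(event["process_name"])
                and HIDE_FLAG.match(event["process"]))


def security_content_ctime(epoch: int) -> str:
    """Stand-in for the macro of the same name: epoch seconds to a UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def run_detection(events: list[dict]) -> dict[tuple, dict]:
    """Apply the where clause, then the 'by parent_process_name process_name
    user dest' grouping with count, min(_time), max(_time) and values(process)."""
    rows: dict[tuple, dict] = {}
    for ev in filter(matches, events):
        key = (ev["parent_process_name"], ev["process_name"], ev["user"], ev["dest"])
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"], "process": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
        row["process"].add(ev["process"])
    # values() in Splunk returns a de-duplicated, sorted multivalue field.
    for row in rows.values():
        row["process"] = sorted(row["process"])
    return rows


def risk_message(key: tuple) -> str:
    """The notable 'message' field with $dest$ and $user$ filled in."""
    _parent, _name, user, dest = key
    return f"Attrib.exe with +h flag to hide files on {dest} executed by {user} is detected."


if __name__ == "__main__":
    for key, row in run_detection(SAMPLE_EVENTS).items():
        print(risk_message(key))
        print(f"  parent={key[0]} count={row['count']} "
              f"first={security_content_ctime(row['firstTime'])} "
              f"last={security_content_ctime(row['lastTime'])}")
        for cmd in row["process"]:
            print(f"  process: {cmd}")
```

Running it yields two rows: the real hide (two attrib.exe invocations folded into one row by the `by` clause, with `firstTime` and `lastTime` spanning both) and the `lib+hash` path, which matches `*+h*` without setting any attribute at all. That substring match is exactly the case `known_false_positives` warns about; if it is noisy in a given environment, the place to suppress it is the `hiding_files_and_directories_with_attrib_exe_filter` macro, for example by requiring `+h` to appear as its own token after whitespace rather than anywhere in the command line.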