HUNTS- Hidden Files and Directories (T1158)
HUNTS- Hidden Files and Directories (T1158)
Version 1.0
ATT&CK Technique: Hidden Files and Directories (T1158)
What this playbook hunts for:
-
Execution of attrib.exe to hide files via the command line. Attrib.exe can be used to change file attributes to make files hidden. An attacker may hide files to avoid superficial detection attempts.
How the playbook works:
-
Generates SIEM query for Sysmon Event ID 1 logs where attrib.exe is executed with the “+h” argument.
What results are expected:
-
Name, process ID, and path of the attrib.exe process
-
Command line arguments for attrib.exe
-
Attrib.exe execution time
-
Hostname of the computer where attrib.exe was executed
-
User account that was used to execute the attrib.exe process
Common follow-on actions:
-
Acquire forensic image
-
Sandbox file
-
Get running processes
-
Get network connections
-
Quarantine host
What inputs are necessary:
-
SIEM
-
Logs: Sysmon Event ID 1: Process creation
-
Hunt start time
What subroutine playbooks are needed:
-
Create and Link Alerts from Hunt (Host-based)
What configurations are needed:
-
Sysmon logging enabled
False Positive Potential: Low
-
Execution of attrib.exe with the “+h” argument from the commandline is uncommon. In most cases, files are hidden manually using the GUI though explorer.exe.