From 392351af25bcfaaf05e4617aa8808cc299cc61b8 Mon Sep 17 00:00:00 2001
From: Lurkkeli
Date: Wed, 8 Aug 2018 16:43:54 +0200
Subject: [PATCH] Adding ATT&CK tag
---
 rules/windows/sysmon/sysmon_attrib_hiding_files.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml b/rules/windows/sysmon/sysmon_attrib_hiding_files.yml
index 3ebed3fe..64265e85 100644
--- a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml
+++ b/rules/windows/sysmon/sysmon_attrib_hiding_files.yml
@@ -17,6 +17,10 @@ fields:
 - CommandLine
 - ParentCommandLine
 - User
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1158
 falsepositives:
 - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
 - msiexec.exe hiding desktop.ini
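Review bot: The technique tag `attack.t1158` in the added `tags:` block was a valid ATT&CK ID when this commit was written, but it has since been deprecated; Hidden Files and Directories is now sub-technique T1564.001 (Hide Artifacts), which is listed under Defense Evasion only. Coverage reports that join Sigma tags against the current ATT&CK matrix will likely miss this rule or show it under a retired entry, so anyone reusing it should change the tag to `- attack.t1564.001` and reconsider `- attack.persistence`, which the replacement technique no longer carries. The new block also sits between `fields:` and `falsepositives:`, whereas Sigma rules conventionally place `tags:` with the header metadata ahead of `logsource:`; moving it there keeps the rule consistent with the others. The rule's detection and logsource sections are outside this hunk, so whether the two listed false positives are excluded by the selection cannot be judged from here.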