
[Rule Tuning] attrib.exe usage by draw.io #4721

Open
@richlv

Description

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

draw.io uses attrib.exe in a suboptimal way: jgraph/drawio-desktop#1194.
Would it be possible to have a reasonable exception for it?

Potentially useful fields for this:

| Field | Value |
| --- | --- |
| process.command_line | attrib +h "<path_to_file>.$<file_name>.dtmp" |
| process.parent.command_line | "C:\Program Files\draw.io\draw.io.exe" "<path_to_file>" |
| process.parent.code_signature.exists | true |
| process.parent.code_signature.status | trusted |
| process.parent.code_signature.subject_name | JGraph Ltd |
| process.parent.code_signature.trusted | true |

Example Data

No response
