
Summary
This detection rule identifies commands that remove the read-only attribute from files on Windows systems. Threat actors typically use this technique to modify or delete protected system files, which can lead to unauthorized access or loss of system integrity. The rule tracks process command-line parameters related to the `attrib` command, specifically looking for the `-r` flag, which removes the read-only attribute. It uses Windows Event ID 4688 (process creation) to capture relevant attributes such as process name, user, and host details. The command line is filtered through a regex for the specific flag, and matches are summarized over one-second intervals for refined analysis.
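The following is an added worked example of the detection logic described above; it is not the rule's own query. It applies the `attrib` / `-r` regex to a handful of constructed Event ID 4688 records and summarizes the hits per one-second bucket, host, user and process name. The field names (`EventCode`, `_time`, `host`, `user`, `process_name`, `process`) are assumed for illustration, as are the sample events. It goes slightly beyond the text in one respect: it matches on the full command line rather than only on `process_name`, so an `attrib -r` launched through `cmd.exe /c` is also caught, while `attrib +r` (setting the attribute) and unrelated strings that merely contain "attrib-" are not.

```python
import re
from collections import defaultdict

# Regex for the attrib command with the -r (remove read-only) flag.
# Case-insensitive because attrib accepts -r and -R alike; the \s before
# -r and the \b after it keep "attrib-report.txt" and "-recurse" from matching.
ATTRIB_REMOVE_READONLY = re.compile(r"(?i)\battrib(?:\.exe)?\b.*\s-r\b")

# Constructed sample Event ID 4688 records (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 4688, "_time": 1707465600.10, "host": "WS01", "user": "CORP\\alice",
     "process_name": "attrib.exe",
     "process": "attrib.exe -r C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"EventCode": 4688, "_time": 1707465600.40, "host": "WS01", "user": "CORP\\alice",
     "process_name": "attrib.exe",
     "process": "attrib -R -S -H C:\\Users\\alice\\Documents\\*.docx"},
    {"EventCode": 4688, "_time": 1707465601.70, "host": "WS02", "user": "CORP\\bob",
     "process_name": "attrib.exe",
     "process": "attrib +r C:\\temp\\readme.txt"},            # sets read-only: benign
    {"EventCode": 4688, "_time": 1707465602.00, "host": "WS02", "user": "CORP\\bob",
     "process_name": "cmd.exe",
     "process": "cmd.exe /c attrib -r C:\\temp\\payload.dll"},  # attrib via cmd.exe
    {"EventCode": 4624, "_time": 1707465602.50, "host": "WS02", "user": "CORP\\bob",
     "process_name": "attrib.exe",
     "process": "attrib -r C:\\temp\\x"},                      # not a 4688 event: ignored
    {"EventCode": 4688, "_time": 1707465603.00, "host": "WS03", "user": "CORP\\carol",
     "process_name": "notepad.exe",
     "process": "notepad.exe C:\\notes\\attrib-report.txt"},   # "attrib-" substring only
]


def matches_rule(event):
    """True when the event is a process-creation (4688) record whose command
    line runs attrib with the -r flag."""
    if event.get("EventCode") != 4688:
        return False
    return ATTRIB_REMOVE_READONLY.search(event.get("process", "")) is not None


def detect_readonly_removal(events):
    """Filter events with the rule and summarize hits over one-second buckets,
    keyed by (bucket, host, user, process_name). Returns a sorted list of
    summary dicts with a hit count and the matched command lines."""
    buckets = defaultdict(lambda: {"count": 0, "command_lines": []})
    for ev in events:
        if not matches_rule(ev):
            continue
        # Floor the timestamp to the second to form the one-second interval.
        key = (int(ev["_time"]), ev["host"], ev["user"], ev["process_name"])
        buckets[key]["count"] += 1
        buckets[key]["command_lines"].append(ev["process"])
    return [
        {"time_bucket": k[0], "host": k[1], "user": k[2], "process_name": k[3], **v}
        for k, v in sorted(buckets.items())
    ]


if __name__ == "__main__":
    for row in detect_readonly_removal(SAMPLE_EVENTS):
        print(row)
```

Running this on the constructed sample yields two summary rows: the two `attrib` invocations by `CORP\alice` on `WS01` collapse into one bucket with a count of 2, and the `cmd.exe /c attrib -r` on `WS02` forms a second row; the `+r` call, the non-4688 record and the `attrib-report.txt` filename produce nothing.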
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1222.001
Created: 2024-02-09