Skip to content
Threat Feed
low advisory

Adding Hidden File Attribute via Attrib.exe

Adversaries can use attrib.exe to add the 'hidden' attribute to files and directories to evade detection and persist on a system by hiding artifacts.

Attackers can abuse the attrib.exe utility to modify file attributes, specifically adding the 'hidden' attribute to files and folders. This technique allows attackers to conceal their tools and malware, making them harder to detect by system administrators and users. By hiding files, attackers aim to evade detection and maintain persistence on compromised systems. The rule focuses on detecting the execution of attrib.exe with command-line arguments that indicate the modification of the hidden attribute. This behavior is associated with defense evasion and persistence tactics. The original Elastic detection rule was created in 2020 and updated in April 2026, demonstrating continued relevance.

Attack Chain

  1. An attacker gains initial access to a Windows system (e.g., via exploitation of a vulnerability).
  2. The attacker drops a malicious payload (e.g., a backdoor or keylogger) onto the file system.
  3. The attacker executes attrib.exe with the +h parameter to set the hidden attribute on the dropped payload, making it invisible in standard directory listings.
  4. The attacker might use additional parameters such as +s (system), +r (read-only), or +a (archive) to further obfuscate the file.
  5. The attacker establishes persistence by creating a scheduled task or registry key that points to the hidden malicious file.
  6. The attacker uses the hidden file to maintain unauthorized access to the system.
  7. The attacker performs lateral movement or data exfiltration while remaining undetected due to the hidden nature of the malicious files.

Impact

Successful exploitation of this technique can allow attackers to maintain a persistent presence on a compromised system without being easily detected. This can lead to prolonged data theft, system disruption, or further compromise of the network. The low severity assigned to this behavior reflects that hiding files is often an early-stage or supporting action within a broader attack campaign, and successful exploitation depends on other factors.

Recommendation

  • Deploy the Sigma rule "Detect Adding Hidden File Attribute via Attrib.exe" to your SIEM to detect the use of attrib.exe to hide files (see rules section).
  • Monitor process creation events for instances of attrib.exe being executed with the +h argument via process creation logs (e.g., Sysmon event ID 1).
  • Investigate any alerts generated by the Sigma rule by examining the parent process and command line arguments to determine if the activity is legitimate.
  • Review scheduled tasks and registry run keys for suspicious entries pointing to hidden files, complementing the "Detect Adding Hidden File Attribute via Attrib.exe" rule.
  • Enable process command line logging to ensure the full command executed by attrib.exe is captured, allowing for accurate detection.

Detection coverage 2

Detect Adding Hidden File Attribute via Attrib.exe

medium

Detects the execution of attrib.exe to add the 'hidden' attribute to files or directories.

sigma tactics: defense_evasion, persistence techniques: T1222.001, T1564.001 sources: process_creation, windows

Detect Adding Hidden File Attribute via Attrib.exe - Original File Name

medium

Detects the execution of attrib.exe (identified by original file name) to add the 'hidden' attribute to files or directories.

sigma tactics: defense_evasion, persistence techniques: T1222.001, T1564.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →