medium advisory

Attrib.exe Used to Hide Files and Directories

Detection of attrib.exe being used with the +h flag to hide files and directories on Windows systems, a technique used by attackers for defense evasion and persistence.

This threat brief focuses on the abuse of the native Windows utility attrib.exe to hide files and directories. Attackers use this technique to conceal malicious payloads, tools, or command-and-control infrastructure from both users and security software. By setting the hidden attribute (the +h flag), attackers make their presence harder to detect and their persistence on compromised systems easier to maintain. This activity is typically observed post-exploitation and can indicate a more advanced, persistent threat. The detection looks specifically for attrib.exe command lines that include the +h flag. Legitimate uses of attrib.exe exist, but use of the +h flag, particularly in sensitive directories, should be investigated.

Attack Chain

  1. The attacker gains initial access to the system, often through phishing, exploiting a vulnerability, or compromised credentials.
  2. The attacker executes arbitrary code on the compromised system.
  3. The attacker uploads or creates malicious files (e.g., backdoors, scripts) on the system.
  4. The attacker uses attrib.exe with the +h flag to hide these malicious files and directories, evading detection. Example: attrib +h C:\Windows\Temp\evil.exe
  5. The attacker may also hide associated log files or other artifacts to further conceal their activities.
  6. The attacker establishes persistence, ensuring continued access even after system reboots.
  7. The attacker moves laterally within the network, compromising additional systems and escalating privileges.
  8. The attacker achieves their objective, which may include data theft, ransomware deployment, or espionage.

Impact

Successful exploitation allows attackers to hide malicious files and directories, hindering incident response and forensic investigations. This can lead to prolonged periods of undetected malicious activity, increasing the risk of data breaches, financial loss, and reputational damage. The consequences can range from minor disruptions to significant operational impact, depending on the attacker’s objectives and the scope of the compromise.

Recommendation

  • Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious usage of attrib.exe with the +h flag.
  • Enable process-creation logging with command-line arguments on Windows endpoints so the detection rules have the data they need (Sysmon Event ID 1, or Windows Security event 4688 with command-line inclusion enabled).
  • Investigate any alerts generated by the Sigma rules, paying close attention to the parent processes and the context in which attrib.exe is being executed.
  • Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized file modifications, including attribute changes.

Detection coverage (2 rules)

Attrib.exe Hiding Files in Suspicious Paths

medium

Detects attrib.exe being used to hide files in common malware drop locations.

Rule format: Sigma
Tactics: defense_evasion
Techniques: T1222.001
Sources: process_creation, windows

Attrib.exe Hiding Files by Non-Admin User

low

Detects attrib.exe being used to hide files by a non-administrator user, which is unusual.

Rule format: Sigma
Tactics: defense_evasion
Techniques: T1222.001
Sources: process_creation, windows
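As an added example that is not part of this brief or its Sigma rules, the Python below applies the logic of both detections to constructed process-creation events shaped like Sysmon Event ID 1 fields. The drop-location list and the use of IntegrityLevel as a proxy for "non-admin user" are assumptions, since the advisory names neither; the real queries live in the platform.

```python
import re
from pathlib import PureWindowsPath

# Assumptions: the advisory names no drop paths, so these are illustrative; Sysmon's
# IntegrityLevel below High (Medium/Low) is used as a proxy for "non-admin user".
SUSPICIOUS_DIRS = (r"C:\Windows\Temp", r"C:\Users\Public", r"C:\ProgramData")
ADMIN_INTEGRITY_LEVELS = {"High", "System"}
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # double-quoted token or bare token

def tokenize(command_line):
    """Split a Windows command line, keeping double-quoted paths with spaces whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(command_line)]

def parse_attrib(command_line):
    """Return (attribute switches, target paths) for an attrib.exe invocation, else None."""
    tokens = tokenize(command_line)
    if not tokens or PureWindowsPath(tokens[0]).stem.lower() != "attrib":
        return None
    switches = {t.lower() for t in tokens[1:] if t.startswith(("+", "-"))}
    targets = [t for t in tokens[1:] if not t.startswith(("+", "-", "/"))]
    return switches, targets

def in_suspicious_dir(path):
    """True if the target lies under one of the assumed drop locations (case-insensitive)."""
    return any(PureWindowsPath(d) in PureWindowsPath(path).parents for d in SUSPICIOUS_DIRS)

def evaluate(event):
    """Apply both rules to one process-creation event; return the names of those that fire."""
    parsed = parse_attrib(event["CommandLine"])
    if parsed is None or "+h" not in parsed[0]:
        return []  # not attrib.exe, or the hidden attribute is not being set
    fired = []
    if any(in_suspicious_dir(t) for t in parsed[1]):
        fired.append("Attrib.exe Hiding Files in Suspicious Paths")
    if event.get("IntegrityLevel") not in ADMIN_INTEGRITY_LEVELS:
        fired.append("Attrib.exe Hiding Files by Non-Admin User")
    return fired

# Constructed sample events shaped like Sysmon Event ID 1 fields; not real telemetry.
SAMPLE_EVENTS = [
    {"User": "WS01\\jdoe", "IntegrityLevel": "Medium",
     "CommandLine": r"attrib +h C:\Windows\Temp\evil.exe"},
    {"User": "WS01\\Administrator", "IntegrityLevel": "High",
     "CommandLine": r'C:\Windows\System32\attrib.exe +h +s "C:\Users\Public\Documents\payload.dll"'},
    {"User": "WS01\\jdoe", "IntegrityLevel": "Medium",
     "CommandLine": r'attrib -r "C:\Users\jdoe\Documents\report.docx"'},
    {"User": "WS01\\jdoe", "IntegrityLevel": "Medium",
     "CommandLine": r'attrib +h "C:\Users\jdoe\Documents\notes.txt"'},
]
```

Calling `evaluate` on each entry of SAMPLE_EVENTS fires both rules for the first event, only the suspicious-path rule for the elevated second one, nothing for the `-r` case, and only the non-admin rule for the last.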

Detection queries are kept inside the platform.