{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attrib.exe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Sysmon","CrowdStrike Falcon","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","persistence","windows","attrib.exe"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can add the \u0026lsquo;hidden\u0026rsquo; attribute to files to hide them from the user in an attempt to evade detection. The technique uses the built-in \u003ccode\u003eattrib.exe\u003c/code\u003e utility to modify file attributes. A hidden file is omitted from a default \u003ccode\u003edir\u003c/code\u003e listing and from Explorer unless \u0026lsquo;show hidden files\u0026rsquo; is enabled, so adversaries use it to keep tooling and malware out of sight during casual inspection; combining it with the system attribute (\u003ccode\u003e+h +s\u003c/code\u003e) marks the file as a protected operating-system file, which Explorer hides even when hidden files are shown. The attribute is not a real barrier: \u003ccode\u003edir /a\u003c/code\u003e and \u003ccode\u003eGet-ChildItem -Force\u003c/code\u003e list such files, and it has no access-control effect. This tactic is typically employed post-compromise to maintain a stealthy presence within the target environment. Detection focuses on process-creation events in which \u003ccode\u003eattrib.exe\u003c/code\u003e is launched with command-line arguments that add the hidden attribute (\u003ccode\u003e+h\u003c/code\u003e). 
The rule is designed for data generated by Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows system, for example by exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: \u003ccode\u003eattrib.exe\u003c/code\u003e does not require elevation; it only needs write access to the target file. Escalation is therefore needed only when the attacker wants to hide files in locations the compromised account cannot modify, such as system directories.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker uses \u003ccode\u003eattrib.exe\u003c/code\u003e to set the hidden attribute on a malicious file or directory, for example \u003ccode\u003eattrib.exe +h C:\\path\\to\\malicious\\file.exe\u003c/code\u003e, often together with the system attribute (\u003ccode\u003e+h +s\u003c/code\u003e) and the \u003ccode\u003e/S\u003c/code\u003e switch to recurse through a whole directory tree.\u003c/li\u003e\n\u003cli\u003eConcealment: The file or directory no longer appears in default directory listings or in Explorer, so users and administrators who are not explicitly listing hidden files will overlook it.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker hides the scripts or executables that a startup directory entry or scheduled task launches, so the persistence mechanism survives a casual review of those locations.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The hidden tooling staged on the host is used to move laterally within the network, and copies pushed to other hosts can be hidden the same way as part of a larger campaign.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of this technique is prolonged attacker presence, greater difficulty in detecting malicious activity, and consequently a higher chance of data exfiltration or further system compromise. While the risk score is relatively low, the technique contributes to a broader attack chain and can significantly hinder incident response efforts. 
Successfully hidden artifacts can lead to further compromise, data breaches, or ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Adding Hidden File Attribute via Attrib\u0026rdquo; to your SIEM to detect suspicious usage of \u003ccode\u003eattrib.exe\u003c/code\u003e. Match on the PE \u003ccode\u003eOriginalFileName\u003c/code\u003e (\u003ccode\u003eATTRIB.EXE\u003c/code\u003e) as well as the image name so that a renamed copy of the binary is still caught.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line capture: Sysmon Event ID 1, or Windows Security Event ID 4688 with the \u0026lsquo;Include command line in process creation events\u0026rsquo; policy enabled. Without the command line the \u003ccode\u003e+h\u003c/code\u003e argument is not recorded and the rule cannot fire.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on the parent process, the user, and the target paths (startup folders and user-writable locations such as temp and \u003ccode\u003eProgramData\u003c/code\u003e directories deserve particular attention) to determine whether the activity is legitimate. \u003ccode\u003e+h\u003c/code\u003e combined with \u003ccode\u003e+s\u003c/code\u003e or \u003ccode\u003e/S\u003c/code\u003e is rarely needed by ordinary users.\u003c/li\u003e\n\u003cli\u003eCorrelate detections of \u003ccode\u003eattrib.exe\u003c/code\u003e with other suspicious activities or alerts on the same host, such as new scheduled tasks or files written to startup locations shortly before the attribute change.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized changes to file attributes, including the hidden attribute. The attribute can also be set without \u003ccode\u003eattrib.exe\u003c/code\u003e, for example from PowerShell via \u003ccode\u003e[System.IO.File]::SetAttributes\u003c/code\u003e, so process-based detection alone has gaps that attribute-level monitoring helps close.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-attrib-hidden-file/","summary":"Adversaries can use attrib.exe to add the 'hidden' attribute to files to hide them from users and evade detection, which can be detected by monitoring process executions related to attrib.exe.","title":"Adding Hidden File Attribute via Attrib.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-03-attrib-hidden-file/"}],"language":"en","title":"CraftedSignal Threat Feed — Attrib.exe","version":"https://jsonfeed.org/version/1.1"}
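As an added example (this is not code from the brief, nor from Elastic's or any other vendor's rule), the following Python runs the detection described in the brief over a handful of constructed Sysmon-style process-creation records. It shows the parsing a practitioner has to get right: `+h` may be written as `+H`, joined to other flags (`+s+h`), or mixed with switches; a `-h` must not fire; a renamed copy of the binary is still recognised through the PE `OriginalFileName`; and the parent process, user and target paths are kept for triage. The event field names, the list of sensitive paths and the low/medium scoring are assumptions for illustration.

```python
# Added example (not from the brief or any vendor rule). Event field names follow
# Sysmon Event ID 1 loosely; the path list and severity scoring are assumptions.
import re
import shlex
from dataclasses import dataclass

# Match on PE OriginalFileName as well as image name so a renamed copy is still caught.
ATTRIB_IMAGE_NAMES = {"attrib.exe"}
ATTRIB_ORIGINAL_FILE_NAME = "ATTRIB.EXE"

# Assumed locations where newly hidden files point at persistence; tune per environment.
SENSITIVE_PATH_FRAGMENTS = (r"\start menu\programs\startup", r"\appdata\local\temp",
                            r"\appdata\roaming", r"\programdata", r"\windows\temp", r"\users\public")


@dataclass
class Finding:
    host: str
    user: str
    parent_image: str
    attribute_ops: list
    targets: list
    severity: str


def parse_attrib_args(command_line):
    """Split an attrib command line into (attribute ops, switches, target paths).
    attrib takes flags such as +h, -h, +s (possibly back to back, e.g. +s+h),
    switches such as /S /D /L, and one or more paths."""
    try:
        tokens = shlex.split(command_line, posix=False)   # keeps backslashes, leaves quotes on tokens
    except ValueError:                                     # unbalanced quote: plain whitespace split
        tokens = command_line.split()
    ops, switches, targets = [], [], []
    for tok in tokens[1:]:                                 # tokens[0] is the image itself
        bare = tok.strip('"')
        if re.fullmatch(r"(?:[+-][a-zA-Z])+", bare):
            ops.extend(m.lower() for m in re.findall(r"[+-][a-zA-Z]", bare))
        elif bare.startswith("/"):
            switches.append(bare.lower())
        elif bare:
            targets.append(bare)
    return ops, switches, targets


def is_attrib(event):
    """True if the process is attrib.exe by image name or by PE OriginalFileName."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return image in ATTRIB_IMAGE_NAMES or event.get("OriginalFileName", "").upper() == ATTRIB_ORIGINAL_FILE_NAME


def detect(event):
    """Return a Finding when attrib.exe ADDS the hidden attribute, else None."""
    if not is_attrib(event):
        return None
    ops, switches, targets = parse_attrib_args(event.get("CommandLine", ""))
    if "+h" not in ops:                 # -h, +r, +a, ... are out of scope for this rule
        return None
    severity = "low"
    if "+s" in ops:                     # +h +s also hides the file from Explorer's "show hidden files" view
        severity = "medium"
    if "/s" in switches:                # recursively hiding a whole tree is unusual for interactive use
        severity = "medium"
    if any(frag in t.lower() for t in targets for frag in SENSITIVE_PATH_FRAGMENTS):
        severity = "medium"             # startup/temp/shared locations point at persistence
    return Finding(event.get("Computer", "?"), event.get("User", "?"),
                   event.get("ParentImage", "?"), ops, targets, severity)


def run(events):
    """Apply detect() to a stream of events and return the findings in order."""
    return [f for f in map(detect, events) if f is not None]


# Constructed Sysmon-style records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    # 0: hide + system attribute in a shared folder from a cmd.exe shell -> medium
    {"Computer": "WS01", "User": r"CORP\alice", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\attrib.exe", "OriginalFileName": "ATTRIB.EXE",
     "CommandLine": r'attrib.exe +h +s "C:\Users\Public\svc.exe"'},
    # 1: removing the hidden attribute is out of scope -> no finding
    {"Computer": "WS01", "User": r"CORP\bob", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\attrib.exe", "OriginalFileName": "ATTRIB.EXE",
     "CommandLine": r"attrib -h C:\Users\bob\notes.txt"},
    # 2: renamed copy of attrib.exe, caught via OriginalFileName; Startup folder target -> medium
    {"Computer": "WS02", "User": r"CORP\bob", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Temp\atb.exe", "OriginalFileName": "ATTRIB.EXE",
     "CommandLine": r'atb.exe +H "C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.vbs"'},
    # 3: a single user file hidden by hand -> low; parent and user are kept for triage
    {"Computer": "WS03", "User": r"CORP\carol", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\attrib.exe", "OriginalFileName": "ATTRIB.EXE",
     "CommandLine": r"attrib.exe +h D:\scratch\diary.txt"},
    # 4: unrelated process with a '+h' argument -> no finding
    {"Computer": "WS04", "User": r"CORP\dave", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe +h"},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.user} parent={f.parent_image} "
              f"ops={' '.join(f.attribute_ops)} targets={f.targets}")
```

Run it directly to print the three findings. In a SIEM the same conditions translate into a query on process name or original file name plus a command-line match on `+h`, with the `+s`, `/S` and target-path checks used as severity modifiers rather than as extra filters, so that a plain `+h` on a single user file still produces a low-severity alert for review.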