Hiding Files using Attrib.exe

Rule added on 30th May, 2024

Rule type:

Correlation

Rule description:

Attrib.exe is a command-line tool in Windows that is used to view and set file and directory attributes such as read-only, hidden, archive, and system.

Attackers can use it to manipulate file attributes and hide files on the system.

Attack chain scenario: Insider threat -> Unauthorized file manipulation -> Hiding files using attrib.exe -> Data tampering

Impact:

This can affect organizations in the following ways:

  • Downloading and executing malware
  • Data exfiltration
  • Data tampering

Data source:

Windows > Process Creation

Required configuration: This rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the Audit Process Creation audit policy, and enabling command-line auditing so that the command line is recorded in process creation events.

Relevant MITRE ATT&CK techniques and tactics:

Tactic: TA0005 - Defense Evasion

Technique: T1564 - Hide Artifacts

Sub-technique: T1564.001 - Hidden Files and Directories

Criteria:

( ( ( Command Line contains "+h" ) OR ( Command Line contains "-h" ) ) AND ( Command Line not contains "+R" ) AND ( Command Line not contains "-R" ) AND ( Command Line not contains "+S" ) AND ( Command Line not contains "-S" ) AND ( Command Line not contains "+A" ) AND ( Command Line not contains "-A" ) AND ( Command Line not contains ".cui" ) AND ( Command Line not contains ".ini" ) ) AND ( ( Process Name = "*attrib.exe" ) )

+h, -h: These parameters make files and folders hidden in, or visible again in, standard directory listings, respectively.

+r, -r: These parameters set and remove the read-only attribute on the specified file or directory, respectively.

+s, -s: These parameters add and remove the system attribute on the specified file or directory, respectively.

+a, -a: These parameters set and remove the archive attribute on the specified file or directory, respectively.

.cui: Customizable user interface configuration files.

.ini: Configuration files used by applications to store their settings.

*attrib.exe: Modifies file or directory attributes.
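As an added example (not part of the original rule documentation), the criteria above implemented in Python and run over constructed process-creation records, with the OR clause grouped so that every exclusion applies to both +h and -h. String comparisons are assumed to be case-insensitive, since attrib.exe accepts +h and +H alike; the record field names (Image, CommandLine) follow Sysmon Event ID 1 conventions.

```python
# Hide flags and exclusion substrings taken from the rule's Criteria block.
# Comparison is done in lower case, assuming the rule engine matches
# case-insensitively (attrib.exe treats +h and +H the same).
HIDE_FLAGS = ("+h", "-h")
EXCLUDED = ("+r", "-r", "+s", "-s", "+a", "-a", ".cui", ".ini")

def is_attrib(process_name: str) -> bool:
    """Process Name = "*attrib.exe": trailing-wildcard match on the image path."""
    return process_name.lower().endswith("attrib.exe")

def matches_rule(process_name: str, command_line: str) -> bool:
    """Criteria with (+h OR -h) grouped, so the exclusions apply to both flags."""
    if not is_attrib(process_name):
        return False
    cl = command_line.lower()
    has_hide = any(flag in cl for flag in HIDE_FLAGS)
    has_excluded = any(token in cl for token in EXCLUDED)
    return has_hide and not has_excluded

def matches_naive(process_name: str, command_line: str) -> bool:
    """Criteria read literally with AND binding tighter than OR: '+h' alone fires."""
    if not is_attrib(process_name):
        return False
    cl = command_line.lower()
    has_excluded = any(token in cl for token in EXCLUDED)
    return ("+h" in cl) or ("-h" in cl and not has_excluded)

# Constructed Sysmon Event ID 1 style records (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\attrib.exe", "CommandLine": r"attrib +h C:\Users\bob\stage.dll"},
    {"Image": r"C:\Windows\System32\attrib.exe", "CommandLine": r"attrib +h +s C:\Windows\Temp\svc"},
    {"Image": r"C:\Windows\System32\attrib.exe", "CommandLine": r"attrib +h C:\Users\bob\desktop.ini"},
    {"Image": r"C:\Windows\System32\attrib.exe", "CommandLine": r"attrib -r C:\Users\bob\notes.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe",    "CommandLine": r"cmd.exe /c echo +h"},
]

def evaluate(events, rule=matches_rule):
    """Return the command lines that the given predicate flags."""
    return [e["CommandLine"] for e in events if rule(e["Image"], e["CommandLine"])]

if __name__ == "__main__":
    print("grouped :", evaluate(SAMPLE_EVENTS))
    print("literal :", evaluate(SAMPLE_EVENTS, matches_naive))
```

Only the first record is flagged by the grouped criteria; the literal reading also flags the +s and desktop.ini records that the exclusions were meant to suppress. Because "contains" is a substring test, a hyphenated path segment such as `C:\build-host\` also satisfies `-h`, which is where the file-path refinement mentioned under known false positives helps.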

When to enable this rule:

Enabling this rule helps you meet the security standard requirement listed below:

Security standards (NIST CSF 2.0):

PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.

When this rule is triggered, you're notified of a potential modification of file attributes using attrib.exe. This lets you review the access and permissions involved and take corrective measures, such as regularly monitoring the use of such tools for unauthorized access.

Known false positives: This rule is unlikely to create false positives, but add further criteria if required, such as a specific file path, to refine it.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify if the alert is a new incident or part of an existing incident.
  • Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to terminate the malicious process.
  • Permissions: Restrict the use of attrib.exe to only authorized users.