attrib.exe

  • File Path: C:\Windows\SysWOW64\attrib.exe
  • Description: Attribute Utility

Hashes

Type Hash
MD5 8A6D490C0EC9BE27B97FE1E37CDE1325
SHA1 D1783E413929B312709C58EE1BAC0BD80B2F703B
SHA256 B0FA083D8276EDE756D9E525B18EEBC9067357747228F0D965D452FA194E0C47
SHA384 20A91B58555B3137122F091DDEAD1A137A162944AA84480E55D7DF8A0765CD627EC752E6AD4A5FD1CF7A836E0112AAC5
SHA512 877939CFEF26F5548A84E4579AA2B8B9EFE1FBC45E505056E69BE254B0EC6AA317CF884D3F15A1E94B942FF643605AA699E2FAA51711A36321DAE4309B82D3C8
SSDEEP 384:l6RtFqGdTDEhg5qqGiH1ZNQqYCfw3W4tWY:l6HFqGPES2Cfwbf
IMP F0A82FEBA5B0EF2BE614622AE3E32C1C
PESHA1 6DF0A3CD15CF1CFCEE0E1C6C93AE99F039A96FCE
PE256 F5913BE4079DC309F522D06580E634F14047FD20F2430AE7F7259F243F3E6A7F

Runtime Data

Usage (stdout):

Displays or changes file attributes.

ATTRIB [+R | -R] [+A | -A] [+S | -S] [+H | -H] [+O | -O] [+I | -I] [+X | -X] [+P | -P] [+U | -U]
       [drive:][path][filename] [/S [/D]] [/L]

  +   Sets an attribute.
  -   Clears an attribute.
  R   Read-only file attribute.
  A   Archive file attribute.
  S   System file attribute.
  H   Hidden file attribute.
  O   Offline attribute.
  I   Not content indexed file attribute.
  X   No scrub file attribute.
  V   Integrity attribute.
  P   Pinned attribute.
  U   Unpinned attribute.
  B   SMR Blob attribute.
  [drive:][path][filename]
      Specifies a file or files for attrib to process.
  /S  Processes matching files in the current folder
      and all subfolders.
  /D  Processes folders as well.
  /L  Work on the attributes of the Symbolic Link versus
      the target of the Symbolic Link


Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\attrib.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ATTRIB.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/b0fa083d8276ede756d9e525b18eebc9067357747228f0d965d452fa194e0c47/detection/

Possible Misuse

The following table contains possible examples of attrib.exe being misused. While attrib.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_apt_hafnium.yml - 'attrib' DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml title: Hiding Files with Attrib.exe DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml description: Detects usage of attrib.exe to hide files from users. DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml Image\|endswith: '\attrib.exe' DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) DRL 1.0
sigma proc_creation_win_attrib_system.yml title: Set Windows System File with Attrib DRL 1.0
sigma proc_creation_win_attrib_system.yml description: Marks a file as a system file using the attrib.exe utility DRL 1.0
sigma proc_creation_win_attrib_system.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib DRL 1.0
sigma proc_creation_win_attrib_system.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib DRL 1.0
sigma proc_creation_win_attrib_system.yml Image\|endswith: \attrib.exe DRL 1.0
sigma proc_creation_win_file_permission_modifications.yml Image\|endswith: '\attrib.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - attrib.exe DRL 1.0
malware-ioc oceanlotus-macOS.misp.event.json "description": "To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \u2018hidden\u2019 file. These files don\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir \/a<\/code> for Windows and <code>ls \u2013a<\/code> for Linux and macOS).\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.\n\n### Windows\n\nUsers can mark specific files as hidden by using the attrib.exe binary. Simply do <code>attrib +h filename<\/code> to mark a file or folder as hidden. Similarly, the \u201c+s\u201d marks a file as a system file and the \u201c+r\u201d flag marks the file as read only. Like most windows binaries, the attrib.exe binary provides the ability to apply these changes recursively \u201c\/S\u201d.\n\n### Linux\/Mac\n\nUsers can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folder that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable. For command line usages, there is typically a flag to see all files (including hidden ones). To view these files in the Finder Application, the following command must be executed: <code>defaults write com.apple.finder AppleShowAllFiles YES<\/code>, and then relaunch the Finder Application.\n\n### Mac\n\nFiles on macOS can be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker).\nMany applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.", © ESET 2014-2018
malware-ioc oceanlotus-macOS.misp.event.json "https:\/\/docs.microsoft.com\/windows-server\/administration\/windows-commands\/attrib", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #3: Create Windows System File with Attrib [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Create Windows Hidden File with Attrib [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: attrib - Remove read-only attribute [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: attrib - hide file [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Create Windows System File with Attrib [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Create Windows Hidden File with Attrib [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: attrib - Remove read-only attribute [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: attrib - hide file [windows] MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md - Atomic Test #3 - attrib - Remove read-only attribute MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md - Atomic Test #4 - attrib - hide file MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md ## Atomic Test #3 - attrib - Remove read-only attribute MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed. MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe -r #{file_or_folder}*.* /s MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe +r #{file_or_folder}\T1222.001_attrib1.txt MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe +r #{file_or_folder}\T1222.001_attrib2.txt MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md ## Atomic Test #4 - attrib - hide file MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe +h #{file_or_folder}\T1222.001_attrib1.txt MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys. MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md - Atomic Test #3 - Create Windows System File with Attrib MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md - Atomic Test #4 - Create Windows Hidden File with Attrib MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md ## Atomic Test #3 - Create Windows System File with Attrib MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md | file_to_modify | File to modify using Attrib command | String | %temp%\T1564.001.txt| MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md attrib.exe +s #{file_to_modify} MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md ## Atomic Test #4 - Create Windows Hidden File with Attrib MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md attrib.exe +h #{file_to_modify} MIT License. © 2018 Red Canary
signature-base apt_hafnium_log_sigs.yar $s2 = “aspnet_client&attrib +h +s +r “ CC BY-NC 4.0
signature-base apt_keylogger_cn.yar $x2 = “attrib -s -h -r c:\ntldr” fullword ascii CC BY-NC 4.0
signature-base thor-webshells.yar $s7 = “Response.write"<” CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = “window.open(""&url&"?id=edit&path="+sfile+"&op=copy&attrib="+attrib+"&dpath="+lp” CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


attrib

Displays, sets, or removes attributes assigned to files or directories. If used without parameters, attrib displays attributes of all files in the current directory.

Syntax

attrib [{+|-}r] [{+|-}a] [{+|-}s] [{+|-}h] [{+|-}i] [<drive>:][<path>][<filename>] [/s [/d] [/l]]

Parameters

Parameter Description
{+|-}r Sets (+) or clears (-) the Read-only file attribute.
{+\|-}a Sets (+) or clears (-) the Archive file attribute. This attribute set marks files that have changed since the last time they were backed up. Note that the xcopy command uses archive attributes.
{+\|-}s Sets (+) or clears (-) the System file attribute. If a file uses this attribute set, you must clear the attribute before you can change any other attributes for the file.
{+\|-}h Sets (+) or clears (-) the Hidden file attribute. If a file uses this attribute set, you must clear the attribute before you can change any other attributes for the file.
{+\|-}i Sets (+) or clears (-) the Not Content Indexed file attribute.
[<drive>:][<path>][<filename>] Specifies the location and name of the directory, file, or group of files for which you want to display or change attributes.<p>You can use the ? and * wildcard characters in the filename parameter to display or change the attributes for a group of files.
/s Applies attrib and any command-line options to matching files in the current directory and all of its subdirectories.
/d Applies attrib and any command-line options to directories.
/l Applies attrib and any command-line options to the Symbolic Link, rather than the target of the Symbolic Link.
/? Displays help at the command prompt.

Examples

To display the attributes of a file named News86 that is located in the current directory, type:

attrib news86

To assign the Read-only attribute to the file named report.txt, type:

attrib +r report.txt

To remove the Read-only attribute from files in the public directory and its subdirectories on a disk in drive b:, type:

attrib -r b:\public\*.* /s

To set the Archive attribute for all files on drive a:, and then clear the Archive attribute for files with the .bak extension, type:

attrib +a a:*.* & attrib -a a:*.bak

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.