attrib.exe
- File Path:
C:\Windows\SysWOW64\attrib.exe - Description: Attribute Utility
Hashes
| Type | Hash |
|---|---|
| MD5 | 0E938DD280E83B1596EC6AA48729C2B0 |
| SHA1 | 831EF11DA10DE2706EF6920D58CB3CC145148B27 |
| SHA256 | 1DD136CD5B90C2ABC4F163429A99ED32A7D4B047407DF45D96E20130F8B14920 |
| SHA384 | D88AAE456106BFBA204A09811B5174986EF7B58BB9EAE5A85258D3C6334624B29C1C1A962B7884D1D69AE4137330A220 |
| SHA512 | 5DF2F8157AA0EA3C32ECE1041DD4B31A6AE915E17223B7C5A14AF403023945F83AC41A872D0883684735C166150AA65A205344D6163443A5CEDAF4CB546C9D40 |
| SSDEEP | 384:mnfAhEVYUnsthqUHFOQw61Z8EI/5fw3WjtWEBw:mn4hEC1vqUHVO5fwQdK |
| IMP | F0A82FEBA5B0EF2BE614622AE3E32C1C |
| PESHA1 | E7D6EF1C3AEDE4303A8C10728B3CB58400650472 |
| PE256 | 7158B349B67B87161BE1CF5D048DC9863DB8DB974298BB7559EB2F6A289D4FBC |
Runtime Data
Usage (stdout):
Displays or changes file attributes.
ATTRIB [+R | -R] [+A | -A] [+S | -S] [+H | -H] [+O | -O] [+I | -I] [+X | -X] [+P | -P] [+U | -U]
[drive:][path][filename] [/S [/D]] [/L]
+ Sets an attribute.
- Clears an attribute.
R Read-only file attribute.
A Archive file attribute.
S System file attribute.
H Hidden file attribute.
O Offline attribute.
I Not content indexed file attribute.
X No scrub file attribute.
V Integrity attribute.
P Pinned attribute.
U Unpinned attribute.
B SMR Blob attribute.
[drive:][path][filename]
Specifies a file or files for attrib to process.
/S Processes matching files in the current folder
and all subfolders.
/D Processes folders as well.
/L Work on the attributes of the Symbolic Link versus
the target of the Symbolic Link
Loaded Modules:
| Path |
|---|
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\attrib.exe |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: ATTRIB.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/1dd136cd5b90c2abc4f163429a99ed32a7d4b047407df45d96e20130f8b14920/detection
Possible Misuse
The following table contains possible examples of attrib.exe being misused. While attrib.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_apt_hafnium.yml | - 'attrib' |
DRL 1.0 |
| sigma | proc_creation_win_attrib_hiding_files.yml | title: Hiding Files with Attrib.exe |
DRL 1.0 |
| sigma | proc_creation_win_attrib_hiding_files.yml | description: Detects usage of attrib.exe to hide files from users. |
DRL 1.0 |
| sigma | proc_creation_win_attrib_hiding_files.yml | Image\|endswith: '\attrib.exe' |
DRL 1.0 |
| sigma | proc_creation_win_attrib_hiding_files.yml | - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) |
DRL 1.0 |
| sigma | proc_creation_win_attrib_system.yml | title: Set Windows System File with Attrib |
DRL 1.0 |
| sigma | proc_creation_win_attrib_system.yml | description: Marks a file as a system file using the attrib.exe utility |
DRL 1.0 |
| sigma | proc_creation_win_attrib_system.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib |
DRL 1.0 |
| sigma | proc_creation_win_attrib_system.yml | - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib |
DRL 1.0 |
| sigma | proc_creation_win_attrib_system.yml | Image\|endswith: \attrib.exe |
DRL 1.0 |
| sigma | proc_creation_win_file_permission_modifications.yml | Image\|endswith: '\attrib.exe' |
DRL 1.0 |
| sigma | proc_creation_win_multiple_suspicious_cli.yml | - attrib.exe |
DRL 1.0 |
| malware-ioc | oceanlotus-macOS.misp.event.json | "description": "To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \u2018hidden\u2019 file. These files don\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir \/a<\/code> for Windows and <code>ls \u2013a<\/code> for Linux and macOS).\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.\n\n### Windows\n\nUsers can mark specific files as hidden by using the attrib.exe binary. Simply do <code>attrib +h filename<\/code> to mark a file or folder as hidden. Similarly, the \u201c+s\u201d marks a file as a system file and the \u201c+r\u201d flag marks the file as read only. Like most windows binaries, the attrib.exe binary provides the ability to apply these changes recursively \u201c\/S\u201d.\n\n### Linux\/Mac\n\nUsers can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folder that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable. For command line usages, there is typically a flag to see all files (including hidden ones). To view these files in the Finder Application, the following command must be executed: <code>defaults write com.apple.finder AppleShowAllFiles YES<\/code>, and then relaunch the Finder Application.\n\n### Mac\n\nFiles on macOS can be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker).\nMany applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.", |
© ESET 2014-2018 |
| malware-ioc | oceanlotus-macOS.misp.event.json | "https:\/\/docs.microsoft.com\/windows-server\/administration\/windows-commands\/attrib", |
© ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #3: Create Windows System File with Attrib [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #4: Create Windows Hidden File with Attrib [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #3: attrib - Remove read-only attribute [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #4: attrib - hide file [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Create Windows System File with Attrib [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #4: Create Windows Hidden File with Attrib [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: attrib - Remove read-only attribute [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #4: attrib - hide file [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1222.001.md | Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.</blockquote> |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1222.001.md | - Atomic Test #3 - attrib - Remove read-only attribute | MIT License. © 2018 Red Canary |
| atomic-red-team | T1222.001.md | - Atomic Test #4 - attrib - hide file | MIT License. © 2018 Red Canary |
| atomic-red-team | T1222.001.md | ## Atomic Test #3 - attrib - Remove read-only attribute | MIT License. © 2018 Red Canary |
| atomic-red-team | T1222.001.md | Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1222.001.md | attrib.exe -r #{file_or_folder}*.* /s | MIT License. © 2018 Red Canary |
| atomic-red-team | T1222.001.md | attrib.exe +r #{file_or_folder}\T1222.001_attrib1.txt | MIT License. © 2018 Red Canary |
| atomic-red-team | T1222.001.md | attrib.exe +r #{file_or_folder}\T1222.001_attrib2.txt | MIT License. © 2018 Red Canary |
| atomic-red-team | T1222.001.md | ## Atomic Test #4 - attrib - hide file | MIT License. © 2018 Red Canary |
| atomic-red-team | T1222.001.md | Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that | MIT License. © 2018 Red Canary |
| atomic-red-team | T1222.001.md | attrib.exe +h #{file_or_folder}\T1222.001_attrib1.txt | MIT License. © 2018 Red Canary |
| atomic-red-team | T1222.001.md | attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.001.md | Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.001.md | - Atomic Test #3 - Create Windows System File with Attrib | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.001.md | - Atomic Test #4 - Create Windows Hidden File with Attrib | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.001.md | ## Atomic Test #3 - Create Windows System File with Attrib | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.001.md | Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.001.md | | file_to_modify | File to modify using Attrib command | String | %temp%\T1564.001.txt| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.001.md | attrib.exe +s #{file_to_modify} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.001.md | ## Atomic Test #4 - Create Windows Hidden File with Attrib | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.001.md | Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.001.md | attrib.exe +h #{file_to_modify} | MIT License. © 2018 Red Canary |
| signature-base | apt_hafnium_log_sigs.yar | $s2 = “aspnet_client&attrib +h +s +r “ | CC BY-NC 4.0 |
| signature-base | apt_keylogger_cn.yar | $x2 = “attrib -s -h -r c:\ntldr” fullword ascii | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s7 = “Response.write"<” | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s0 = “window.open(""&url&"?id=edit&path="+sfile+"&op=copy&attrib="+attrib+"&dpath="+lp” | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
attrib
Displays, sets, or removes attributes assigned to files or directories. If used without parameters, attrib displays attributes of all files in the current directory.
Syntax
attrib [{+|-}r] [{+|-}a] [{+|-}s] [{+|-}h] [{+|-}i] [<drive>:][<path>][<filename>] [/s [/d] [/l]]
Parameters
| Parameter | Description |
|---|---|
{+|-}r |
Sets (+) or clears (-) the Read-only file attribute. |
{+\|-}a |
Sets (+) or clears (-) the Archive file attribute. This attribute set marks files that have changed since the last time they were backed up. Note that the xcopy command uses archive attributes. |
{+\|-}s |
Sets (+) or clears (-) the System file attribute. If a file uses this attribute set, you must clear the attribute before you can change any other attributes for the file. |
{+\|-}h |
Sets (+) or clears (-) the Hidden file attribute. If a file uses this attribute set, you must clear the attribute before you can change any other attributes for the file. |
{+\|-}i |
Sets (+) or clears (-) the Not Content Indexed file attribute. |
[<drive>:][<path>][<filename>] |
Specifies the location and name of the directory, file, or group of files for which you want to display or change attributes.<p>You can use the ? and * wildcard characters in the filename parameter to display or change the attributes for a group of files. |
| /s | Applies attrib and any command-line options to matching files in the current directory and all of its subdirectories. |
| /d | Applies attrib and any command-line options to directories. |
| /l | Applies attrib and any command-line options to the Symbolic Link, rather than the target of the Symbolic Link. |
| /? | Displays help at the command prompt. |
Examples
To display the attributes of a file named News86 that is located in the current directory, type:
attrib news86
To assign the Read-only attribute to the file named report.txt, type:
attrib +r report.txt
To remove the Read-only attribute from files in the public directory and its subdirectories on a disk in drive b:, type:
attrib -r b:\public\*.* /s
To set the Archive attribute for all files on drive a:, and then clear the Archive attribute for files with the .bak extension, type:
attrib +a a:*.* & attrib -a a:*.bak
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.