attrib.exe

  • File Path: C:\Windows\system32\attrib.exe
  • Description: Attribute Utility

Hashes

Type Hash
MD5 5037D8E6670EF1D89FB6AD435F12A9FD
SHA1 B8337FA20077A2C6DB7D01CCC18E328A91255745
SHA256 1043111FF07814B0D3439561B4CEE5D7EC1799A7A0A419949FEE707666F6DDED
SHA384 EB296F04B98E4ADE3517DDCB6B6EFA60BD2B4D2B636A62383E25922C470BE823CA67B876223D9B1532CB0BE227AABED2
SHA512 5BF517A500D25BFA57445E51750A51CEBFC3C325BBCDC5D7EE0E9C3109F5F0DC6259FDE8417A24AFC1C608C44D090BE3630663E0B1536E6FB30E5EAFD4621F4F
SSDEEP 384:/Nm/jtao5pbmww2j3B0UEdsGDv9CBP54OLw6tGfvXWjtW:/Nsjiww2eUAsWCh51tGfvw
IMP 2CB38FE7D8F223D9DA50B7CBA9B95A6D
PESHA1 2BB3502AFE4CFD81386AA37E07C59F887BD74985
PE256 D4B156B92D125EA57B4BB7C1E72C8E06FD8602F85A77EE9AD91E67F77DDDE671

Runtime Data

Usage (stdout):

Displays or changes file attributes.

ATTRIB [+R | -R] [+A | -A] [+S | -S] [+H | -H] [+O | -O] [+I | -I] [+X | -X] [+P | -P] [+U | -U]
       [drive:][path][filename] [/S [/D]] [/L]

  +   Sets an attribute.
  -   Clears an attribute.
  R   Read-only file attribute.
  A   Archive file attribute.
  S   System file attribute.
  H   Hidden file attribute.
  O   Offline attribute.
  I   Not content indexed file attribute.
  X   No scrub file attribute.
  V   Integrity attribute.
  P   Pinned attribute.
  U   Unpinned attribute.
  B   SMR Blob attribute.
  [drive:][path][filename]
      Specifies a file or files for attrib to process.
  /S  Processes matching files in the current folder
      and all subfolders.
  /D  Processes folders as well.
  /L  Work on the attributes of the Symbolic Link versus
      the target of the Symbolic Link


Loaded Modules:

Path
C:\Windows\system32\attrib.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ATTRIB.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/1043111ff07814b0d3439561b4cee5d7ec1799a7a0a419949fee707666f6dded/detection

Possible Misuse

The following table contains possible examples of attrib.exe being misused. While attrib.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_apt_hafnium.yml - 'attrib' DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml title: Hiding Files with Attrib.exe DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml description: Detects usage of attrib.exe to hide files from users. DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml Image\|endswith: '\attrib.exe' DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) DRL 1.0
sigma proc_creation_win_attrib_system.yml title: Set Windows System File with Attrib DRL 1.0
sigma proc_creation_win_attrib_system.yml description: Marks a file as a system file using the attrib.exe utility DRL 1.0
sigma proc_creation_win_attrib_system.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib DRL 1.0
sigma proc_creation_win_attrib_system.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib DRL 1.0
sigma proc_creation_win_attrib_system.yml Image\|endswith: \attrib.exe DRL 1.0
sigma proc_creation_win_file_permission_modifications.yml Image\|endswith: '\attrib.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - attrib.exe DRL 1.0
malware-ioc oceanlotus-macOS.misp.event.json "description": "To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \u2018hidden\u2019 file. These files don\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir \/a<\/code> for Windows and <code>ls \u2013a<\/code> for Linux and macOS).\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.\n\n### Windows\n\nUsers can mark specific files as hidden by using the attrib.exe binary. Simply do <code>attrib +h filename<\/code> to mark a file or folder as hidden. Similarly, the \u201c+s\u201d marks a file as a system file and the \u201c+r\u201d flag marks the file as read only. Like most windows binaries, the attrib.exe binary provides the ability to apply these changes recursively \u201c\/S\u201d.\n\n### Linux\/Mac\n\nUsers can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folder that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable. For command line usages, there is typically a flag to see all files (including hidden ones). To view these files in the Finder Application, the following command must be executed: <code>defaults write com.apple.finder AppleShowAllFiles YES<\/code>, and then relaunch the Finder Application.\n\n### Mac\n\nFiles on macOS can be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker).\nMany applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.", © ESET 2014-2018
malware-ioc oceanlotus-macOS.misp.event.json "https:\/\/docs.microsoft.com\/windows-server\/administration\/windows-commands\/attrib", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #3: Create Windows System File with Attrib [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Create Windows Hidden File with Attrib [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: attrib - Remove read-only attribute [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: attrib - hide file [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Create Windows System File with Attrib [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Create Windows Hidden File with Attrib [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: attrib - Remove read-only attribute [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: attrib - hide file [windows] MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md - Atomic Test #3 - attrib - Remove read-only attribute MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md - Atomic Test #4 - attrib - hide file MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md ## Atomic Test #3 - attrib - Remove read-only attribute MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed. MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe -r #{file_or_folder}*.* /s MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe +r #{file_or_folder}\T1222.001_attrib1.txt MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe +r #{file_or_folder}\T1222.001_attrib2.txt MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md ## Atomic Test #4 - attrib - hide file MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe +h #{file_or_folder}\T1222.001_attrib1.txt MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys. MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md - Atomic Test #3 - Create Windows System File with Attrib MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md - Atomic Test #4 - Create Windows Hidden File with Attrib MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md ## Atomic Test #3 - Create Windows System File with Attrib MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md | file_to_modify | File to modify using Attrib command | String | %temp%\T1564.001.txt| MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md attrib.exe +s #{file_to_modify} MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md ## Atomic Test #4 - Create Windows Hidden File with Attrib MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md attrib.exe +h #{file_to_modify} MIT License. © 2018 Red Canary
signature-base apt_hafnium_log_sigs.yar $s2 = “aspnet_client&attrib +h +s +r “ CC BY-NC 4.0
signature-base apt_keylogger_cn.yar $x2 = “attrib -s -h -r c:\ntldr” fullword ascii CC BY-NC 4.0
signature-base thor-webshells.yar $s7 = “Response.write"<” CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = “window.open(""&url&"?id=edit&path="+sfile+"&op=copy&attrib="+attrib+"&dpath="+lp” CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


attrib

Displays, sets, or removes attributes assigned to files or directories. If used without parameters, attrib displays attributes of all files in the current directory.

Syntax

attrib [{+|-}r] [{+|-}a] [{+|-}s] [{+|-}h] [{+|-}i] [<drive>:][<path>][<filename>] [/s [/d] [/l]]

Parameters

Parameter Description
{+|-}r Sets (+) or clears (-) the Read-only file attribute.
{+\|-}a Sets (+) or clears (-) the Archive file attribute. This attribute set marks files that have changed since the last time they were backed up. Note that the xcopy command uses archive attributes.
{+\|-}s Sets (+) or clears (-) the System file attribute. If a file uses this attribute set, you must clear the attribute before you can change any other attributes for the file.
{+\|-}h Sets (+) or clears (-) the Hidden file attribute. If a file uses this attribute set, you must clear the attribute before you can change any other attributes for the file.
{+\|-}i Sets (+) or clears (-) the Not Content Indexed file attribute.
[<drive>:][<path>][<filename>] Specifies the location and name of the directory, file, or group of files for which you want to display or change attributes.<p>You can use the ? and * wildcard characters in the filename parameter to display or change the attributes for a group of files.
/s Applies attrib and any command-line options to matching files in the current directory and all of its subdirectories.
/d Applies attrib and any command-line options to directories.
/l Applies attrib and any command-line options to the Symbolic Link, rather than the target of the Symbolic Link.
/? Displays help at the command prompt.

Examples

To display the attributes of a file named News86 that is located in the current directory, type:

attrib news86

To assign the Read-only attribute to the file named report.txt, type:

attrib +r report.txt

To remove the Read-only attribute from files in the public directory and its subdirectories on a disk in drive b:, type:

attrib -r b:\public\*.* /s

To set the Archive attribute for all files on drive a:, and then clear the Archive attribute for files with the .bak extension, type:

attrib +a a:*.* & attrib -a a:*.bak

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.