attrib.exe

  • File Path: C:\Windows\system32\attrib.exe
  • Description: Attribute Utility

Hashes

Type Hash
MD5 E2B44D665E20F6FF5C453E0BD450D6FB
SHA1 3A5684E9496357F7A2AAD5ECB175C3DC99C1D7FC
SHA256 F9F41EE710DCA39EFF229F5277AF4E3A24EDF7ECA6DFB2627AC3FEFC934907B2
SHA384 B86F9206323866A0079629C0EEB01903C81DCC57F13F705D6DFF82835D83327779E80AF39175EF25E9A13AF5FC764A9E
SHA512 32974CCC40AE7490FC51CA529AAB40EBC8CF6B7873DE845875EFD3FA0631637984AD50215C9F1C418ACCCAD8EF5E8C1129B4DFE63E3B40C84BB9BFDB0F4BCFAB
SSDEEP 384:hkOm9rkgs4iO70XbuqT5m/yDfqBZSFwWPW8tW:hyrkt4ibiqeyIZSFR3

Runtime Data

Usage (stdout):

Displays or changes file attributes.

ATTRIB [+R | -R] [+A | -A ] [+S | -S] [+H | -H] [+I | -I] 
       [drive:][path][filename] [/S [/D] [/L]]

  +   Sets an attribute.
  -   Clears an attribute.
  R   Read-only file attribute.
  A   Archive file attribute.
  S   System file attribute.
  H   Hidden file attribute.
  I   Not content indexed file attribute.
  X   No scrub file attribute.
  V   Integrity attribute.  
  [drive:][path][filename]
      Specifies a file or files for attrib to process.
  /S  Processes matching files in the current folder
      and all subfolders.
  /D  Processes folders as well.
  /L  Work on the attributes of the Symbolic Link versus
      the target of the Symbolic Link


Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ATTRIB.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of attrib.exe being misused. While attrib.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_apt_hafnium.yml - 'attrib' DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml title: Hiding Files with Attrib.exe DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml description: Detects usage of attrib.exe to hide files from users. DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml Image\|endswith: '\attrib.exe' DRL 1.0
sigma proc_creation_win_attrib_hiding_files.yml - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) DRL 1.0
sigma proc_creation_win_attrib_system.yml title: Set Windows System File with Attrib DRL 1.0
sigma proc_creation_win_attrib_system.yml description: Marks a file as a system file using the attrib.exe utility DRL 1.0
sigma proc_creation_win_attrib_system.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib DRL 1.0
sigma proc_creation_win_attrib_system.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib DRL 1.0
sigma proc_creation_win_attrib_system.yml Image\|endswith: \attrib.exe DRL 1.0
sigma proc_creation_win_file_permission_modifications.yml Image\|endswith: '\attrib.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - attrib.exe DRL 1.0
malware-ioc oceanlotus-macOS.misp.event.json "description": "To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \u2018hidden\u2019 file. These files don\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir \/a<\/code> for Windows and <code>ls \u2013a<\/code> for Linux and macOS).\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.\n\n### Windows\n\nUsers can mark specific files as hidden by using the attrib.exe binary. Simply do <code>attrib +h filename<\/code> to mark a file or folder as hidden. Similarly, the \u201c+s\u201d marks a file as a system file and the \u201c+r\u201d flag marks the file as read only. Like most windows binaries, the attrib.exe binary provides the ability to apply these changes recursively \u201c\/S\u201d.\n\n### Linux\/Mac\n\nUsers can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folder that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable. For command line usages, there is typically a flag to see all files (including hidden ones). To view these files in the Finder Application, the following command must be executed: <code>defaults write com.apple.finder AppleShowAllFiles YES<\/code>, and then relaunch the Finder Application.\n\n### Mac\n\nFiles on macOS can be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker).\nMany applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.", © ESET 2014-2018
malware-ioc oceanlotus-macOS.misp.event.json "https:\/\/docs.microsoft.com\/windows-server\/administration\/windows-commands\/attrib", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #3: Create Windows System File with Attrib [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Create Windows Hidden File with Attrib [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: attrib - Remove read-only attribute [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: attrib - hide file [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Create Windows System File with Attrib [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Create Windows Hidden File with Attrib [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: attrib - Remove read-only attribute [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: attrib - hide file [windows] MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md - Atomic Test #3 - attrib - Remove read-only attribute MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md - Atomic Test #4 - attrib - hide file MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md ## Atomic Test #3 - attrib - Remove read-only attribute MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed. MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe -r #{file_or_folder}*.* /s MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe +r #{file_or_folder}\T1222.001_attrib1.txt MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe +r #{file_or_folder}\T1222.001_attrib2.txt MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md ## Atomic Test #4 - attrib - hide file MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe +h #{file_or_folder}\T1222.001_attrib1.txt MIT License. © 2018 Red Canary
atomic-red-team T1222.001.md attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys. MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md - Atomic Test #3 - Create Windows System File with Attrib MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md - Atomic Test #4 - Create Windows Hidden File with Attrib MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md ## Atomic Test #3 - Create Windows System File with Attrib MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md | file_to_modify | File to modify using Attrib command | String | %temp%\T1564.001.txt| MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md attrib.exe +s #{file_to_modify} MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md ## Atomic Test #4 - Create Windows Hidden File with Attrib MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file MIT License. © 2018 Red Canary
atomic-red-team T1564.001.md attrib.exe +h #{file_to_modify} MIT License. © 2018 Red Canary
signature-base apt_hafnium_log_sigs.yar $s2 = “aspnet_client&attrib +h +s +r “ CC BY-NC 4.0
signature-base apt_keylogger_cn.yar $x2 = “attrib -s -h -r c:\ntldr” fullword ascii CC BY-NC 4.0
signature-base thor-webshells.yar $s7 = “Response.write"<” CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = “window.open(""&url&"?id=edit&path="+sfile+"&op=copy&attrib="+attrib+"&dpath="+lp” CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


attrib

Displays, sets, or removes attributes assigned to files or directories. If used without parameters, attrib displays attributes of all files in the current directory.

Syntax

attrib [{+|-}r] [{+|-}a] [{+|-}s] [{+|-}h] [{+|-}i] [<drive>:][<path>][<filename>] [/s [/d] [/l]]

Parameters

Parameter Description
{+|-}r Sets (+) or clears (-) the Read-only file attribute.
{+\|-}a Sets (+) or clears (-) the Archive file attribute. This attribute set marks files that have changed since the last time they were backed up. Note that the xcopy command uses archive attributes.
{+\|-}s Sets (+) or clears (-) the System file attribute. If a file uses this attribute set, you must clear the attribute before you can change any other attributes for the file.
{+\|-}h Sets (+) or clears (-) the Hidden file attribute. If a file uses this attribute set, you must clear the attribute before you can change any other attributes for the file.
{+\|-}i Sets (+) or clears (-) the Not Content Indexed file attribute.
[<drive>:][<path>][<filename>] Specifies the location and name of the directory, file, or group of files for which you want to display or change attributes.<p>You can use the ? and * wildcard characters in the filename parameter to display or change the attributes for a group of files.
/s Applies attrib and any command-line options to matching files in the current directory and all of its subdirectories.
/d Applies attrib and any command-line options to directories.
/l Applies attrib and any command-line options to the Symbolic Link, rather than the target of the Symbolic Link.
/? Displays help at the command prompt.

Examples

To display the attributes of a file named News86 that is located in the current directory, type:

attrib news86

To assign the Read-only attribute to the file named report.txt, type:

attrib +r report.txt

To remove the Read-only attribute from files in the public directory and its subdirectories on a disk in drive b:, type:

attrib -r b:\public\*.* /s

To set the Archive attribute for all files on drive a:, and then clear the Archive attribute for files with the .bak extension, type:

attrib +a a:*.* & attrib -a a:*.bak

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.