some applications and users may legitimately use attrib.exe to interact with the files.

Techniques

T1222.001

Sample rules

Hiding Files And Directories With Attrib exe

source: splunk
technicques:
- T1222.001

Description

The following analytic detects the use of the Windows binary attrib.exe to hide files or directories by marking them with specific flags. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments that include the “+h” flag. This activity is significant because hiding files can be a tactic used by attackers to conceal malicious files or tools from users and security software. If confirmed malicious, this behavior could allow an attacker to persist in the environment undetected, potentially leading to further compromise or data exfiltration.

Detection logic


| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name=attrib.exe (Processes.process=*+h*)
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product

| `drop_dm_object_name("Processes")`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `hiding_files_and_directories_with_attrib_exe_filter`