Hiding Files And Directories With Attrib.exe

Description

Attackers leverage an existing Windows binary, attrib.exe, to mark specific files as hidden by setting the hidden attribute so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Medium

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion
Persistence

MITRE ATT&CK Techniques

Hidden Files and Directories

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

Hiding Files And Directories With Attrib.exe Help

This search is looking to detect command-line execution of the attrib.exe binary with the +h flag set. The +h flag is used to hide a file.
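As an added illustration (not part of this content entry or its SPL), the following Python applies the same command-line check to a handful of constructed process-creation events: an attrib.exe launch carrying a +h flag is a hit, while -h (unhide), other attributes such as +r, and unrelated programs whose arguments merely contain "+h" are ignored. The event records and the CommandLine field name are assumptions.

```python
import re

# Constructed sample process-creation records (not from the page); the
# CommandLine field is what a Sysmon Event ID 1 / EDR process event carries.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "CommandLine": 'attrib +h "C:\\Users\\alice\\notes.txt"'},
    {"host": "ws02", "user": "bob",   "CommandLine": '"C:\\Windows\\System32\\attrib.exe" +s +H C:\\temp\\tool.exe'},
    {"host": "ws03", "user": "carol", "CommandLine": "attrib -h C:\\Users\\carol\\report.docx"},
    {"host": "ws04", "user": "dave",  "CommandLine": "attrib.exe +r /s C:\\inetpub\\web.config"},
    {"host": "ws05", "user": "eve",   "CommandLine": 'C:\\Windows\\System32\\attrib.exe +h /s /d "C:\\ProgramData\\cache"'},
    {"host": "ws06", "user": "frank", "CommandLine": "notepad.exe C:\\Users\\frank\\+h-notes.txt"},
]

# "+h" as a standalone flag (case-insensitive); "-h" (unhide) and "+r" do not match.
HIDE_FLAG_RE = re.compile(r"(?<!\w)\+h(?!\w)", re.IGNORECASE)


def image_name(cmdline: str) -> str:
    """Return the lower-cased basename of the launched program, honouring a quoted path."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        first = s[1:end] if end > 0 else s[1:]
    else:
        first = s.split(None, 1)[0] if s else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_attrib_hide(cmdline: str) -> bool:
    """True when the command line runs attrib(.exe) with the +h (hidden) flag set."""
    if image_name(cmdline) not in ("attrib", "attrib.exe"):
        return False
    return HIDE_FLAG_RE.search(cmdline) is not None


def find_hide_events(events):
    """Filter process events down to those that hide files with attrib.exe."""
    return [e for e in events if is_attrib_hide(e.get("CommandLine", ""))]


if __name__ == "__main__":
    for e in find_hide_events(SAMPLE_EVENTS):
        print(f"{e['host']}\t{e['user']}\t{e['CommandLine']}")
```

Against the sample set only ws01, ws02 and ws05 are reported, which mirrors what the search above does with the +h argument.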