Monitor and detect suspicious use of attrib.exe to prevent stealthy malware behavior
Attackers can exploit native Windows utilities to evade detection and blend in with legitimate system activity. One such utility is attrib.exe, which is used to alter file attributes like visibility and read-only access. When misused, it can hide malware, tools, or payloads in plain sight—simply by marking them as hidden.
Log360’s correlation rules help detect such attempts early by monitoring for abnormal or unauthorized use of attrib.exe on endpoints.
What is attrib.exe?
A legitimate Windows command-line utility, attrib.exe is used by system administrators to view or modify file and folder attributes. With attrib.exe, users can assign or remove file properties such as hidden, read-only, system, and archive. For example:
attrib +h +s C:\example\file.exe
This command makes a file both hidden and system-protected, effectively concealing it from default views in Windows File Explorer.
While useful for legitimate purposes, attrib.exe is also commonly abused by attackers. Since it's a native Windows binary and digitally signed by Microsoft, its execution often flies under the radar of traditional antivirus tools. This makes it a living-off-the-land binary—a legitimate tool abused for malicious purposes.
Why attackers use attrib.exe to hide files
While attrib.exe is a legitimate command-line utility used by administrators to change file or folder attributes, attackers use it to:
- Hide payloads before or after execution.
- Conceal malicious scripts or binaries from routine reviews.
- Avoid detection by basic file system monitoring tools.
- Maintain persistence in infected machines.
Because it is a native, signed binary, organizations need to monitor specifically for nefarious uses of attrib.exe rather than relying on antivirus to flag it.
Real-world attack example:
A threat actor drops a malicious payload and executes the following command:
attrib +h +s C:\Users\Public\payload.exe
This command marks the file as both hidden and system, effectively concealing it from default Windows Explorer views and routine inspection. Hiding a dropped file this way is often a precursor to staging or executing the next stage of an attack.
What to monitor:
Monitoring for attrib.exe alone isn’t enough; it’s the context that reveals suspicious behavior. Look for:
- attrib.exe execution with +h, +s, or both.
- File hiding activity occurring soon after file creation or download.
- Repeated hiding activity across multiple endpoints.
- Non-admin users executing attrib.exe on sensitive paths.
- attrib.exe used in scripts or run from temporary folders.
These behaviors can indicate stealthy malware deployment, privilege abuse, or attempts at data staging.
How Log360 detects attrib.exe usage in hidden file attacks
Log360 includes correlation rules that detect unusual use of attrib.exe by evaluating execution context, user role, command-line arguments, and file path patterns.
Detection logic:
("Process name" is "attrib.exe")
AND
("Command line" contains "+h" OR "+s")
AND
("File path" matches suspicious directories like "\Users\Public", "\Temp", or "\AppData")
This rule generates an alert when attrib.exe is used to hide files in commonly abused locations. By correlating this activity with user behavior and file events, Log360 helps surface hidden threats that would otherwise evade detection.
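The detection logic above, worked through as an added example that is not Log360's code: it applies the page's three conditions (process name, +h/+s argument, target in a commonly abused directory) to constructed process-creation events, and adds one extra heuristic from the "What to monitor" list (attrib.exe launched from a script host). The event fields, sample records and script-host list are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Directory fragments the rule treats as commonly abused (matched case-insensitively).
SUSPICIOUS_DIRS = (r"\users\public", r"\temp", r"\appdata")
# Parent processes that suggest attrib.exe was run from a script (assumed heuristic).
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")

@dataclass
class ProcessEvent:
    """Minimal process-creation record; field names are assumptions, not Log360's schema."""
    process_name: str
    command_line: str
    parent_image: str

def hides_file(command_line: str) -> bool:
    """True if the command sets the hidden (+h) or system (+s) attribute."""
    return re.search(r"(?<!\S)\+[hs](?!\S)", command_line, re.I) is not None

def target_paths(command_line: str) -> list[str]:
    """attrib arguments that are neither attribute switches (+/-) nor /S /D options."""
    tokens = re.findall(r'"[^"]*"|\S+', command_line)
    return [t.strip('"') for t in tokens[1:] if t[0] not in "+-/"]

def evaluate(event: ProcessEvent) -> list[str]:
    """Return the reasons an event should alert; an empty list means no alert."""
    if event.process_name.lower() != "attrib.exe" or not hides_file(event.command_line):
        return []
    reasons = []
    for path in target_paths(event.command_line):
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            reasons.append(f"hides {path} in a commonly abused location")
    parent = event.parent_image.lower().rsplit("\\", 1)[-1]
    if reasons and parent in SCRIPT_HOSTS:
        reasons.append(f"launched from script host {parent}")
    return reasons

# Constructed sample events: two that match the rule and one benign administrative use.
SAMPLE_EVENTS = [
    ProcessEvent("attrib.exe", r"attrib +h +s C:\Users\Public\payload.exe",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("attrib.exe", r"attrib -r C:\Program Files\App\config.ini",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("attrib.exe", r'attrib +h "C:\Users\jdoe\AppData\Local\Temp\x.ps1"',
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

def run_detection(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each alerting command line to the reasons it fired."""
    return {e.command_line: r for e in events if (r := evaluate(e))}
```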
To learn more about how this rule works, visit our Correlation Rule Library.