AN0091: Analytic 0091
Suspicious use of attrib.exe or PowerShell commands to set hidden attributes on files/directories. Defender view: processes modifying file attributes to 'hidden' or creating files with ADS (alternate data streams).
Analyst context for executives and security teams
AN0091 highlights a Windows detection analytic for suspicious hiding of files or directories using attrib.exe, PowerShell, or alternate data streams. For leaders, the value is not the specific command name; it is whether the organization can see when files are being deliberately concealed on endpoints, which can affect investigation speed, audit confidence, and resilience during a suspected intrusion.
Executive priority
Prioritize this as an endpoint visibility and incident-readiness question: can the SOC prove it collects enough Windows process and file attribute evidence to identify suspicious hidden-file activity? This matters for containment decisions, compliance evidence, and reducing blind spots where unauthorized tools, scripts, or staged files may be obscured from normal user and administrator views.
Technical view
Validate Windows telemetry for processes modifying file attributes to hidden and for file creation involving alternate data streams. Detection engineering should focus on attrib.exe and PowerShell activity associated with hidden attribute changes, then tune against legitimate administrative, software deployment, backup, and system-management activity. Because no ATT&CK tactic, relationship context, or official detection logic is supplied, local baselining is required before treating matches as high-confidence incidents.
Likely telemetry
- Windows process creation events including command-line arguments for attrib.exe and PowerShell
- File metadata or file attribute change events showing hidden attribute modifications
- File creation telemetry that can expose alternate data stream usage
- Endpoint detection and response records linking process, user, host, and file path context
- Administrative script execution logs where PowerShell activity is centrally collected
Detection direction
- Confirm process command-line collection is enabled and retained for Windows endpoints.
- Test whether the SOC can distinguish hidden attribute changes by normal administrators or software from unusual user, path, or process patterns.
- Validate visibility into alternate data stream file creation, since standard file inventory tools and directory listings (for example, `dir` without the `/r` switch) do not show streams attached to a file.
- Correlate attribute-changing processes with user identity, parent process, host role, and target path to reduce false positives.
- Document gaps where file attribute changes are not logged or where PowerShell command details are unavailable.
Mitigation priorities
- Ensure endpoint logging and EDR policy capture Windows process command lines and relevant file modification metadata.
- Restrict unnecessary administrative script execution where appropriate and monitor PowerShell use according to organizational policy.
- Harden endpoint management practices so legitimate hidden-file operations are documented and easier to baseline.
- Include hidden-file and alternate-data-stream visibility checks in incident response readiness exercises.
- Use detection results as supporting evidence, not standalone proof of malicious activity, until corroborated with host, user, and file context.
Analyst notes and limits
This take is based only on the supplied ATT&CK analytic description for AN0091. It is most useful as a coverage-validation item for Windows endpoint monitoring rather than as a complete detection rule. The absence of supplied relationships means no specific technique, campaign, software, or actor context should be inferred.
Official detection logic was not provided, tactics were not specified, and no relationships were supplied. Coverage and severity depend on the organization’s Windows logging, EDR capabilities, PowerShell visibility, file metadata collection, and local administrative baselines.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a48d8afc7c36… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0091 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.