Attribute Manipulation (Read-Only)

  • Description: This technique involves changing the standard file attributes (like Read-Only, Hidden, System) of specific files or folders to hinder detection or prevent logging mechanisms from functioning correctly.

  • Mechanism: Uses standard Windows functionality:

    • File Properties GUI (Right-click > Properties > Check "Read-only" or "Hidden").

    • Command-line tool attrib (e.g., attrib +r +h C:\path\to\file).

    • PowerShell (Set-ItemProperty on the file's Attributes property, which sets the same flags as attrib).

  • Why Cheaters Use It (Screensharing Context): The most common malicious use in screensharing involves setting the Read-Only attribute (+r) on Prefetch files (.pf) located in C:\Windows\Prefetch.

    • Prefetch Bypass: While a .pf file carries the read-only attribute, the SysMain service cannot write to it, so the Last Execution Time(s) and Run Count stored inside it are not updated when the corresponding application is launched again. This "freezes" the Prefetch entry: a cheat executed minutes ago appears not to have run since the last update recorded before the attribute was set, hiding recent activity from Prefetch analysis. The freeze only lasts while the attribute is set; if the cheater clears it before the check, the next launch updates the file normally, so the current attributes alone do not tell the whole story.

    • Hiding Files: Setting the Hidden attribute (+h) is also commonly used to simply hide cheat files or related folders from default views in File Explorer.

  • Detection:

    • Checking Attributes: Directly check the attributes of suspicious files (especially .pf files showing old timestamps despite other execution evidence).

      • In File Explorer (Properties > General).

    • In Command Prompt: dir /ar C:\Windows\Prefetch lists only files carrying the read-only attribute (on a normal system this should return no .pf files), dir /ah C:\path\ lists hidden files, and attrib C:\Windows\Prefetch\*.pf prints the R/H/S/A flags of every Prefetch file so they can be compared side by side.

    • USN Journal ($UsnJrnl): Changing file attributes (including setting or clearing Read-Only or Hidden) records a BASIC_INFO_CHANGE | CLOSE event for the affected file in the Journal, and the event survives even after the attribute has been removed again. Recent BASIC_INFO_CHANGE events for .pf files are therefore a strong indicator of Prefetch tampering, since nothing legitimate changes the attributes of these files. Two caveats: BASIC_INFO_CHANGE is also generated by timestamp changes (timestomping), so confirm what actually changed before drawing conclusions, and the Journal has a fixed size, so older events are overwritten and may be gone on a busy system.
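The following PowerShell script is an added example and not part of the original page. It reproduces the tampering in a constructed temp directory (a fake .pf file frozen with Set-ItemProperty, the mechanism described above), then runs the detection steps from this section: listing .pf files that carry the Read-Only or Hidden attribute, and pulling BASIC_INFO_CHANGE records for .pf files from the USN Journal. The Prefetch path defaults to %SystemRoot%\Prefetch; the USN part assumes fsutil's `usn readjournal <volume> csv` text output and that its reason column contains the words "Basic info change", and it needs an elevated prompt.

```powershell
# Added example (not from the original page): detect attribute tampering on
# Prefetch files and correlate it with the USN Journal.

function Get-TamperedAttributeFiles {
    param(
        [string]$Path   = "$env:SystemRoot\Prefetch",   # assumption: default Prefetch location
        [string]$Filter = '*.pf'
    )
    # -Force is essential: without it Get-ChildItem silently skips Hidden and
    # System files, which is exactly what a cheater using +h is counting on.
    Get-ChildItem -LiteralPath $Path -Filter $Filter -File -Force -ErrorAction Stop |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::ReadOnly) -or
            ($_.Attributes -band [IO.FileAttributes]::Hidden)
        } |
        Select-Object Name, Attributes, LastWriteTime, CreationTime
}

function Get-PrefetchUsnChanges {
    param([string]$Volume = 'C:')
    # Assumption: 'fsutil usn readjournal <vol> csv' prints one record per
    # line with a reason column containing text such as
    # "0x80008000: Basic info change | Close". We match on the text rather
    # than on column positions, so a layout change only costs precision.
    # Requires an elevated prompt; fsutil prints nothing useful otherwise.
    $records = & fsutil usn readjournal $Volume csv 2>$null
    if (-not $records) {
        throw "fsutil returned no records for $Volume (run from an elevated prompt)"
    }
    $records | Where-Object {
        $_ -match '(?i)\.pf\b' -and $_ -match '(?i)basic info change'
    }
}

function Invoke-AttributeDemo {
    # Constructed scenario: a fake .pf file in %TEMP% (NOT a real Prefetch
    # file) is frozen the way a cheater would do it, then detected.
    $dir    = Join-Path $env:TEMP 'pf-attr-demo'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $victim = Join-Path $dir 'SAMPLE.EXE-00000000.pf'   # constructed name
    Set-Content -LiteralPath $victim -Value 'constructed sample, not a Prefetch file'

    # Mechanism: the PowerShell equivalent of  attrib +r +h <file>
    Set-ItemProperty -LiteralPath $victim -Name Attributes -Value (
        [IO.FileAttributes]::ReadOnly -bor [IO.FileAttributes]::Hidden)

    # Detection: the frozen file shows up with ReadOnly and Hidden set.
    $hits = Get-TamperedAttributeFiles -Path $dir

    # Cleanup: clear the attributes first, then remove the directory.
    Set-ItemProperty -LiteralPath $victim -Name Attributes -Value ([IO.FileAttributes]::Normal)
    Remove-Item -LiteralPath $dir -Recurse -Force
    return $hits
}

# Usage:
Invoke-AttributeDemo | Format-Table -AutoSize          # shows the constructed frozen file
Get-TamperedAttributeFiles | Format-Table -AutoSize    # real check: should list nothing on a clean machine
# Get-PrefetchUsnChanges | Select-Object -First 20     # elevated prompt: BASIC_INFO_CHANGE on .pf files
```

On a clean system Get-TamperedAttributeFiles against the real Prefetch folder returns nothing, so any hit deserves a look at the file's LastWriteTime next to other execution evidence. Because a BASIC_INFO_CHANGE record is also produced by timestamp changes, a line from Get-PrefetchUsnChanges is a lead to be confirmed against the file's current attributes, not a verdict on its own.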
