T1564.004: NTFS File Attributes
| View on MITRE ATT&CK | T1564.004 |
|---|---|
| Tactic(s) | Defense Evasion |
Data from MITRE ATT&CK®:
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)
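The description above refers to Data attributes beyond the default one, which Windows exposes as alternate data streams. The following PowerShell hunt script is an added example written for this page; it is not MITRE's code and not part of the ATT&CK entry. It enumerates every non-default stream under a folder, reads each stream once to record its size, a SHA-256 hash, and whether the content starts with the "MZ" signature of a PE image, and prints the results so an analyst can triage them. The `$Root` default, the `$knownBenign` list, and the output column names are assumptions for illustration.

```powershell
# Added example: enumerate non-default NTFS alternate data streams for triage.
# Assumes a Windows host with PowerShell 5.1 or later and an NTFS volume.
# $Root is a hypothetical starting point; point it at the folder you want to review.
param(
    [string]$Root = "$env:USERPROFILE\Downloads"
)

# Stream names routinely written by legitimate software (browser mark-of-the-web,
# SmartScreen). These are flagged as known names, not silently dropped, so an
# analyst still sees them if the content looks wrong.
$knownBenign = @('Zone.Identifier', 'SmartScreen')

$findings = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every $DATA attribute on the file; the unnamed
        # default stream shows up as ':$DATA' and is the file's normal content.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $streamName = $_.Stream
                $streamPath = "$($file.FullName):$streamName"   # file:stream syntax
                $hash = $null
                $looksLikePe = $false
                try {
                    # Read the stream content once for both the hash and the header check.
                    $bytes = [System.IO.File]::ReadAllBytes($streamPath)
                    $sha = [System.Security.Cryptography.SHA256]::Create()
                    $hash = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
                    # 0x4D 0x5A ("MZ") marks a DOS/PE header stored in the stream.
                    $looksLikePe = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
                } catch {
                    # Locked or unreadable stream: still report it, without a hash.
                }
                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $streamName
                    Length      = $_.Length
                    KnownName   = ($knownBenign -contains $streamName)
                    LooksLikePE = $looksLikePe
                    SHA256      = $hash
                }
            }
    }

# Show PE-like content and unfamiliar stream names first.
$findings |
    Sort-Object -Property @{ Expression = 'LooksLikePE'; Descending = $true }, KnownName |
    Format-Table File, Stream, Length, KnownName, LooksLikePE, SHA256 -AutoSize
```

Run it as `.\Find-Ads.ps1 -Root C:\Users\Public` (script name is hypothetical). The hashes can be compared against your existing file-hash indicators, which is exactly what a scanner that only looks at the default stream would miss. For continuous coverage rather than a one-off sweep, Sysmon Event ID 15 (FileCreateStreamHash) records the creation of named streams together with a hash of their content, which complements the File Modification data component listed on this page.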
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
OS API Execution (Process)
Operating system function/method calls executed by a process
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
File Metadata (File)
Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.
File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Run PowerShell Script from ADS
NTFS Alternate Data Stream
Exports Registry Key To an Alternate Data Stream
Use NTFS Short Name in Command Line
Use NTFS Short Name in Image
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
Potential Rundll32 Execution With DLL Stored In ADS
Execute From Alternate Data Streams
Insensitive Subfolder Search Via Findstr.EXE
Suspicious File Download From File Sharing Websites
Remote File Download Via Findstr.EXE
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
Suspicious Diantz Alternate Data Stream Execution
HackTool Named File Stream Created
PrintBrm ZIP Creation of Extraction
Use Short Name Path in Image
Unusual File Download From File Sharing Websites
Hidden Executable In NTFS Alternate Data Stream
Suspicious Extrac32 Alternate Data Stream Execution
Unusual File Download from Direct IP Address
Powershell Store File In Alternate Data Stream
Use Short Name Path in Command Line
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.