Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)
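Both storage locations named above are visible directly in the MFT record. As an added example (not part of the ATT&CK description or the Intel/CrowdStrike mapping), the following Python parses a FILE record and flags a named $DATA attribute (an ADS) and an $EA attribute; the record is constructed inline, the fixup handling and header offsets follow the NTFS on-disk layout, and the stream name, payload bytes and record number are assumed values.

```python
import struct
ATTR_DATA, ATTR_EA, END_MARKER = 0x80, 0xE0, 0xFFFFFFFF  # NTFS attribute type codes

def apply_fixups(rec: bytes, sector: int = 512) -> bytes:
    """Restore the last two bytes of each sector from the update sequence array (USA)."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        if buf[i * sector - 2:i * sector] != usn:  # torn write or not a FILE record
            raise ValueError("update sequence mismatch")
        buf[i * sector - 2:i * sector] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_attributes(rec: bytes):
    """Walk a FILE record's attribute list, yielding (type, name, resident, size)."""
    if rec[:4] != b"FILE": raise ValueError("not a FILE record")
    rec = apply_fixups(rec)
    off, used = struct.unpack_from("<H", rec, 0x14)[0], struct.unpack_from("<I", rec, 0x18)[0]
    while off + 4 <= used and (atype := struct.unpack_from("<I", rec, off)[0]) != END_MARKER:
        alen, nonres, name_len, name_off = struct.unpack_from("<IBBH", rec, off + 4)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        # resident: content length at +0x10; non-resident: real data size at +0x30
        size = struct.unpack_from("<Q" if nonres else "<I", rec, off + (0x30 if nonres else 0x10))[0]
        yield atype, name, not nonres, size
        off += alen

def find_hidden_data(rec: bytes) -> list:
    """Flag the T1564.004 storage locations: named $DATA streams (ADS) and the $EA attribute."""
    return [f"ADS ':{name}' ({size} bytes, {'resident' if res else 'non-resident'})" if atype == ATTR_DATA
            else f"$EA attribute ({size} bytes)"
            for atype, name, res, size in parse_attributes(rec)
            if (atype == ATTR_DATA and name) or atype == ATTR_EA]

def _resident_attr(atype: int, name: str, payload: bytes) -> bytes:
    """Build one resident attribute: 24-byte header, UTF-16LE name, 8-aligned content."""
    nm = name.encode("utf-16-le")
    content_off = 24 + len(nm) + (-(24 + len(nm))) % 8
    total = content_off + len(payload) + (-(content_off + len(payload))) % 8
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 24, 0, 0, len(payload), content_off, 0, 0)
    return (hdr + nm).ljust(content_off, b"\0") + payload.ljust(total - content_off, b"\0")

def build_sample_record() -> bytes:
    """Constructed 1024-byte FILE record: unnamed $DATA plus an ADS and an $EA attribute (assumed values)."""
    attrs = (_resident_attr(0x10, "", b"\0" * 48) + _resident_attr(ATTR_DATA, "", b"benign content")
             + _resident_attr(ATTR_DATA, "payload.exe", b"MZ\x90\0") + _resident_attr(ATTR_EA, "", b"\0" * 24)
             + struct.pack("<II", END_MARKER, 0))
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(attrs), 1024, 0, 4, 0, 42)
    rec = bytearray((hdr + b"\0" * 8 + attrs).ljust(1024, b"\0"))  # 8-byte gap at 0x30 holds the USA
    rec[0x30:0x36] = b"\x01\x00" + bytes(rec[510:512]) + bytes(rec[1022:1024])  # USN + protected bytes
    rec[510:512] = rec[1022:1024] = b"\x01\x00"
    return bytes(rec)
```

On a live system the same check runs over records read from `\\.\C:` with `$MFT` offsets taken from the boot sector; a file with a second $DATA stream or an $EA attribute is the signal a static scanner that only reads the unnamed stream will miss.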
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1564.004 | NTFS File Attributes | See comments below |

Comments

Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), strengthens cybersecurity defenses by enabling faster, real-time detection of NTFS File Attribute Manipulation attacks. This integrated solution enhances CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.

NTFS File Attribute Manipulation techniques involve adversaries altering file system attributes (such as hidden or system file flags) to conceal malicious files or evade detection by security tools. These techniques are commonly used to hide files, make them appear legitimate, or prevent them from being scanned by traditional security defenses. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling the rapid detection of abnormal behaviors that could indicate unauthorized changes to NTFS file attributes.

Additionally, CAMS offloads the performance-intensive task of memory scanning from the CPU to the Intel Integrated GPU, ensuring faster and more efficient detection of malicious activity without degrading system performance. CAMS helps identify suspicious behaviors, such as unauthorized modifications to NTFS file attributes, providing proactive defense against these evasive attack techniques and strengthening the protection of critical systems.