Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1564.004 | NTFS File Attributes |
| AC-3 | Access Enforcement | Protects | T1564.004 | NTFS File Attributes |
| CA-7 | Continuous Monitoring | Protects | T1564.004 | NTFS File Attributes |
| SI-3 | Malicious Code Protection | Protects | T1564.004 | NTFS File Attributes |
| SI-4 | System Monitoring | Protects | T1564.004 | NTFS File Attributes |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1564.004 | NTFS File Attributes |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1564.004 | Hide Artifacts: NTFS File Attributes |