Description
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)
Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)
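As an added defender-side example (not code from the ATT&CK page or any of its cited sources), the following PowerShell script enumerates named $DATA streams under a directory, skips routine ones such as Zone.Identifier, and flags streams whose first bytes carry an MZ header. The function name Find-SuspiciousAds, the ignore list and the sample path are assumptions; it expects Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the ATT&CK page): enumerate alternate data streams
# under a path and flag ones that look like embedded executables.
# Assumes PowerShell 5.1+ on Windows; Find-SuspiciousAds is a made-up name.
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams Windows itself creates routinely; assumed benign for this triage
        [string[]] $IgnoreStreams = @('Zone.Identifier', 'SmartScreen')
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # Get-Item -Stream * lists every $DATA attribute of the MFT record;
            # ':$DATA' is the primary (unnamed) stream, anything else is an ADS
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStreams } |
                ForEach-Object {
                    $stream = $_.Stream
                    $isPe = $false
                    try {
                        # Open the stream via its "file:stream" name and test for "MZ"
                        $fs = [System.IO.File]::OpenRead("${file}:${stream}")
                        $hdr = New-Object byte[] 2
                        $n = $fs.Read($hdr, 0, 2)
                        $fs.Close()
                        $isPe = ($n -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
                    } catch { }
                    [pscustomobject]@{
                        File        = $file
                        Stream      = $stream
                        SizeBytes   = $_.Length
                        LooksLikePE = $isPe
                    }
                }
        }
}

# Triage example: list flagged streams in user profiles, PE-looking and largest first
Find-SuspiciousAds -Path 'C:\Users' |
    Sort-Object LooksLikePE, SizeBytes -Descending |
    Format-Table -AutoSize
```

Note that `-Stream` only exposes $DATA attributes; Extended Attributes (the EA storage used by Regin and ZeroAccess in the table below) are not listed this way and need separate tooling or MFT parsing.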
Platforms
Mitigations (1)
Restrict File and Directory PermissionsM1022
Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded. (Citation: InsiderThreat NTFS EA Oct 2017)
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) used NTFS alternate data streams to hide their payloads.(Citation: Cybereason Cobalt Kitty 2017) |
Associated Software (15)
| ID | Name | Type | Context |
|---|---|---|---|
| S0019 | Regin | Malware | The [Regin](https://attack.mitre.org/software/S0019) malware platform uses Extended Attributes to store encrypted executables.(Citation: Kaspersky Reg... |
| S0476 | Valak | Malware | [Valak](https://attack.mitre.org/software/S0476) has the ability to save and execute files as alternate data streams (ADS).(Citation: Cybereason Valak Ma... |
| S0397 | LoJax | Malware | [LoJax](https://attack.mitre.org/software/S0397) has loaded an embedded NTFS DXE driver to be able to access and write to NTFS partitions.(Citation: E... |
| S0404 | esentutl | Tool | [esentutl](https://attack.mitre.org/software/S0404) can be used to read and write alternate data streams.(Citation: LOLBAS Esentutl) |
| S0361 | Expand | Tool | [Expand](https://attack.mitre.org/software/S0361) can be used to download or copy a file into an alternate data stream.(Citation: LOLBAS Expand) |
| S0139 | PowerDuke | Malware | [PowerDuke](https://attack.mitre.org/software/S0139) hides many of its backdoor payloads in an alternate data stream (ADS).(Citation: Volexity PowerDu... |
| S1052 | DEADEYE | Malware | The DEADEYE.EMBED variant of [DEADEYE](https://attack.mitre.org/software/S1052) can embed its payload in an alternate data stream of a local file.(Cit... |
| S0145 | POWERSOURCE | Malware | If the victim is using PowerShell 3.0 or later, [POWERSOURCE](https://attack.mitre.org/software/S0145) writes its decoded payload to an alternate data... |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) can delete itself while its process is still running through the use of an alternate data strea... |
| S0612 | WastedLocker | Malware | [WastedLocker](https://attack.mitre.org/software/S0612) has the ability to save and execute files as an alternate data stream (ADS).(Citation: Sentine... |
| S0570 | BitPaymer | Malware | [BitPaymer](https://attack.mitre.org/software/S0570) has copied itself to the <code>:bin</code> alternate data stream of a newly created file.(Citatio... |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) can abuse alternate data streams (ADS) to store content for malicious payloads.(Citation: Secureli... |
| S0168 | Gazer | Malware | [Gazer](https://attack.mitre.org/software/S0168) stores configuration items in alternate data streams (ADSs) if the Registry is not accessible.(Citati... |
| S0027 | Zeroaccess | Malware | Some variants of the [Zeroaccess](https://attack.mitre.org/software/S0027) Trojan have been known to store data in Extended Attributes.(Citation: Ciub... |
| S0504 | Anchor | Malware | [Anchor](https://attack.mitre.org/software/S0504) has used NTFS to hide files.(Citation: Cyberreason Anchor December 2019) |
References
- Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.
- Atkinson, J. (2017, July 18). Host-based Threat Modeling & Indicator Design. Retrieved March 21, 2018.
- Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS Extended Attributes. Retrieved June 3, 2016.
- Hughes, J. (2010, August 25). NTFS File Attributes. Retrieved March 21, 2018.
- Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018.
- Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
Frequently Asked Questions
What is T1564.004 (NTFS File Attributes)?
T1564.004 is a MITRE ATT&CK technique named 'NTFS File Attributes'. It belongs to the Stealth tactic(s). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that m...
How can T1564.004 be detected?
Detection of T1564.004 (NTFS File Attributes) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1564.004?
There is 1 documented mitigation for T1564.004. Key mitigations include: Restrict File and Directory Permissions.
Which threat groups use T1564.004?
Known threat groups using T1564.004 include: APT32.