Technique on mitre.org

T1564.004: NTFS File Attributes

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files).

Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-601: Alternate_Data_Stream: A command that uses Alternate Data Streams is executed mitre_attck_cred_access: PT-CR-600: Esentutil_Copy_File: The "esentutil" utility is started

Detection

ID	DS0022	Data source and component	File: File Modification	Description	There are many ways to create and interact with ADSs using Windows utilities. Monitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: `file.ext:ads[.ext]`) is commonly associated with ADSs. For a more exhaustive list of utilities that can be used to execute and create ADSs, see https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f.

ID	DS0022	Data source and component	File: File Metadata	Description	Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, may use NTFS file attributes to hide their malicious data in order to evade detection. Forensic techniques exist to identify information stored in NTFS EA.

ID	DS0017	Data source and component	Command: Command Execution	Description	The Streams tool of Sysinternals can be used to uncover files with ADSs. The `dir /r` command can also be used to display ADSs. Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a `-stream` parameter to interact with ADSs.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for process execution that may use NTFS file attributes to hide their malicious data in order to evade detection. Analytic 1 - NTFS Alternate Data Stream Execution : System Utilities (Powershell) `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\powershell.exe" \| regex CommandLine= "Invoke-CimMethod\s+-ClassName\s+Win32_Process\s+-MethodName\s+Create.\b(\w+(.\w+)?):(\w+(.\w+)?)\|-ep bypass\s+-\s+<.\b(\w+(.\w+)?):(\w+(.\w+)?)\|-command.Get-Content.-Stream.Set-Content.start-process .(\w+(.\w+)?)"` Analytic 2 - NTFS Alternate Data Stream Execution : System Utilities (WMIC) `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\wmic.exe" \| regex CommandLine= "process call create."(\w+(.\w+)?):(\w+(.\w+)?)"` Analytic 3 - NTFS Alternate Data Stream Execution : System Utilities (rundll32) `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\rundll32.exe" \| regex CommandLine= ""?(\w+(.\w+)?):(\w+(.\w+)?)?"?,\w+\|(advpack.dll\|ieadvpack.dll),RegisterOCX\s+(\w+.\w+):(\w+(.\w+)?)\|(shdocvw.dll\|ieframe.dll),OpenURL.(\w+.\w+):(\w+(.\w+)?)"` Analytic 4 - NTFS Alternate Data Stream Execution : System Utilities (wscript/cscript) `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\wscript.exe" OR Image= "C:\Windows\\cscript.exe)" \| regex CommandLine= "(?`

ID	DS0009	Data source and component	Process: OS API Execution	Description	Monitor calls to the `ZwSetEaFile` and `ZwQueryEaFile` Windows API functions as well as binaries used to interact with EA, and consider regularly scanning for the presence of modified information.

ID	Data source and component	Description
DS0022	File: File Modification	There are many ways to create and interact with ADSs using Windows utilities. Monitor for operations (execution, copies, etc.) with file names that contain colons. This syntax (ex: `file.ext:ads[.ext]`) is commonly associated with ADSs. For a more exhaustive list of utilities that can be used to execute and create ADSs, see https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f.
DS0022	File: File Metadata	Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, may use NTFS file attributes to hide their malicious data in order to evade detection. Forensic techniques exist to identify information stored in NTFS EA.
DS0017	Command: Command Execution	The Streams tool of Sysinternals can be used to uncover files with ADSs. The `dir /r` command can also be used to display ADSs. Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a `-stream` parameter to interact with ADSs.
DS0009	Process: Process Creation	Monitor for process execution that may use NTFS file attributes to hide their malicious data in order to evade detection. Analytic 1 - NTFS Alternate Data Stream Execution : System Utilities (Powershell) `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\powershell.exe" \| regex CommandLine= "Invoke-CimMethod\s+-ClassName\s+Win32_Process\s+-MethodName\s+Create.\b(\w+(.\w+)?):(\w+(.\w+)?)\|-ep bypass\s+-\s+<.\b(\w+(.\w+)?):(\w+(.\w+)?)\|-command.Get-Content.-Stream.Set-Content.start-process .(\w+(.\w+)?)"` Analytic 2 - NTFS Alternate Data Stream Execution : System Utilities (WMIC) `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\wmic.exe" \| regex CommandLine= "process call create."(\w+(.\w+)?):(\w+(.\w+)?)"` Analytic 3 - NTFS Alternate Data Stream Execution : System Utilities (rundll32) `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\rundll32.exe" \| regex CommandLine= ""?(\w+(.\w+)?):(\w+(.\w+)?)?"?,\w+\|(advpack.dll\|ieadvpack.dll),RegisterOCX\s+(\w+.\w+):(\w+(.\w+)?)\|(shdocvw.dll\|ieframe.dll),OpenURL.(\w+.\w+):(\w+(.\w+)?)"` Analytic 4 - NTFS Alternate Data Stream Execution : System Utilities (wscript/cscript) `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\wscript.exe" OR Image= "C:\Windows\\cscript.exe)" \| regex CommandLine= "(?`
DS0009	Process: OS API Execution	Monitor calls to the `ZwSetEaFile` and `ZwQueryEaFile` Windows API functions as well as binaries used to interact with EA, and consider regularly scanning for the presence of modified information.

Mitigation

ID	M1022	Name	Restrict File and Directory Permissions	Description	Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded.

ID	Name	Description
M1022	Restrict File and Directory Permissions	Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded.