Abuse of extended attributes (xattrs) to embed hidden payloads into legitimate files. Defender perspective: detect anomalous use of setfattr or getfattr commands, or direct syscalls (setxattr, getxattr) where attributes are unusually large or contain encoded data. Behavior chain includes: (1) execution of setfattr with suspicious namespaces (user., trusted.), (2) file metadata modification inconsistent with file size/hash, and (3) subsequent process execution reading attributes followed by decoding activity.
| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | auditd:SYSCALL | setxattr or getxattr system call |
| Command Execution (DC0064) | auditd:EXECVE | execution of setfattr or getfattr commands |
| Field | Description |
|---|---|
| XattrNamespaces | Namespaces monitored for suspicious activity (user., trusted., security.). Organizations may tune to reduce noise from benign use. |
| PayloadSizeThreshold | Size of xattr values above which they should be considered anomalous (e.g., >1KB). |
| CorrelationWindow | Time window to correlate xattr modification with process execution from the same file. |
Abuse of extended attributes (xattrs) to hide payloads in com.apple. or custom keys. Defender perspective: monitor suspicious use of xattr command with -w (write) and -p (print) flags, especially when followed by execution of interpreters like bash, Python, or osascript. Behavior chain includes: (1) suspicious file modification with new com.apple. attributes, (2) attribute content inconsistent with expected metadata tags (e.g., high entropy), (3) subsequent process execution correlated with extraction of the attribute.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | xattr utility execution with -w or -p flags |
| File Metadata (DC0059) | macos:unifiedlog | extended attribute write or modification |
| Field | Description |
|---|---|
| WatchedXattrKeys | Specific xattr keys to monitor (e.g., com.apple.quarantine, com.apple.ResourceFork, unknown custom keys). |
| EntropyThreshold | High entropy attribute values may indicate encoded or encrypted payloads. |
| ProcessContext | Expected legitimate applications interacting with xattrs (Finder, Spotlight) to help reduce false positives. |