NTFS Extended Attributes

ID: T1096
Tactic: Defense Evasion
Platform: Windows
System Requirements: NTFS partitioned hard drive
Data Sources: File monitoring, Kernel drivers
Defense Bypassed: Signature-based detection, Anti-virus, Host forensic analysis

Data or executables may be stored in New Technology File System (NTFS) partition metadata instead of in a file's ordinary data stream. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus, that only inspect file contents.[1]

The NTFS format has a feature called Extended Attributes (EA), which allows data to be stored as an attribute of a file or folder.[2] EAs are set and read through the native NtSetEaFile and NtQueryEaFile calls rather than the ordinary read/write APIs, are held in the file record's $EA attribute rather than in a data stream, and are limited to 64 KiB in total per file. They are distinct from alternate data streams, so a tool that only enumerates streams does not see them.


Examples

  • The Regin malware platform uses Extended Attributes to store encrypted executables.[3]
  • Some variants of the Zeroaccess Trojan have been known to store data in Extended Attributes.[4]


Mitigation

It may be difficult or inadvisable to block access to EA, since legitimate Windows components and applications use it. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to hide information in EA by using whitelisting[5] tools like AppLocker[6][7] or Software Restriction Policies[8] where appropriate.[9]


Detection

Forensic techniques exist to identify information stored in EA,[1] for example by parsing the $EA attribute of file records in the Master File Table. It may be possible to monitor NTFS for writes or reads to NTFS EA, for instance with a file system minifilter that watches IRP_MJ_SET_EA and IRP_MJ_QUERY_EA, or to regularly scan files for the presence of modified or unexpectedly large attribute data. Because some legitimate software writes EAs, scan results should be compared against a baseline rather than treated as indicators on their own.
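The following is an added example, not code from the original page or from any of the malware it describes. It illustrates both the EA storage mechanism described above and the scanning approach suggested under Detection: it builds a FILE_FULL_EA_INFORMATION list in the layout NtSetEaFile accepts, walks such a list with full bounds checking (the same record layout appears in the MFT $EA attribute, so the walker also applies to forensic images), and flags values that look like a hidden payload. On Windows it can read the EAs of a real file via NtQueryEaFile, resolved from ntdll at run time; elsewhere it runs on a constructed sample. The EA names ".LONGNAME" and "PAYLOAD", the sample values, and the 4 KiB size threshold in ea_suspicious are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FILE_FULL_EA_INFORMATION record: NextEntryOffset(4) Flags(1) EaNameLength(1)
 * EaValueLength(2) EaName[] NUL EaValue[], records 4-byte aligned. NtSetEaFile
 * takes and NtQueryEaFile returns a list of these; the MFT $EA attribute holds
 * the same records on disk, so one walker serves live queries and images. */
#define EA_HDR 8u

typedef struct {
    const char *name;         /* points into the list buffer, name_len bytes */
    const uint8_t *value;     /* points into the list buffer, not copied */
    uint16_t value_len;
    uint8_t name_len, flags;  /* flags 0x80 = FILE_NEED_EA */
} ea_entry;

/* Append a record, patching the previous record's NextEntryOffset.
 * Returns the new list length, or 0 if the record does not fit. */
size_t ea_append(uint8_t *buf, size_t cap, size_t len, size_t *last,
                 const char *name, uint8_t flags, const void *value, uint16_t vlen)
{
    size_t nlen = strlen(name), rec = (EA_HDR + nlen + 1 + vlen + 3) & ~(size_t)3;
    if (nlen == 0 || nlen > 255 || len + rec > cap) return 0;
    uint8_t *p = buf + len;
    memset(p, 0, rec);                          /* NextEntryOffset 0, pad bytes 0 */
    p[4] = flags; p[5] = (uint8_t)nlen; p[6] = (uint8_t)vlen; p[7] = (uint8_t)(vlen >> 8);
    memcpy(p + EA_HDR, name, nlen);             /* NTFS stores EA names uppercase */
    memcpy(p + EA_HDR + nlen + 1, value, vlen);
    if (len) {                                  /* link the previous record to this one */
        uint32_t off = (uint32_t)(len - *last);
        for (int i = 0; i < 4; i++) buf[*last + i] = (uint8_t)(off >> (8 * i));
    }
    *last = len;
    return len + rec;
}

/* Walk a list, calling cb per record. Returns the record count, or -1 if the
 * list is malformed; every field is bounds-checked before use because on a
 * forensic image or a hostile file these bytes are attacker controlled. */
int ea_walk(const uint8_t *buf, size_t len, void (*cb)(const ea_entry *, void *), void *ctx)
{
    size_t off = 0; int count = 0;
    if (len == 0) return 0;
    for (;;) {
        if (off + EA_HDR > len) return -1;
        const uint8_t *p = buf + off;
        uint32_t next = p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
        ea_entry e = { (const char *)p + EA_HDR, NULL, (uint16_t)(p[6] | p[7] << 8), p[5], p[4] };
        size_t need = EA_HDR + e.name_len + 1 + e.value_len;
        if (e.name_len == 0 || off + need > len || p[EA_HDR + e.name_len] != 0) return -1;
        e.value = p + EA_HDR + e.name_len + 1;
        if (cb) cb(&e, ctx);
        count++;
        if (next == 0) return count;            /* last record */
        if (next < need || next % 4) return -1; /* overlap or misalignment */
        off += next;
    }
}

/* Scan heuristic (assumption): the value starts with a PE header, or is large
 * enough to carry a payload. Tune the threshold against a baseline. */
int ea_suspicious(const ea_entry *e)
{
    if (e->value_len >= 2 && e->value[0] == 'M' && e->value[1] == 'Z') return 1;
    return e->value_len >= 4096;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *NtQueryEaFile_t)(HANDLE, PIO_STATUS_BLOCK, PVOID, ULONG,
                                          BOOLEAN, PVOID, ULONG, PULONG, BOOLEAN);
/* Fetch every EA on path into buf; returns bytes used, 0 if none or on error. */
size_t ea_read_file(const char *path, uint8_t *buf, size_t cap)
{
    NtQueryEaFile_t q = (NtQueryEaFile_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryEaFile");
    if (!q) return 0;
    HANDLE h = CreateFileA(path, FILE_READ_EA, FILE_SHARE_READ, NULL, OPEN_EXISTING,
                           FILE_FLAG_BACKUP_SEMANTICS, NULL);   /* folders carry EAs too */
    if (h == INVALID_HANDLE_VALUE) return 0;
    IO_STATUS_BLOCK iosb;
    NTSTATUS st = q(h, &iosb, buf, (ULONG)cap, FALSE, NULL, 0, NULL, TRUE);
    CloseHandle(h);
    return st == 0 ? (size_t)iosb.Information : 0;
}
#endif

static void report(const ea_entry *e, void *ctx)
{
    int bad = ea_suspicious(e);
    *(int *)ctx += bad;
    printf("%-24.*s flags=0x%02x len=%5u%s\n", e->name_len, e->name, e->flags,
           e->value_len, bad ? "  <- suspicious" : "");
}

int main(int argc, char **argv)
{
    static uint8_t buf[65536];      /* NTFS limits a file's EAs to 64 KiB in total */
    size_t len = 0, last = 0;
    (void)argc; (void)argv;
#ifdef _WIN32
    if (argc > 1) len = ea_read_file(argv[1], buf, sizeof buf);
#endif
    if (len == 0) {                 /* constructed sample: one benign EA, one hiding a PE */
        static const uint8_t pe[] = { 'M', 'Z', 0x90, 0 };
        len = ea_append(buf, sizeof buf, len, &last, ".LONGNAME", 0, "note.txt", 8);
        len = ea_append(buf, sizeof buf, len, &last, "PAYLOAD", 0, pe, sizeof pe);
    }
    int flagged = 0, n = ea_walk(buf, len, report, &flagged);
    printf("%d EA record(s), %d suspicious\n", n, flagged);
    return n < 0;
}
```

On Windows, build with a C compiler and run it with a path argument to list that file's EAs; without an argument, or on another platform, it walks the constructed sample and flags the record whose value begins with a PE header. The walker rejects truncated records, zero-length names, missing NUL terminators and NextEntryOffset values that would overlap or misalign, which matters when the input is an $EA attribute carved from an image rather than a buffer the kernel has already validated.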