NTFS Extended Attributes

Technique: NTFS Extended Attributes
ID: T1096
Tactic: Defense Evasion
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10
System Requirements: NTFS partitioned hard drive
Data Sources: File monitoring, Kernel drivers
Defense Bypassed: Signature-based detection, Anti-virus, Host forensic analysis

Data or executables may be stored in New Technology File System (NTFS) partition metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.[1]

The NTFS format has a feature called Extended Attributes (EA), which allows data to be stored as an attribute of a file or folder.[2]

Examples

  • The Regin malware platform uses Extended Attributes to store encrypted executables.[3]
  • Some variants of the ZeroAccess Trojan have been known to store data in Extended Attributes.[4]

Mitigation

It may be difficult or inadvisable to block access to EA. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to hide information in EA by using whitelisting[5] tools like AppLocker[6][7] or Software Restriction Policies[8] where appropriate.[9]

Detection

Forensic techniques exist to identify information stored in EA.[1] It may also be possible to monitor NTFS for reads from or writes to EA, or to scan regularly for the presence of modified information.