NTFS Extended Attributes

From enterprise

Jump to: navigation, search

NTFS Extended Attributes
Technique
ID	T1096
Tactic	Defense Evasion
Platform	Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10
System Requirements	NTFS partitioned hard drive
Data Sources	File monitoring, Kernel drivers
Defense Bypassed	Signature-based detection, Anti-virus, Host forensic analysis

Data or executables may be stored in New Technology File System (NTFS) partition metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.1

The NTFS format has a feature called Extended Attributes (EA), which allows data to be stored as an attribute of a file or folder.2

1 Examples
2 Mitigation
3 Detection
4 References

Examples

The Regin malware platform uses Extended Attributes to store encrypted executables.3
Some variants of the Zeroaccess Trojan have been known to store data in Extended Attributes.4

Mitigation

It may be difficult or inadvisable to block access to EA. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to hide information in EA by using whitelisting5 tools like AppLocker67 or Software Restriction Policies8 where appropriate.9

Detection

Forensic techniques exist to identify information stored in EA.1 It may be possible to monitor NTFS for writes or reads to NTFS EA or to regularly scan for the presence of modified information.

References

v · d · e Adversary Techniques

Persistence	.bash_profile and .bashrc Accessibility Features AppInit DLLs Application Shimming Authentication Package Bootkit Change Default File Association Component Firmware Component Object Model Hijacking Cron Job DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hypervisor LC_LOAD_DYLIB Addition Launch Agent Launch Daemon Launchctl Local Port Monitor Login Item Logon Scripts Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Rc.common Re-opened Applications Redundant Access Registry Run Keys / Start Folder Scheduled Task Security Support Provider Service Registry Permissions Weakness Shortcut Modification Startup Items System Firmware Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL

Privilege Escalation	Access Token Manipulation Accessibility Features AppInit DLLs Application Shimming Bypass User Account Control DLL Injection DLL Search Order Hijacking Dylib Hijacking Exploitation of Vulnerability File System Permissions Weakness Launch Daemon Local Port Monitor New Service Path Interception Plist Modification Scheduled Task Service Registry Permissions Weakness Setuid and Setgid Startup Items Sudo Valid Accounts Web Shell

Credential Access	Account Manipulation Bash History Brute Force Create Account Credential Dumping Credentials in Files Exploitation of Vulnerability Input Capture Input Prompt Keychain Network Sniffing Private Keys Securityd Memory Two-Factor Authentication Interception

Discovery	Account Discovery Application Window Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery

Defense Evasion	Access Token Manipulation Binary Padding Bypass User Account Control Clear Command History Code Signing Component Firmware Component Object Model Hijacking DLL Injection DLL Search Order Hijacking DLL Side-Loading Deobfuscate/Decode Files or Information Disabling Security Tools Exploitation of Vulnerability File Deletion File System Logical Offsets Gatekeeper Bypass HISTCONTROL Hidden Files and Directories Hidden Users Hidden Window Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Install Root Certificate InstallUtil LC_MAIN Hijacking Launchctl Masquerading Modify Registry NTFS Extended Attributes Network Share Connection Removal Obfuscated Files or Information Plist Modification Process Hollowing Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Software Packing Space after Filename Timestomp Trusted Developer Utilities Valid Accounts

Lateral Movement	AppleScript Application Deployment Software Exploitation of Vulnerability Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management

Execution	AppleScript Application Shimming Command-Line Interface Execution through API Execution through Module Load Graphical User Interface InstallUtil Launchctl PowerShell Process Hollowing Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities Windows Management Instrumentation Windows Remote Management

Collection	Audio Capture Automated Collection Clipboard Data Data Staged Data from Local System Data from Network Shared Drive Data from Removable Media Email Collection Input Capture Screen Capture Video Capture

Exfiltration	Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer

Command and Control	Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Fallback Channels Multi-Stage Channels Multiband Communication Multilayer Encryption Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service

Retrieved from "https://attack.mitre.org/w/index.php?title=Technique/T1096&oldid=219"

Categories:

NTFS Extended Attributes

Contents

Examples

Mitigation

Detection

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tactics

Techniques

Groups

Software

Tools