NTFS Extended Attributes
|NTFS Extended Attributes|
|Platform||Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1|
|System Requirements||NTFS partitioned hard drive|
|Data Sources||File monitoring, Kernel drivers|
|Defense Bypassed||Signature-based detection, Anti-virus, Host forensic analysis|
Data or executables may be stored in New Technology File System (NTFS) partition metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.1
The NTFS format has a feature called Extended Attributes (EA), which allows data to be stored as an attribute of a file or folder.2
- The Regin malware platform uses Extended Attributes to store encrypted executables.3
- Some variants of the Zeroaccess Trojan have been known to store data in Extended Attributes.4
It may be difficult or inadvisable to block access to EA. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to hide information in EA by using whitelisting5 tools like AppLocker67 or Software Restriction Policies8 where appropriate.9
Forensic techniques exist to identify information stored in EA.1 It may be possible to monitor NTFS for writes or reads to NTFS EA or to regularly scan for the presence of modified information.
- Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS Extended Attributes. Retrieved June 3, 2016.
- Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
- Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
- Ciubotariu, M. (2014, January 23). Trojan.Zeroaccess.C Hidden in NTFS EA. Retrieved December 2, 2014.
- Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
- Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
- Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.