T1564.004

NTFS File Attributes

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Dat...

Platform: Windows
Detections: 31
Sources: 4
Threat Actors: 1

BY SOURCE

sigma: 22
crowdstrike_cql: 3
elastic: 3
splunk_escu: 3

PROCEDURES (16)

Process Creation Monitoring: 11 detections (auto-extracted)
General Monitoring: 3 detections (auto-extracted)
Powershell: 2 detections (auto-extracted)
Script Execution Monitoring: 2 detections (auto-extracted)
Suspicious: 2 detections (auto-extracted)
Remote: 1 detection (auto-extracted)
Powershell: 1 detection (auto-extracted)
Powershell: 1 detection (auto-extracted)
Registry Monitoring: 1 detection (auto-extracted)
Persist: 1 detection (auto-extracted)
Remote: 1 detection (auto-extracted)
Persist: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Http: 1 detection (auto-extracted)
Http: 1 detection (auto-extracted)

THREAT ACTORS (1)

DETECTIONS (31)

Alternate Data Stream Creation/Execution at Volume Root Directory (elastic, medium)
Execute From Alternate Data Streams (sigma, medium)
Exports Registry Key To an Alternate Data Stream (sigma, high)
HackTool Named File Stream Created (sigma, high)
Hidden Executable In NTFS Alternate Data Stream (sigma, medium)
Hidden Flag Set On File/Directory Via Chflags - MacOS (sigma, medium)
Insensitive Subfolder Search Via Findstr.EXE (sigma, low)
LOLBin Certutil (crowdstrike_cql)
LOLBin Rundll32 (crowdstrike_cql)
LOLBin WMIC (crowdstrike_cql)
NTFS Alternate Data Stream (sigma, high)
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream (sigma, medium)
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI (sigma, medium)
Potential Rundll32 Execution With DLL Stored In ADS (sigma, high)
Powershell Store File In Alternate Data Stream (sigma, medium)
PrintBrm ZIP Creation of Extraction (sigma, high)
Remote File Download Via Findstr.EXE (sigma, medium)
Run PowerShell Script from ADS (sigma, high)
Suspicious Diantz Alternate Data Stream Execution (sigma, medium)
Suspicious Extrac32 Alternate Data Stream Execution (sigma, medium)
Suspicious File Download From File Sharing Websites - File Stream (sigma, high)
Unusual File Creation - Alternate Data Stream (elastic, high)
Unusual File Download from Direct IP Address (sigma, high)
Unusual File Download From File Sharing Websites - File Stream (sigma, medium)
Unusual Process Execution Path - Alternate Data Stream (elastic, medium)
Use NTFS Short Name in Command Line (sigma, medium)
Use NTFS Short Name in Image (sigma, medium)
Use Short Name Path in Image (sigma, medium)
Windows Alternate DataStream - Base64 Content (splunk_escu)
Windows Alternate DataStream - Executable Content (splunk_escu)
Windows Alternate DataStream - Process Execution (splunk_escu)