MITRE ATT&CK® Analytic

AN1135: Analytic 1135

Abuse of extended attributes (xattrs) to embed hidden payloads into legitimate files. Defender perspective: detect anomalous use of setfattr or getfattr commands, or direct syscalls (setxattr, getxattr) where attributes are unusually large or contain encoded data. Behavior chain includes: (1) execution of setfattr with suspicious namespaces (user., trusted.), (2) file metadata modification inconsistent with file size/hash, and (3) subsequent process execution reading attributes followed by decoding activity.

Enterprise | AN1135 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because Linux extended attributes can hide data inside otherwise legitimate-looking files, creating a blind spot for teams that focus only on file names, sizes, hashes, or normal content scans. For leaders, the decision point is whether Linux monitoring can see suspicious metadata abuse, not just suspicious binaries.

Executive priority

Prioritize validation where Linux systems support critical services, regulated workloads, or incident response evidence collection. The business risk is that hidden payload storage in file metadata may delay detection, complicate forensic scoping, and weaken audit confidence if endpoint, file integrity, or logging programs do not capture extended attribute activity.

Technical view

For SOC and detection engineering teams, validate visibility into anomalous use of setfattr and getfattr, as well as direct setxattr and getxattr syscall activity on Linux. Focus on unusually large attributes, encoded-looking attribute values, suspicious namespaces such as user. or trusted., metadata changes that do not align with normal file size or hash changes, and process behavior where attributes are read and then followed by decoding activity. No ATT&CK tactic mapping or relationship context was supplied, so detection logic should be tested against local Linux administration and application baselines.

Likely telemetry

  • Linux process execution telemetry for setfattr and getfattr
  • Linux syscall or endpoint telemetry for setxattr and getxattr
  • File metadata and extended attribute collection where available
  • File integrity monitoring that can account for metadata changes, not only content hash changes
  • Process lineage showing attribute reads followed by decoding or transformation activity

Detection direction

  • Confirm whether current Linux EDR, audit, or file monitoring tools record extended attribute operations and attribute sizes.
  • Tune detections for anomalously large or encoded-looking xattr values rather than alerting on all xattr use, which may be legitimate.
  • Baseline normal use of user. and trusted. namespaces across Linux servers and applications before escalating broadly.
  • Correlate metadata modification, attribute reads, and subsequent decoding behavior to reduce false positives.
  • Review forensic procedures to ensure responders know whether xattrs are collected during triage and evidence preservation.
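As an added illustration of the "unusually large or encoded-looking xattr" logic described in the technical view and detection direction above (example code written for this page, not MITRE or Glexia content), the following Python classifies a file's extended attributes in the user. and trusted. namespaces. The thresholds, the regular expression and the sample attribute set are assumptions and constructed data; only `scan_file` touches a real filesystem.

```python
import base64
import math
import os
import re

# Assumed thresholds: tune against the local Linux baseline before deploying.
SUSPICIOUS_NAMESPACES = ("user.", "trusted.")
MAX_BENIGN_SIZE = 256      # bytes; larger xattr values are unusual for metadata
ENTROPY_THRESHOLD = 4.5    # bits/byte; base64 text scores ~6, ciphertext ~8
BASE64_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    n, syms = len(data), set(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in syms)

def classify_xattrs(attrs: dict) -> dict:
    """Name -> reasons for user./trusted. values that look like payload storage."""
    findings = {}
    for name, value in attrs.items():
        if not name.startswith(SUSPICIOUS_NAMESPACES):
            continue  # security.* / system.* are kernel- or SELinux-managed
        reasons = []
        if len(value) > MAX_BENIGN_SIZE:
            reasons.append(f"large ({len(value)} bytes)")
        ent = shannon_entropy(value)
        if ent > ENTROPY_THRESHOLD:
            reasons.append(f"high entropy ({ent:.1f} bits/byte)")
            # Alphabet check only with high entropy: a hex checksum fits the base64 alphabet but scores 4.0 bits/byte
            if BASE64_RE.fullmatch(value.strip()):
                reasons.append("base64-like value")
        if reasons:
            findings[name] = reasons
    return findings

def scan_file(path: str) -> dict:
    """Classify the real xattrs of one file (Linux only; needs read access)."""
    return classify_xattrs({n: os.getxattr(path, n) for n in os.listxattr(path)})

# Constructed sample standing in for os.listxattr/os.getxattr output.
SAMPLE_ATTRS = {
    "security.selinux": b"unconfined_u:object_r:user_home_t:s0",
    "user.comment": b"nightly backup",
    "user.checksum": b"0123456789abcdef" * 4,               # 64 hex chars, benign
    "user.data": base64.b64encode(bytes(range(256)) * 3),  # 1024-char encoded blob
    "trusted.blob": bytes(range(256)) * 2,                 # 512 raw binary bytes
}
```

Running `classify_xattrs(SAMPLE_ATTRS)` reports only user.data and trusted.blob; the SELinux label is outside the watched namespaces and the comment and checksum stay below both thresholds, which is the false-positive behaviour the detection direction asks for.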

Mitigation priorities

  • Inventory critical Linux systems where extended attributes are used by normal applications or administration workflows.
  • Enable or improve logging for relevant process, syscall, and file metadata activity where supported.
  • Update file integrity and incident response collection practices to include extended attributes where feasible.
  • Apply least privilege and administrative control review around accounts or processes capable of modifying trusted or sensitive metadata namespaces.
  • Use detection testing to verify that hidden metadata changes are visible to SOC workflows before relying on the control for assurance.

Analyst notes and limits

The supplied object is a detection analytic for Linux behavior involving abuse of extended attributes to embed hidden payloads in legitimate files. The strongest defensive value is in validating metadata visibility and forensic completeness, especially where standard file hash or size monitoring may miss suspicious xattr changes.

Official detection content was not provided, and no ATT&CK tactics, techniques, relationships, threat groups, campaigns, or active exploitation context were supplied. Local Linux telemetry, application behavior, and administrative baselines are required to determine practical detection fidelity.

Official MITRE ATT&CK definition

Analytic 1135

Abuse of extended attributes (xattrs) to embed hidden payloads into legitimate files. Defender perspective: detect anomalous use of setfattr or getfattr commands, or direct syscalls (setxattr, getxattr) where attributes are unusually large or contain encoded data. Behavior chain includes: (1) execution of setfattr with suspicious namespaces (user., trusted.), (2) file metadata modification inconsistent with file size/hash, and (3) subsequent process execution reading attributes followed by decoding activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: eb1daac8d28aecca...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.0            |          | Current bundle | eb1daac8d28a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1135 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.