MITRE ATT&CK® Analytic

AN1206: Analytic 1206

Suspicious use of NTFS file attributes such as Alternate Data Streams (ADS) or Extended Attributes (EA) to hide data. Defender perspective: anomalous file creations or modifications containing colon syntax (file.ext:ads), API calls like ZwSetEaFile/ZwQueryEaFile, or PowerShell/Windows utilities interacting with -stream parameters. Correlation across file metadata anomalies, process lineage, and command execution provides context.

Enterprise | AN1206 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because hidden data in NTFS file attributes can let suspicious activity sit in places many file inventories, backup reviews, and basic endpoint checks do not inspect. For security leaders, the practical question is not just whether Windows endpoints are monitored, but whether file metadata, process lineage, and command execution are correlated well enough to expose unusual use of Alternate Data Streams or Extended Attributes.

Executive priority

Prioritize this as a Windows endpoint visibility and incident-readiness issue. It can affect confidence in investigations, audit evidence, and containment decisions because ordinary file listings may not show all data associated with a file. Leaders should ask whether SOC tooling and IR procedures can identify anomalous NTFS attribute use, preserve that evidence, and explain whether activity is benign administrative behavior or suspicious concealment.

Technical view

For SOC and detection teams, validate coverage for anomalous file creations or modifications using colon syntax such as file.ext:ads, API activity involving ZwSetEaFile or ZwQueryEaFile, and PowerShell or Windows utility usage involving stream-related parameters. Because the ATT&CK object provides no separate official detection logic and no relationship context, treat this as a detection validation requirement: correlate file metadata anomalies with parent/child process lineage and command execution on Windows systems.

Likely telemetry

  • Windows file creation and modification metadata, including NTFS Alternate Data Stream indicators
  • Command-line telemetry from PowerShell and Windows utilities, especially stream-related parameters
  • Process creation and parent/child process lineage
  • Endpoint telemetry or EDR events exposing API usage such as ZwSetEaFile and ZwQueryEaFile
  • File metadata or forensic collection capable of preserving Extended Attributes and ADS evidence

Detection direction

  • Confirm whether current endpoint telemetry records ADS-style colon syntax and Extended Attribute activity rather than only standard file paths.
  • Correlate suspicious file attribute activity with process lineage and command execution to reduce false positives from legitimate administrative, backup, or security tooling.
  • Tune detections around unusual stream creation or modification patterns, unexpected processes using stream-related parameters, and file metadata anomalies in sensitive directories.
  • Validate investigation workflows: analysts should be able to pivot from a suspicious stream or attribute to the responsible process, command line, user context, and surrounding file events.
  • Document blind spots where file collection, logging, or EDR normalization strips or hides NTFS stream and extended attribute details.
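The correlation described in the technical view and detection direction above, as an added example that is not part of the ATT&CK object or the Glexia page: file events with ADS colon syntax are joined to their creating process by process GUID, a local baseline (here only Zone.Identifier, an assumed starting point) suppresses common benign streams, and command lines using a -Stream parameter are flagged. The events and the simplified Sysmon-style field names are constructed for this example.

```python
import re

# Constructed sample events using a simplified subset of Sysmon field names:
# EventID 1 = process creation, EventID 11 = file creation.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Set-Content -Path C:\Users\jdoe\report.docx -Stream payload -Value hidden"},
    {"EventID": 1, "ProcessGuid": "{B2}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Browser\browser.exe", "CommandLine": "browser.exe"},
    {"EventID": 11, "ProcessGuid": "{A1}", "TargetFilename": r"C:\Users\jdoe\report.docx:payload"},
    {"EventID": 11, "ProcessGuid": "{B2}", "TargetFilename": r"C:\Users\jdoe\Downloads\setup.exe:Zone.Identifier"},
    {"EventID": 11, "ProcessGuid": "{B2}", "TargetFilename": r"C:\Users\jdoe\Downloads\setup.exe"},
]

# Drive letter colon is allowed; a second colon followed by a stream name is ADS syntax.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:(?P<stream>[^\\:]+)$")
# "-Stream" as a standalone parameter token, case-insensitive.
STREAM_PARAM_RE = re.compile(r"(?i)(?<!\S)-stream\b")
# Assumed local baseline: browsers write Zone.Identifier (mark-of-the-web) routinely.
BASELINE_STREAMS = {"Zone.Identifier"}


def detect_ads_activity(events):
    """Return ADS file creations outside the baseline, enriched with process lineage."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 11:
            continue
        m = ADS_RE.match(e["TargetFilename"])
        if not m or m.group("stream") in BASELINE_STREAMS:
            continue
        proc = procs.get(e["ProcessGuid"], {})
        cmd = proc.get("CommandLine", "")
        findings.append({
            "file": e["TargetFilename"], "stream": m.group("stream"),
            "image": proc.get("Image"), "parent": proc.get("ParentImage"),
            "command_line": cmd, "stream_param": bool(STREAM_PARAM_RE.search(cmd)),
        })
    return findings


def stream_parameter_processes(events):
    """Return GUIDs of processes whose command line uses a -Stream parameter."""
    return [e["ProcessGuid"] for e in events
            if e["EventID"] == 1 and STREAM_PARAM_RE.search(e.get("CommandLine", ""))]


if __name__ == "__main__":
    for f in detect_ads_activity(EVENTS):
        print(f)
```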

Mitigation priorities

  • Improve Windows endpoint visibility before relying on detection: ensure file metadata, command execution, and process lineage are collected and retained.
  • Update incident response playbooks to include checks for NTFS Alternate Data Streams and Extended Attributes when suspicious files are investigated.
  • Restrict and monitor administrative or scripting activity where business need is limited, especially PowerShell or utilities interacting with stream parameters.
  • Use detection engineering tests to verify that ADS and EA activity is visible in SOC tooling and not lost during log parsing or enrichment.
  • Where compliance evidence is required, document collection scope and known limitations for NTFS metadata so audit claims do not overstate file monitoring coverage.

Analyst notes and limits

This object is a detection analytic, not a technique entry, and it has no supplied tactic or relationship context. The strongest use is as a validation prompt for Windows endpoint telemetry and IR procedures around NTFS metadata abuse. Local baselining is important because legitimate software may use alternate streams or extended attributes.

The supplied ATT&CK fields do not include official detection logic, related techniques, mitigations, groups, software, campaigns, or examples. No active exploitation, attribution, impact, or environment-specific exposure should be inferred from this object alone.

Official MITRE ATT&CK definition

Analytic 1206

Suspicious use of NTFS file attributes such as Alternate Data Streams (ADS) or Extended Attributes (EA) to hide data. Defender perspective: anomalous file creations or modifications containing colon syntax (file.ext:ads), API calls like ZwSetEaFile/ZwQueryEaFile, or PowerShell/Windows utilities interacting with -stream parameters. Correlation across file metadata anomalies, process lineage, and command execution provides context.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3fd052c40f147e3e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 3fd052c40f14…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1206 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.