MITRE ATT&CK® Detection Strategy

DET0406: Detection Strategy for Extended Attributes Abuse

Enterprise | DET0406 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0406 is a MITRE detection strategy for identifying abuse of extended attributes associated with ATT&CK technique T1564.014. The practical risk is that malicious data can be hidden in file or directory metadata on Linux and macOS where normal user and analyst tools such as file browsers, basic listing, or file-content views may not show it. For leaders, this matters because endpoint visibility that only inspects visible file content can leave a gap in investigations, malware triage, and assurance reporting.

Executive priority

Prioritize this as a coverage-validation question for Linux and macOS estates: can the organization discover suspicious use of extended attributes during detection, incident response, and forensic review? The decision for the business is not whether every xattr is malicious; it is that this is a stealth technique that can undermine SOC confidence, delay containment, and weaken audit evidence if endpoint collection and IR procedures do not account for metadata that standard tools hide.

Technical view

The supplied ATT&CK object has no official detection text or platform list of its own, but it detects T1564.014 Extended Attributes, which is described for Linux and macOS as a stealth technique. SOC and IR teams should validate whether endpoint telemetry, forensic collection, and triage playbooks include extended attribute inspection, not only normal file names, paths, hashes, and content. Detection engineering should focus on unusual or security-relevant xattr presence, changes, or values in locations and files where the organization does not expect them, while accounting for legitimate operating system and application use of xattrs for tagging, integrity checks, and access control.

Likely telemetry

  • macOS and Linux endpoint file metadata collection that includes extended attributes
  • File and directory metadata change events, where available
  • Forensic acquisition output that preserves xattrs
  • Results from approved administrative or forensic utilities capable of inspecting xattrs, such as xattr on macOS or getfattr on Linux
  • Endpoint detection logs that record file metadata, not just file content or process execution

Detection direction

  • Validate that visibility exists for extended attributes on Linux and macOS systems in scope; standard file browsing, listing, or content viewing alone is not sufficient based on the related technique description.
  • Tune detections around anomalous xattr use rather than mere presence, because the related technique notes legitimate OS and application uses for tagging, integrity checks, and access control.
  • During investigations of suspected hidden data or defense evasion, require analysts to check whether relevant files or directories have xattrs and whether those attributes are preserved in collected evidence.
  • Compare expected xattr patterns for managed applications and operating system behavior against unusual attributes, unexpected locations, or suspicious changes.
  • Document blind spots where EDR, SIEM, backup, or forensic pipelines drop xattr metadata, as this can create false assurance during incident review.
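As an added example (not part of the MITRE object or of Glexia's page), the following Python script applies the "anomalous use, not mere presence" direction above: it inventories xattrs under a directory with os.listxattr/os.getxattr and flags only attributes whose names fall outside an assumed baseline of expected namespaces or whose values are oversized. The namespace prefixes, the size threshold, and the sample inventory are assumptions to be replaced with the estate's own baseline.

```python
"""Triage Linux/macOS extended attributes (xattrs) against an expected-use baseline."""
import os
import sys
from typing import Dict, Iterable, List, Tuple

# ASSUMED baseline: name prefixes the OS and managed applications are expected
# to write. Linux's unrestricted user.* namespace is deliberately not baselined
# wholesale; add specific approved names (e.g. "user.mime_type") per estate.
EXPECTED_PREFIXES = ("security.", "system.", "trusted.", "com.apple.")
# ASSUMED threshold: tagging/integrity metadata is normally small; a larger
# value even in an expected namespace deserves an analyst's look.
MAX_BENIGN_VALUE_BYTES = 512


def collect_xattrs(path: str) -> Dict[str, bytes]:
    """Return {name: value} for every xattr on one path; {} if unavailable."""
    try:
        names = os.listxattr(path, follow_symlinks=False)
        return {n: os.getxattr(path, n, follow_symlinks=False) for n in names}
    except (OSError, AttributeError):
        return {}  # missing file, EPERM, unsupported filesystem, or no xattr API


def triage(inventory: Dict[str, Dict[str, bytes]],
           expected_prefixes: Iterable[str] = EXPECTED_PREFIXES,
           max_value: int = MAX_BENIGN_VALUE_BYTES) -> List[Tuple[str, str, str]]:
    """Flag anomalous use, not mere presence. Returns (path, name, reason) tuples.
    Filesystem-independent, so it also runs over inventories exported by forensic tools."""
    prefixes = tuple(expected_prefixes)
    findings = []
    for path, attrs in sorted(inventory.items()):
        for name, value in attrs.items():
            if not name.startswith(prefixes):
                findings.append((path, name, "name outside expected namespaces"))
            elif len(value) > max_value:
                findings.append((path, name, f"value is {len(value)} bytes (limit {max_value})"))
    return findings


def scan_tree(root: str) -> Dict[str, Dict[str, bytes]]:
    """Inventory xattrs on every directory and file under root (symlinks not followed)."""
    inventory: Dict[str, Dict[str, bytes]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            attrs = collect_xattrs(entry)
            if attrs:
                inventory[entry] = attrs
    return inventory


if __name__ == "__main__":
    for path, name, reason in triage(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{path}\t{name}\t{reason}")
```

Run it as `python3 xattr_triage.py /path/to/review`; pipelines that drop xattrs (see the blind-spot note above) can be checked by running it against the original host and against the collected evidence and diffing the two inventories.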

Mitigation priorities

  • Establish an asset and telemetry baseline for Linux and macOS systems where extended attributes are relevant.
  • Update IR and forensic playbooks so collection and triage preserve and inspect extended attributes when investigating stealth or hidden-data behavior.
  • Ensure endpoint monitoring and evidence collection can capture file metadata needed to review xattrs, not only standard file content and paths.
  • Define approved administrative uses of xattrs and expected application behavior to support practical alert tuning.
  • Use control validation exercises to prove that suspicious xattr abuse would be visible to the SOC and recoverable in incident evidence.

Analyst notes and limits

This take is relationship-driven. The detection strategy object itself provides no official description, detection text, tactics, or platforms. The actionable context comes from its ATT&CK relationship to T1564.014 Extended Attributes, which identifies Linux and macOS and explains that xattrs may hide data from standard tools while also having legitimate operating system and application uses.

No active exploitation, attribution, prevalence, vendor coverage, or guaranteed detection can be concluded from the supplied fields. Local endpoint configuration, EDR capabilities, forensic tooling, and normal xattr usage patterns are required to determine actual coverage and alert quality.

Official MITRE ATT&CK definition

Detection Strategy for Extended Attributes Abuse

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Type | Relationship / procedure
Enterprise | T1564.014 | Extended Attributes | Sub-technique | This object detects Extended Attributes.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5e1753414e0e05af...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 5e1753414e0e…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0406 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.