MITRE ATT&CK® Detection Strategy

DET0432: Detection Strategy for NTFS File Attribute Abuse (ADS/EAs)


Domain: Enterprise | ID: DET0432 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is about finding abuse of NTFS file attributes, including Alternate Data Streams and Extended Attributes, used to hide data on Windows file systems. The business value is not just “detect hidden files”; it is validating whether endpoint monitoring and incident response processes can see data stored in places that normal file listings, user review, or basic collection methods may miss.

Executive priority

Prioritize this as a Windows stealth and resilience question: can the organization prove it can identify suspicious data hidden in NTFS metadata and respond before it undermines investigations or control assurance? Leaders should ask whether SOC tooling, endpoint logging, forensic collection, and IR playbooks explicitly account for NTFS attributes, because gaps can weaken malware triage, evidence preservation, and audit confidence.

Technical view

The supplied ATT&CK object has no official detection text, but it detects T1564.004, NTFS File Attributes, under the stealth tactic on Windows. SOC and IR teams should validate visibility into NTFS-specific artifacts such as Alternate Data Streams, Extended Attributes, and Master File Table-related evidence where available. Detection engineering should focus on whether file creation, modification, scanning, and forensic collection workflows preserve and expose ADS/EA indicators rather than flattening or ignoring them.

Likely telemetry

  • Windows endpoint file system activity telemetry
  • Endpoint detection and response file create/modify events
  • Forensic collection output that preserves NTFS metadata
  • File inventory or integrity monitoring data that includes NTFS alternate streams or extended attributes
  • Malware triage or sandbox results that report ADS/EA usage

Detection direction

  • Confirm whether existing endpoint and forensic tools enumerate NTFS Alternate Data Streams and Extended Attributes rather than only standard file paths.
  • Test alert logic against benign administrative or application use of NTFS attributes to understand false positives before escalating broadly.
  • Review whether file transfer, backup, archive, and evidence collection processes preserve or discard ADS/EA data, as this can create investigation blind spots.
  • Correlate NTFS attribute findings with surrounding process, user, and file activity; the relationship context supports stealth behavior, but attribute presence alone may not be malicious.
  • Document detection assumptions clearly because the official detection strategy object does not provide a specific analytic, data source, or platform field.
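The telemetry list and the detection-direction steps above (enumerate named streams, tune against benign use, correlate the stream write with the writing process) reduced to working triage logic, as an added example that is not part of the Glexia page or of MITRE's DET0432 object. The events are constructed; their fields are modelled on Sysmon Event ID 15 (FileCreateStreamHash), which records creation of a named NTFS stream together with the writing process and the leading bytes of the stream content. The process names, paths, stream names and the benign-writer allow-list are assumptions for illustration and would be tuned per environment.

```python
"""Triage named-stream (ADS) creation events and flag those that merit review.

Example code added alongside the DET0432 page, not Glexia's or MITRE's own.
Sample telemetry is constructed; field layout follows Sysmon Event ID 15
(process image, target path with the stream name after the last colon,
leading bytes of stream content). All hosts, paths and names are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The Mark-of-the-Web stream that browsers and Explorer write on download is the
# dominant benign source of ADS events; without an allow-list it swamps alerts.
BENIGN_STREAMS = {"zone.identifier"}

# Processes expected to write those benign streams. A benign stream *name*
# written by anything else still gets a look (assumed list, tune locally).
BENIGN_STREAM_WRITERS = {"msedge.exe", "chrome.exe", "firefox.exe", "explorer.exe"}

# Script hosts whose stream writes deserve analyst attention (assumed list).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Leading bytes that indicate an executable, archive or script parked in a stream.
PAYLOAD_MARKERS = (b"MZ", b"#!", b"<script", b"PK")


@dataclass
class StreamEvent:
    image: str        # full path of the writing process
    target: str       # r"C:\dir\file.ext:streamname" (no stream name for plain writes)
    contents: bytes   # leading bytes captured from the stream; may be empty


def split_stream_path(target: str) -> tuple[str, str | None]:
    """Split r'C:\\dir\\file.ext:stream' into (file path, stream name).

    The drive-letter colon is not a stream separator, and an explicit
    ':$DATA' type suffix is dropped before splitting.
    """
    if re.match(r"^[A-Za-z]:", target):
        drive, body = target[:2], target[2:]
    else:
        drive, body = "", target
    if body.upper().endswith(":$DATA"):
        body = body[: -len(":$DATA")]
    if ":" not in body:
        return drive + body, None
    file_part, stream = body.rsplit(":", 1)
    return drive + file_part, stream


def triage(event: StreamEvent) -> dict | None:
    """Return a finding for a stream write that merits review, else None."""
    file_path, stream = split_stream_path(event.target)
    if stream is None:
        return None  # write to the unnamed $DATA stream: an ordinary file write
    writer = event.image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if stream.lower() in BENIGN_STREAMS:
        if writer in BENIGN_STREAM_WRITERS:
            return None  # expected Mark-of-the-Web write; suppress to control volume
        reasons.append(f"benign stream name written by unexpected process {writer}")
    else:
        reasons.append(f"non-standard stream name '{stream}'")
    if event.contents.startswith(PAYLOAD_MARKERS):
        reasons.append("stream content begins with an executable/archive/script marker")
    if writer in SCRIPT_HOSTS:
        reasons.append(f"written by script host {writer}")
    return {
        "file": file_path,
        "stream": stream,
        "writer": writer,
        "reasons": reasons,
        "severity": "high" if len(reasons) >= 2 else "medium",
    }


# Constructed sample events: one benign download, one payload staged in a
# stream by a script host, one benign-looking stream name from cmd.exe, and
# one plain file write with no named stream.
SAMPLE_EVENTS = [
    StreamEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier",
                b"[ZoneTransfer]\r\nZoneId=3"),
    StreamEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                r"C:\Users\alice\AppData\Local\Temp\notes.txt:update",
                b"MZ\x90\x00\x03"),
    StreamEvent(r"C:\Windows\System32\cmd.exe",
                r"C:\ProgramData\cache.dat:Zone.Identifier",
                b"[ZoneTransfer]"),
    StreamEvent(r"C:\Windows\explorer.exe",
                r"C:\Users\alice\Documents\budget.xlsx",
                b""),
]


def run_triage(events: list[StreamEvent] = SAMPLE_EVENTS) -> list[dict]:
    """Apply triage to every event and return only the findings."""
    return [f for f in (triage(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in run_triage():
        print(finding["severity"].upper(), finding["file"], "->", finding["stream"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The allow-list is deliberately keyed on both stream name and writing process: the page's point about benign administrative or application use of ADS is handled by suppressing the expected Zone.Identifier pattern, while the same stream name written by a script host is still surfaced, which is the process-context correlation the detection-direction list calls for. Extended Attributes are not covered here because they do not appear as a named stream in this event model and need separate collection.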

Mitigation priorities

  • Ensure Windows endpoint and forensic tooling can inspect NTFS file attributes, especially ADS and EAs, where this risk is relevant.
  • Update incident response playbooks to include NTFS metadata review during suspicious file, persistence, or evasion investigations.
  • Use security configuration, endpoint controls, and malware scanning capabilities that do not ignore alternate streams or extended attributes.
  • Train SOC and IR analysts on the investigative significance of NTFS attributes so hidden data is not missed during triage.
  • Maintain compliance evidence showing that file-system monitoring and forensic procedures account for NTFS-specific hiding locations when Windows systems are in scope.

Analyst notes and limits

The value of DET0432 is primarily relationship-driven: it is a detection strategy for T1564.004, NTFS File Attributes. Because the ATT&CK object does not include official description or detection guidance, local validation should determine which tools actually expose ADS/EA evidence and how often legitimate software uses these features in the environment.

The supplied detection strategy has no official description, detection text, tactics, or platforms. Windows relevance comes from the related T1564.004 technique, not from DET0432’s own platform field. This take does not assert active exploitation, attribution, impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detection Strategy for NTFS File Attribute Abuse (ADS/EAs)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1564.004
Name: NTFS File Attributes (Sub-technique)
Relationship / procedure: This object detects NTFS File Attributes.
Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created
Modified
Raw hash: 27e5c20b13787f45...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported
Object version: 1.0
Modified
Status: Current bundle
Raw hash: 27e5c20b1378…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: DET0432 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.