MITRE ATT&CK® Technique

T1096: NTFS File Attributes

Enterprise | T1096 | Technique | Object v1.1 | Modified
Historical object

This ATT&CK object is revoked or deprecated in the current MITRE ATT&CK release.

It remains available for historical context and inbound links. Use current ATT&CK relationships and replacement guidance before basing detection or reporting work on this page.

Glexia's Take

Analyst summary pending validation

Glexia publishes ATT&CK takes only after source-hash and schema validation. Until then, use the official MITRE definition below and the defensive relationship context on this page.

Official MITRE ATT&CK definition

NTFS File Attributes

Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. [1] Within MFT entries are file attributes, [2] such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). [1] [3] [4] [5]

Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. [6] [4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)
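
A minimal parser for the attribute list of one MFT file record, flagging the two storage locations named in the definition above: named Data attributes (ADSs) and Extended Attributes. This is an added example, not MITRE or Glexia code; the function names and the sample record are constructed for illustration, and it assumes a record whose update-sequence fixups have already been applied.

```python
import struct

# NTFS attribute type codes: $DATA, $EA, and the end-of-attributes marker
ATTR_DATA, ATTR_EA, ATTR_END = 0x80, 0xE0, 0xFFFFFFFF

def walk_attributes(record: bytes):
    """Yield (type, name, resident_size) for each attribute in one MFT record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT file record")
    off = struct.unpack_from("<H", record, 0x14)[0]  # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END:
            break
        if alen < 24 or off + alen > len(record):
            raise ValueError("corrupt attribute length")
        nonres, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
        raw_name = record[off + name_off: off + name_off + 2 * name_len]
        size = None if nonres else struct.unpack_from("<I", record, off + 16)[0]
        yield atype, raw_name.decode("utf-16-le"), size
        off += alen

def suspicious_attributes(record: bytes):
    """Flag named $DATA attributes (ADSs) and any $EA attribute."""
    findings = []
    for atype, name, size in walk_attributes(record):
        if atype == ATTR_DATA and name:
            findings.append(("ADS", name, size))
        elif atype == ATTR_EA:
            findings.append(("EA", name, size))
    return findings

def _resident_attr(atype: int, name: str, content: bytes) -> bytes:
    """Build one resident attribute (constructed test data, not a real capture)."""
    n = name.encode("utf-16-le")
    raw = struct.pack("<IIBBHHHIHBB", atype, 0, 0, len(name), 24, 0, 0,
                      len(content), 24 + len(n), 0, 0) + n + content
    raw += b"\x00" * (-len(raw) % 8)          # attributes are 8-byte aligned
    return raw[:4] + struct.pack("<I", len(raw)) + raw[8:]

def build_sample_record() -> bytes:
    """Constructed record: unnamed $DATA, one named $DATA, one $EA."""
    header = bytearray(56)
    header[0:4] = b"FILE"
    struct.pack_into("<H", header, 0x14, 56)
    attrs = (_resident_attr(ATTR_DATA, "", b"visible text")
             + _resident_attr(ATTR_DATA, "hidden.bin", b"sample bytes")
             + _resident_attr(ATTR_EA, "", b"\x00" * 12))
    return bytes(header) + attrs + struct.pack("<II", ATTR_END, 0)
```

The unnamed Data attribute is the file's normal content and is not reported; a size of `None` in a finding means the attribute is non-resident and its content lives outside the record.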

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1564.004 | NTFS File Attributes (Sub-technique) | This object is revoked by NTFS File Attributes.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: ee1517514d9871fb...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle Revoked ee1517514d98…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] SpectorOps Host-Based Jul 2017. Atkinson, J. (2017, July 18). Host-based Threat Modeling & Indicator Design. Retrieved March 21, 2018.
[2] Microsoft NTFS File Attributes Aug 2010. Hughes, J. (2010, August 25). NTFS File Attributes. Retrieved March 21, 2018.
[3] Microsoft File Streams. Microsoft. (n.d.). File Streams. Retrieved December 2, 2014.
[4] MalwareBytes ADS July 2015. Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.
[5] Microsoft ADS Mar 2014. Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018.
[6] Journey into IR ZeroAccess NTFS EA. Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS Extended Attributes. Retrieved June 3, 2016.
[7] Oddvar Moe ADS1 Jan 2018. Moe, O. (2018, January 14). Putting Data in Alternate Data Streams and How to Execute It. Retrieved June 30, 2018.
[8] Oddvar Moe ADS2 Apr 2018. Moe, O. (2018, April 11). Putting Data in Alternate Data Streams and How to Execute It - Part 2. Retrieved June 30, 2018.
[9] Symantec ADS May 2009. Pravs. (2009, May 25). What you need to know about alternate data streams in windows? Is your Data secure? Can you restore that?. Retrieved March 21, 2018.
[10] mitre-attack T1096.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.