MITRE ATT&CK® Technique

T1564.004: NTFS File Attributes

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. [1] Within MFT entries are file attributes, [2] such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). [1] [3] [4] [5]

Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. [6] [4]

Enterprise · T1564.004 · Sub-technique · Object v2.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

NTFS File Attributes matters because malicious content can be hidden in Windows file-system metadata such as Alternate Data Streams or Extended Attributes rather than appearing as normal files. For leaders, the risk is not the filesystem feature itself; it is the possibility that malware, tools, or payload data may sit outside the visibility of basic file inventory, static indicator scanning, or some antivirus workflows.

Executive priority

Prioritize this where Windows endpoints or servers are critical to operations, investigations, or compliance evidence. Ask whether security tooling can inspect NTFS metadata, not just visible filenames and hashes, and whether incident response playbooks include checks for hidden artifacts. This is especially relevant for resilience planning because multiple ATT&CK software entries are related to this technique, including ransomware and backdoor families, but local exposure depends on Windows asset coverage and telemetry quality.

Technical view

This is a Windows stealth sub-technique under Hide Artifacts. ATT&CK provides no official detection text, but the relationship to DET0432 indicates a detection strategy exists for NTFS file attribute abuse involving ADS/EAs. SOC and IR teams should validate whether endpoint tooling, forensic collection, and triage procedures can enumerate NTFS file attributes, identify suspicious data streams or extended attributes, and correlate them with process activity, file writes, and execution attempts. Because ADS/EAs can also have legitimate uses, detection should focus on unusual locations, unexpected creators, suspicious parent processes, and artifacts associated with known incident context rather than treating every stream as malicious.

Likely telemetry

  • Windows endpoint file-system telemetry covering file creation, modification, and metadata changes
  • NTFS-aware forensic artifacts, including Master File Table and file attribute inspection where available
  • Endpoint detection and response records for processes writing to or reading from unusual file attributes or streams
  • Command-line and process lineage telemetry associated with file manipulation utilities or suspicious execution chains
  • File integrity monitoring or host-based inventory data that can account for ADS/EAs, not only visible files

Detection direction

  • Validate coverage against DET0432 or an equivalent NTFS ADS/EA detection strategy in the local environment.
  • Confirm scanners and EDR tools inspect NTFS metadata and do not rely only on normal file paths, extensions, or hashes.
  • Tune detections to reduce noise from legitimate NTFS stream usage by considering path, signer, user context, parent process, and recent incident indicators.
  • During investigations, include NTFS attribute enumeration in host triage when malware is suspected but visible payload files are missing.
  • Use related ATT&CK context as prioritization input: this technique is linked to APT32 and multiple Windows malware/software entries, but do not infer current activity without local evidence.
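The host-triage step described in the technical view and in the detection bullets above, as an added PowerShell example that is not part of the ATT&CK entry or of Glexia's analysis: it walks a directory tree, lists every named stream other than the default `:$DATA` stream, and applies the tuning cues the bullets mention (known-benign stream names, size, an executable header) so an analyst sees the streams worth a closer look first. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume, and the benign-stream list and size threshold are placeholders to tune locally; save it as a .ps1 and run it against the directory to sweep.

```powershell
# Added example (not part of the ATT&CK entry or Glexia's analysis): sweep a
# directory tree for alternate data streams and flag the ones worth triage.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.
param(
    [string]$Root = "$env:USERPROFILE\Downloads",
    # Assumed allow-list of stream names that legitimate software creates
    # (Mark-of-the-Web, SmartScreen); extend it for the local estate.
    [string[]]$BenignStreams = @('Zone.Identifier', 'SmartScreen'),
    # Metadata streams are small; anything above this looks like a payload.
    [int]$SizeThreshold = 4096
)

function Get-StreamHead {
    # Read the first two bytes of "<file>:<stream>" through .NET; the
    # file:stream path syntax is accepted by the Win32 file APIs on NTFS.
    param([string]$Path, [string]$Stream)
    try {
        $fs  = [System.IO.File]::OpenRead("${Path}:${Stream}")
        $buf = New-Object byte[] 2
        $n   = $fs.Read($buf, 0, 2)
        $fs.Dispose()
        if ($n -eq 2) { return $buf }
    } catch { }
    return $null
}

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    # Every file has the unnamed ':$DATA' stream; any other entry is an ADS.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        $reasons = @()
        if ($BenignStreams -notcontains $_.Stream) { $reasons += 'unfamiliar stream name' }
        if ($_.Length -gt $SizeThreshold)          { $reasons += "large ($($_.Length) bytes)" }
        $head = Get-StreamHead -Path $file.FullName -Stream $_.Stream
        # 'MZ' at offset 0 means a PE image is stored inside the stream.
        if ($head -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) { $reasons += 'MZ header' }
        [pscustomobject]@{
            File    = $file.FullName
            Stream  = $_.Stream
            Bytes   = $_.Length
            Owner   = (Get-Acl -LiteralPath $file.FullName).Owner
            Written = $file.LastWriteTime
            Flags   = ($reasons -join '; ')
        }
    }
} | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize
```

Zone.Identifier streams are expected on downloaded files and are listed rather than dropped because their contents record where the file came from, which is useful context when correlating with process and download telemetry.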

Mitigation priorities

  • Apply least-privilege file and directory permissions as described by M1022, especially limiting unnecessary write access to sensitive directories and system locations.
  • Prioritize Windows endpoint hardening and monitoring on high-value systems where hidden artifacts would complicate recovery or evidence collection.
  • Ensure IR procedures and forensic tooling preserve and review NTFS attributes during collection and analysis.
  • Review whether vulnerability management and compliance evidence processes depend on file inventories that may miss ADS/EAs.
  • Use control validation exercises to confirm that hidden NTFS attribute content is discoverable by defensive tooling without relying on vendor assumptions.

Analyst notes and limits

ATT&CK identifies this as T1564.004, a Windows sub-technique of Hide Artifacts. The supplied relationships show use by one group and multiple software entries, and a mitigation relationship to Restrict File and Directory Permissions. The most important defensive question is whether Windows file-system visibility includes NTFS metadata, because basic file scans may not be sufficient.

MITRE does not provide official detection guidance for this object in the supplied fields. This take is therefore based on the official description, external references, and stated relationships only. Actual detection feasibility, false positives, and risk priority require local endpoint tooling, Windows asset scope, and incident telemetry validation.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1096 | NTFS File Attributes | NTFS File Attributes (T1096) was revoked by this object.
Enterprise | T1564 | Hide Artifacts | This object is a sub-technique of Hide Artifacts.

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0050: APT32

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]

Malware (Enterprise)

S0019: Regin

Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003. [1]

Platform: Windows

Malware (Enterprise)

S0476: Valak

Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.[1][2]

Platform: Windows

Tool (Enterprise)

S0361: Expand

Expand is a Windows utility used to expand one or more compressed CAB files.[1] It has been used by BBSRAT to decompress a CAB file into executable content.[2]

Platform: Windows

Malware (Enterprise)

S0139: PowerDuke

PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. [1]

Platform: Windows

Malware (Enterprise)

S1052: DEADEYE

DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).[1]

Platform: Windows

Malware (Enterprise)

S0145: POWERSOURCE

POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. [1] [2]

Platform: Windows

Malware (Enterprise)

S1160: Latrodectus

Latrodectus is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. Latrodectus has most often been distributed through email campaigns, primarily by TA577 and TA578, and has infrastructure overlaps with historic IcedID operations.[1][2][3]

Platform: Windows

Malware (Enterprise)

S0570: BitPaymer

BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.[1]

Platform: Windows

Malware (Enterprise)

S0373: Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [1][2][3]

Platform: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: d157527b576bdb20...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | d157527b576b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] SpectorOps Host-Based Jul 2017. Atkinson, J. (2017, July 18). Host-based Threat Modeling & Indicator Design. Retrieved March 21, 2018.
  2. [2] Microsoft NTFS File Attributes Aug 2010. Hughes, J. (2010, August 25). NTFS File Attributes. Retrieved March 21, 2018.
  3. [3] Microsoft File Streams. Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.
  4. [4] MalwareBytes ADS July 2015. Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.
  5. [5] Microsoft ADS Mar 2014. Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018.
  6. [6] Journey into IR ZeroAccess NTFS EA. Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS Extended Attributes. Retrieved June 3, 2016.
  7. [7] mitre-attack T1564.004. MITRE ATT&CK. T1564.004: NTFS File Attributes.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.