NTFS File Attributes

Information

• Name: NTFS File Attributes

• ID: T1564.004

• Tactics: TA0005

• Technique: T1564

Introduction

The NTFS File Attributes sub-technique (T1564.004), part of the MITRE ATT&CK framework, involves adversaries manipulating NTFS (New Technology File System) file attributes to conceal malicious activities and evade detection. Attackers exploit features of the NTFS file system, such as hidden files, alternate data streams (ADS), and extended file attributes, to obscure malicious files and processes, making detection and forensic analysis more challenging.

Deep Dive Into Technique

NTFS file attributes manipulation generally includes several different methods and mechanisms:

1. Alternate Data Streams (ADS)

• ADS allows files to contain multiple data streams, effectively embedding hidden data within otherwise benign files.

• Attackers leverage ADS to hide executable payloads, scripts, or malicious commands.

• ADS cannot be easily detected through standard directory listings or common file browsing methods, making it a popular stealth tactic.

2. Hidden and System Attributes

• Attackers can modify standard NTFS file attributes, such as marking files as "hidden" or "system," to evade casual inspection.

• Files marked with hidden or system attributes do not appear in standard directory listings unless explicitly configured to show hidden/system files.

• Malware authors frequently use these attributes to conceal malicious executables or scripts.

3. Extended Attributes and File Timestamps

• Attackers may manipulate NTFS extended attributes or timestamps to evade forensic analysis and detection.

• By altering timestamps, adversaries obscure the actual timeline of their actions, complicating investigation and response efforts.

Technical Execution Methods

Adversaries commonly use built-in Windows utilities or custom scripts to manipulate NTFS attributes:

• Command-line utilities such as:

  • attrib.exe for setting or clearing hidden/system attributes:

    Copy

    attrib +h +s malicious.exe

  • PowerShell commands for managing ADS:

    Copy

    Set-Content -Path innocent.txt -Stream malicious.exe -Value (Get-Content malicious.exe -Raw)

• Custom malware scripts or executables designed specifically to manipulate NTFS attributes and evade detection.

Real-world Procedures

• Attackers embed malicious payloads within ADS of legitimate files, such as text documents or system binaries.

• Malware samples frequently use hidden/system attributes to avoid detection during casual file inspections.

• Advanced persistent threat (APT) groups and ransomware operators commonly leverage NTFS manipulation techniques to maintain persistence and evade detection.

When this Technique is Usually Used

Attackers typically use NTFS file attribute manipulation in various attack scenarios and stages, including:

• Persistence: Embedding malicious payloads within ADS of legitimate files to persistently execute malware without detection.

• Defense Evasion: Hiding malicious executables and scripts by marking them as hidden/system files or embedding them within ADS.

• Lateral Movement: Using hidden files and ADS to transfer malicious payloads across internal networks without triggering security alerts.

• Data Exfiltration: Concealing sensitive or stolen data within ADS for stealthy exfiltration from compromised networks.

How this Technique is Usually Detected

Detection of NTFS file attribute manipulation typically involves a combination of specialized tools, monitoring techniques, and specific Indicators of Compromise (IoCs):

Detection Methods

• File System Monitoring: Regularly monitoring NTFS file systems for unusual attribute changes, hidden/system files, and ADS usage.

• Endpoint Detection and Response (EDR): EDR solutions can identify suspicious file attribute modifications, ADS creation, and timestamp manipulations.

• Behavioral Analysis: Monitoring system behavior for suspicious file creation or modification activities, especially involving ADS or attribute changes.

Tools for Detection

• Sysinternals Streams: Command-line tool from Microsoft to detect and manage ADS:

  Copy

  streams.exe -s -d C:\

• PowerShell Scripts: Custom scripts designed to scan for hidden/system attributes or ADS:

  Copy

  Get-Item -Path C:\ -Stream *

• Endpoint Protection Platforms (EPP): Security solutions that monitor file attribute changes and ADS creation.

Indicators of Compromise (IoCs)

• Suspicious files marked as hidden/system attributes in unusual directories.

• Presence of ADS streams containing executables, scripts, or encrypted data.

• Unusual timestamp alterations on critical system files or logs.

• Increased use of commands like attrib.exe or PowerShell ADS management commands detected by logging or monitoring tools.

Why it is Important to Detect This Technique

Detecting NTFS file attribute manipulation is crucial due to its significant impact on security posture and operational integrity:

• Increased Difficulty of Detection: Malicious files hidden through ADS or attribute manipulation can evade standard antivirus and endpoint protection solutions.

• Persistence and Long-term Compromise: Attackers leverage NTFS manipulation to maintain persistent access without detection, enabling prolonged intrusions and data theft.

• Forensic Challenges: Manipulated file attributes and timestamps complicate digital forensic investigations, hindering incident response and remediation efforts.

• Risk of Data Exfiltration and Loss: Attackers frequently use hidden files or ADS to facilitate stealthy data exfiltration, potentially leading to significant data breaches and financial or reputational damage.

Early detection and response to NTFS file attribute manipulation significantly reduce the risk of prolonged compromise, data exfiltration, and operational disruptions.

Examples

Several real-world examples illustrate attackers using NTFS file attribute manipulation in cyber incidents:

Example 1: APT32 (OceanLotus)

• Attack Scenario:

  • APT32 used ADS to hide malicious payloads within legitimate-looking documents.

  • Attackers embedded malicious executables within ADS of benign files to evade detection during targeted espionage campaigns.

• Tools Used:

  • Custom malware scripts leveraging ADS functionality.

• Impact:

  • Successful evasion of antivirus and endpoint protection solutions.

  • Long-term stealthy persistence within victim environments, enabling espionage and data exfiltration.

Example 2: Ransomware Attacks (Maze, Ryuk)

• Attack Scenario:

  • Ransomware operators frequently employ hidden/system attributes to conceal malicious executables and scripts on compromised systems.

  • Attackers use ADS to store and execute ransomware payloads, avoiding detection by endpoint security solutions.

• Tools Used:

  • Built-in Windows utilities (attrib.exe) and PowerShell scripts.

• Impact:

  • Successful encryption of victim data without early detection.

  • Significant operational disruption, financial loss, and reputational damage to victim organizations.

Example 3: FIN7 Cybercrime Group

• Attack Scenario:

  • FIN7 leveraged ADS to store malicious scripts and payloads within legitimate files during financial cybercrime operations.

  • Attackers manipulated file timestamps to obscure forensic evidence.

• Tools Used:

  • PowerShell scripts and custom malware tools.

• Impact:

  • Successful evasion of detection and forensic analysis.

  • Large-scale financial fraud and theft of sensitive financial information from compromised organizations.