MITRE ATT&CK Technique
Defense Evasion T1564.004
Description

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)

Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-03-13T20:33:00.009Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may use NTFS file attributes to hide their '
                'malicious data in order to evade detection. Every New '
                'Technology File System (NTFS) formatted partition contains a '
                'Master File Table (MFT) that maintains a record for every '
                'file/directory on the partition. (Citation: SpectorOps '
                'Host-Based Jul 2017) Within MFT entries are file attributes, '
                '(Citation: Microsoft NTFS File Attributes Aug 2010) such as '
                'Extended Attributes (EA) and Data [known as Alternate Data '
                'Streams (ADSs) when more than one Data attribute is present], '
                'that can be used to store arbitrary data (and even complete '
                'files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: '
                'Microsoft File Streams) (Citation: MalwareBytes ADS July '
                '2015) (Citation: Microsoft ADS Mar 2014)\n'
                '\n'
                'Adversaries may store malicious data or binaries in file '
                'attribute metadata instead of directly in files. This may be '
                'done to evade some defenses, such as static indicator '
                'scanning tools and anti-virus. (Citation: Journey into IR '
                'ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)',
 'external_references': [{'external_id': 'T1564.004',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1564/004'},
                         {'description': 'Arntz, P. (2015, July 22). '
                                         'Introduction to Alternate Data '
                                         'Streams. Retrieved March 21, 2018.',
                          'source_name': 'MalwareBytes ADS July 2015',
                          'url': 'https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/'},
                         {'description': 'Atkinson, J. (2017, July 18). '
                                         'Host-based Threat Modeling & '
                                         'Indicator Design. Retrieved March '
                                         '21, 2018.',
                          'source_name': 'SpectorOps Host-Based Jul 2017',
                          'url': 'https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea'},
                         {'description': 'Harrell, C. (2012, December 11). '
                                         'Extracting ZeroAccess from NTFS '
                                         'Extended Attributes. Retrieved June '
                                         '3, 2016.',
                          'source_name': 'Journey into IR ZeroAccess NTFS EA',
                          'url': 'http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html'},
                         {'description': 'Hughes, J. (2010, August 25). NTFS '
                                         'File Attributes. Retrieved March 21, '
                                         '2018.',
                          'source_name': 'Microsoft NTFS File Attributes Aug '
                                         '2010',
                          'url': 'https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/'},
                         {'description': 'Marlin, J. (2013, March 24). '
                                         'Alternate Data Streams in NTFS. '
                                         'Retrieved March 21, 2018.',
                          'source_name': 'Microsoft ADS Mar 2014',
                          'url': 'https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/'},
                         {'description': 'Microsoft. (n.d.). File Streams. '
                                         'Retrieved September 12, 2024.',
                          'source_name': 'Microsoft File Streams',
                          'url': 'https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams'},
                         {'description': 'Moe, O. (2018, April 11). Putting '
                                         'Data in Alternate Data Streams and '
                                         'How to Execute It - Part 2. '
                                         'Retrieved June 30, 2018.',
                          'source_name': 'Oddvar Moe ADS2 Apr 2018',
                          'url': 'https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/'},
                         {'description': 'Moe, O. (2018, January 14). Putting '
                                         'Data in Alternate Data Streams and '
                                         'How to Execute It. Retrieved June '
                                         '30, 2018.',
                          'source_name': 'Oddvar Moe ADS1 Jan 2018',
                          'url': 'https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/'},
                         {'description': 'Pravs. (2009, May 25). What you need '
                                         'to know about alternate data streams '
                                         'in windows? Is your Data secure? Can '
                                         'you restore that?. Retrieved March '
                                         '21, 2018.',
                          'source_name': 'Symantec ADS May 2009',
                          'url': 'https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore'}],
 'id': 'attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:49:35.944Z',
 'name': 'NTFS File Attributes',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Oddvar Moe, @oddvarmoe', 'Red Canary'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.2'}
Related Threat Actors (1)
rhysida
High