Skip to content

DET0406 Detection Strategy for Extended Attributes Abuse

Item Value
ID DET0406
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1564.014 (Extended Attributes)

Analytics

Linux

AN1135

Abuse of extended attributes (xattrs) to embed hidden payloads into legitimate files. Defender perspective: detect anomalous use of setfattr or getfattr commands, or direct syscalls (setxattr, getxattr) where attributes are unusually large or contain encoded data. Behavior chain includes: (1) execution of setfattr with suspicious namespaces (user., trusted.), (2) file metadata modification inconsistent with file size/hash, and (3) subsequent process execution reading attributes followed by decoding activity.

Log Sources
Data Component Name Channel
File Metadata (DC0059) auditd:SYSCALL setxattr or getxattr system call
Command Execution (DC0064) auditd:EXECVE execution of setfattr or getfattr commands
Mutable Elements
Field Description
XattrNamespaces Namespaces monitored for suspicious activity (user., trusted., security.). Organizations may tune to reduce noise from benign use.
PayloadSizeThreshold Size of xattr values above which they should be considered anomalous (e.g., >1KB).
CorrelationWindow Time window to correlate xattr modification with process execution from the same file.

macOS

AN1136

Abuse of extended attributes (xattrs) to hide payloads in com.apple. or custom keys. Defender perspective: monitor suspicious use of xattr command with -w (write) and -p (print) flags, especially when followed by execution of interpreters like bash, Python, or osascript. Behavior chain includes: (1) suspicious file modification with new com.apple. attributes, (2) attribute content inconsistent with expected metadata tags (e.g., high entropy), (3) subsequent process execution correlated with extraction of the attribute.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog xattr utility execution with -w or -p flags
File Metadata (DC0059) macos:unifiedlog extended attribute write or modification
Mutable Elements
Field Description
WatchedXattrKeys Specific xattr keys to monitor (e.g., com.apple.quarantine, com.apple.ResourceFork, unknown custom keys).
EntropyThreshold High entropy attribute values may indicate encoded or encrypted payloads.
ProcessContext Expected legitimate applications interacting with xattrs (Finder, Spotlight) to help reduce false positives.