T1564.014

Extended Attributes

Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide malicious data and evade detection. Extended attributes are key-value pairs of metadata attached to files and directories that are invisible to standard tools like ls, cat, and Finder. They require dedicated utilities — xattr on macOS, or getfattr/setfattr on Linux — for inspection. An adversary embeds a Base64-encoded second-stage payload into an xattr of a legitimate file (using xattr -w on macOS or setfattr on Linux), then a loader script retrieves the attribute value, decodes it, and pipes it to a scripting interpreter (bash, python, etc.) for execution. Because the primary file content and cryptographic hash remain unchanged, file integrity monitoring and hash-based detection will not flag the carrier file. This technique has been observed in Lazarus Group (APT38) campaigns where custom xattr names mimicking system attributes were used to store encrypted shellcode.

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where DeviceOSPlatform in~ ("macOS", "Linux")
| where (
    // macOS: xattr write (embedding payload)
    (FileName =~ "xattr" and ProcessCommandLine has_any ("-w ", "--set ", "-wx ")) or
    // Linux: setfattr (embedding payload into user. namespace)
    (FileName =~ "setfattr" and ProcessCommandLine has "-n ") or
    // Linux: getfattr extraction — especially --only-values used by loaders
    (FileName =~ "getfattr" and ProcessCommandLine has_any ("--only-values", "-e ")) or
    // macOS: xattr read (retrieving payload)
    (FileName =~ "xattr" and ProcessCommandLine has_any ("-p ", "--print ")) or
    // Shell/interpreter invoked with parent chain showing xattr read
    (FileName in~ ("bash", "sh", "zsh", "python", "python3", "perl", "ruby") and
     InitiatingProcessFileName in~ ("xattr", "getfattr", "bash", "sh", "zsh") and
     InitiatingProcessCommandLine has_any ("xattr -p", "getfattr --only-values", "base64 -d", "base64 --decode"))
)
// Enrich with suspicious indicators
| extend HasBase64Pattern = ProcessCommandLine has_any ("base64", "base64 -d", "--decode", "frombase64", "b64decode")
| extend HasExecutionPipe = ProcessCommandLine has_any ("|bash", "| bash", "|sh", "| sh", "|python", "| python", "|perl", "| perl", "exec(", "eval(")
| extend WritingAttribute = (FileName in~ ("xattr", "setfattr")) and ProcessCommandLine has_any ("-w ", "--set ", "-n ")
| extend ReadingAttribute = (FileName =~ "xattr" and ProcessCommandLine has_any ("-p ", "--print ")) or (FileName =~ "getfattr" and ProcessCommandLine has "--only-values")
| extend NonStandardNamespace = ProcessCommandLine has_any ("user.", "trusted.", "security.") and not ProcessCommandLine has_any ("com.apple.quarantine", "com.apple.metadata", "com.apple.FinderInfo", "com.apple.lastuseddate", "com.apple.ResourceFork")
| extend SuspicionScore = toint(HasBase64Pattern) + toint(HasExecutionPipe) + toint(NonStandardNamespace) + toint(WritingAttribute) + toint(ReadingAttribute)
| project Timestamp, DeviceName, DeviceOSPlatform, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         WritingAttribute, ReadingAttribute, HasBase64Pattern, HasExecutionPipe, NonStandardNamespace, SuspicionScore
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (macOS agent) Microsoft Defender for Endpoint (Linux agent)

Required Tables

DeviceProcessEvents

False Positives

macOS Gatekeeper and Spotlight legitimately use com.apple.quarantine, com.apple.metadata:*, and com.apple.FinderInfo attributes — excluded by the NonStandardNamespace filter
Backup and archiving tools (rsync --xattrs, tar --xattrs, macOS Time Machine) regularly read and write extended attributes during scheduled backup operations
File tagging applications and Digital Asset Management (DAM) software write custom xattrs for organizational metadata and workflow state
Container runtimes (Docker overlay2, Podman) and package managers use trusted. namespace attributes on Linux for filesystem layer tracking
Security baseline scanning tools (AIDE, Tripwire) reading all file metadata including xattrs during scheduled integrity baseline runs

Splunk

spl

index=linux sourcetype="linux:audit"
| eval cmd_lower=lower(proctitle)
| where (comm="xattr" OR comm="setfattr" OR comm="getfattr"
    OR match(cmd_lower, "(setfattr|getfattr|xattr\s+-[wpn])"))
| eval WritingAttribute=if(match(cmd_lower, "(setfattr|xattr\s+-w\s|xattr\s+--set\s)"), 1, 0)
| eval ReadingAttribute=if(match(cmd_lower, "(getfattr\s+--only-values|xattr\s+-p\s|xattr\s+--print\s)"), 1, 0)
| eval HasBase64Pattern=if(match(cmd_lower, "(base64|frombase64|b64decode|b64encode)"), 1, 0)
| eval HasExecutionPipe=if(match(cmd_lower, "(\|bash|\|\s*bash|\|sh|\|\s*sh|\|python|\|\s*python|\|perl|exec\(|eval\()"), 1, 0)
| eval NonStandardNamespace=if(match(cmd_lower, "(user\.|trusted\.|security\.)") AND NOT match(cmd_lower, "(com\.apple\.quarantine|com\.apple\.metadata|com\.apple\.finderinfo)"), 1, 0)
| eval SuspicionScore=WritingAttribute + ReadingAttribute + HasBase64Pattern + HasExecutionPipe + NonStandardNamespace
| where SuspicionScore > 0
| table _time, host, uid, auid, comm, exe, proctitle, WritingAttribute, ReadingAttribute, HasBase64Pattern, HasExecutionPipe, NonStandardNamespace, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Linux Audit Daemon (auditd)

Required Sourcetypes

linux:audit

False Positives

Backup daemons (rsync --xattrs, tar --xattrs, Bacula, Amanda) running as service accounts during scheduled maintenance windows
Package managers (apt, yum, rpm) and container runtimes accessing trusted. namespace attributes during installation and overlay filesystem operations
Security baseline tools (AIDE, Tripwire, auditd itself) enumerating file attributes during scheduled integrity scans
Developer build systems (Make, CMake, Gradle) and CI/CD runners using xattrs for build artifact tagging or cache metadata
File manager applications and desktop environments writing user. namespace attributes for bookmark, tag, or thumbnail cache metadata

Elastic Security (EQL)

eql

sequence by host.id, process.parent.entity_id with maxspan=30s
  [
    process where event.type == "start" and
    (
      (process.name == "xattr" and process.args : ("-w", "--set", "-wx", "-p", "--print")) or
      (process.name == "setfattr" and process.args : "-n") or
      (process.name == "getfattr" and process.args : ("--only-values", "-e"))
    )
  ] by process.entity_id
  [
    process where event.type == "start" and
    process.name in ("bash", "sh", "zsh", "python", "python3", "perl", "ruby") and
    process.parent.name in ("xattr", "getfattr", "bash", "sh", "zsh") and
    (
      process.parent.args : ("xattr -p", "getfattr --only-values") or
      process.command_line : ("*base64 -d*", "*base64 --decode*", "*|bash*", "| bash*", "*|sh*", "*|python*", "*eval(*", "*exec(*")
    )
  ] by process.parent.entity_id

// Standalone xattr/setfattr/getfattr with suspicious indicators
any where event.category == "process" and event.type == "start" and
(
  (
    process.name in ("xattr", "setfattr", "getfattr") and
    (
      process.command_line : ("*base64*", "*|bash*", "*| bash*", "*|sh*", "*|python*", "*eval(*") or
      (
        process.command_line : ("*user.*", "*trusted.*", "*security.*") and
        not process.command_line : ("*com.apple.quarantine*", "*com.apple.metadata*", "*com.apple.FinderInfo*", "*com.apple.lastuseddate*", "*com.apple.ResourceFork*")
      )
    )
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.process) Auditd (Linux) macOS Endpoint Security Framework

Required Tables

logs-endpoint.events.process-* auditbeat-* filebeat-*

False Positives

macOS system processes and installers that legitimately set com.apple.quarantine or com.apple.metadata xattrs on downloaded files during normal software installation workflows
Security scanning tools (e.g., osquery, Tanium) that use getfattr/xattr to enumerate extended attributes for inventory or compliance auditing purposes
Developer workflows using setfattr/xattr to store build metadata, code signing attributes, or custom application state on project files in CI/CD pipelines

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  hostname,
  QIDNAME(qid) AS event_name,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "ParentCommandLine" AS parent_command_line,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(setfattr|xattr\s+-w\s|xattr\s+--set\s)' THEN 1
    ELSE 0
  END AS WritingAttribute,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(getfattr\s+--only-values|xattr\s+-p\s|xattr\s+--print\s)' THEN 1
    ELSE 0
  END AS ReadingAttribute,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(base64|frombase64|b64decode)' THEN 1
    ELSE 0
  END AS HasBase64Pattern,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(\|bash|\|\s*bash|\|sh|\|\s*sh|\|python|exec\(|eval\()' THEN 1
    ELSE 0
  END AS HasExecutionPipe,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(user\.|trusted\.|security\.)'
     AND NOT LOWER("CommandLine") MATCHES '(com\.apple\.quarantine|com\.apple\.metadata|com\.apple\.finderinfo)' THEN 1
    ELSE 0
  END AS NonStandardNamespace
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Apple Mac OS X')
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    LOWER("Image") MATCHES '.*(xattr|setfattr|getfattr).*'
    OR (
      LOWER("Image") MATCHES '.*(bash|sh|zsh|python|python3|perl|ruby).*'
      AND LOWER("ParentImage") MATCHES '.*(xattr|getfattr|bash|sh|zsh).*'
      AND LOWER("ParentCommandLine") MATCHES '.*(xattr\s+-p|getfattr\s+--only-values|base64\s+-d|base64\s+--decode).*'
    )
  )
  AND (
    LOWER("CommandLine") MATCHES '.*(setfattr|getfattr|xattr\s+-[wpn]).*'
    OR LOWER("CommandLine") MATCHES '.*(base64|frombase64|b64decode).*'
    OR LOWER("CommandLine") MATCHES '.(\|bash|\|sh|\|python|exec\(|eval\().*'
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

QRadar Linux OS DSM (auditd/syslog) QRadar Apple Mac OS X DSM Sysmon for Linux via QRadar Universal DSM

Required Tables

events

False Positives

Package managers (brew, apt, yum) that read and write extended attributes during software installation, particularly com.apple.quarantine manipulation on macOS when clearing quarantine flags post-download
Backup and archiving tools (rsync, tar with xattr support, Carbon Copy Cloner) that preserve extended attributes as part of filesystem backup operations
Container orchestration runtimes (Docker, containerd) that use setfattr to manage overlay filesystem attributes, SELinux labels (security.selinux), or POSIX access control lists

Sumo Logic CSE

sql

(_sourceCategory="linux/audit" OR _sourceCategory="macos/endpoint" OR _sourceCategory="os/linux" OR _sourceCategory="crowdstrike/fdr")
| where !(isNull(proctitle) or proctitle="")
| toLowerCase(proctitle) as cmd_lower
| where (
    (comm = "xattr" or comm = "setfattr" or comm = "getfattr")
    or matches(cmd_lower, ".*(setfattr|getfattr|xattr\s+-[wpn]).*")
    or (
      matches(cmd_lower, ".*(bash|sh|zsh|python|python3|perl|ruby).*")
      and matches(parent_process, ".*(xattr|getfattr).*")
      and matches(parent_cmdline, ".*(xattr -p|getfattr --only-values|base64 -d|base64 --decode).*")
    )
  )
| if(matches(cmd_lower, ".*(setfattr|xattr\s+-w\s|xattr\s+--set\s).*"), 1, 0) as WritingAttribute
| if(matches(cmd_lower, ".*(getfattr\s+--only-values|xattr\s+-p\s|xattr\s+--print\s).*"), 1, 0) as ReadingAttribute
| if(matches(cmd_lower, ".*(base64|frombase64|b64decode|b64encode).*"), 1, 0) as HasBase64Pattern
| if(matches(cmd_lower, ".(\\|bash|\\|\\s*bash|\\|sh|\\|\\s*sh|\\|python|exec\\(|eval\\().*"), 1, 0) as HasExecutionPipe
| if(
    matches(cmd_lower, ".*(user\\.|trusted\\.|security\\.).*")
    and !matches(cmd_lower, ".*(com\\.apple\\.quarantine|com\\.apple\\.metadata|com\\.apple\\.finderinfo|com\\.apple\\.lastuseddate|com\\.apple\\.resourcefork).*"),
    1, 0
  ) as NonStandardNamespace
| WritingAttribute + ReadingAttribute + HasBase64Pattern + HasExecutionPipe + NonStandardNamespace as SuspicionScore
| where SuspicionScore > 0
| fields _messagetime, host, uid, auid, comm, exe, proctitle, parent_process, parent_cmdline, WritingAttribute, ReadingAttribute, HasBase64Pattern, HasExecutionPipe, NonStandardNamespace, SuspicionScore
| sort by _messagetime desc

high severity medium confidence

Data Sources

Linux Audit Daemon (auditd) logs macOS Unified Logging / Endpoint Security CrowdStrike FDR via Sumo Logic S3 ingestion Syslog process execution events

Required Tables

_sourceCategory=linux/audit _sourceCategory=macos/endpoint _sourceCategory=crowdstrike/fdr

False Positives

macOS Gatekeeper and Quarantine workflows where security software legitimately calls xattr -d com.apple.quarantine after validating downloaded applications — adjust the NonStandardNamespace filter to suppress known quarantine management processes
Extended attribute-aware backup solutions (Veeam, Acronis, Time Machine internals) that iterate over all file xattrs to preserve filesystem metadata, generating high volumes of getfattr/xattr read events
SELinux and AppArmor policy enforcement processes on Linux that use setfattr to apply or restore security.selinux labels during policy reload or file relabeling operations

Google Chronicle / SecOps

yaral

rule t1564_014_extended_attribute_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Extended Attribute (xattr/setfattr/getfattr) abuse for payload staging and execution evasion on macOS and Linux (T1564.014)"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1564.014"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1564/014/"
    created = "2026-04-21"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.principal.user.userid = $user
    $e.target.process.command_line = $cmdline

    (
      // macOS: xattr write — embedding payload
      (
        re.regex($e.target.process.file.full_path, `/xattr$`) and
        re.regex($e.target.process.command_line, `\s(-w|--set|-wx)\s`)
      ) or
      // Linux: setfattr — writing user-namespace attributes
      (
        re.regex($e.target.process.file.full_path, `/setfattr$`) and
        re.regex($e.target.process.command_line, `\s-n\s`)
      ) or
      // Linux: getfattr extraction with raw value output
      (
        re.regex($e.target.process.file.full_path, `/getfattr$`) and
        re.regex($e.target.process.command_line, `(--only-values|-e\s)`)
      ) or
      // macOS: xattr read — retrieving stored payload
      (
        re.regex($e.target.process.file.full_path, `/xattr$`) and
        re.regex($e.target.process.command_line, `\s(-p|--print)\s`)
      ) or
      // Interpreter spawned from xattr/getfattr parent chain with decode/exec patterns
      (
        re.regex($e.target.process.file.full_path, `/(bash|sh|zsh|python3?|perl|ruby)$`) and
        re.regex($e.target.process.parent_process.file.full_path, `/(xattr|getfattr|bash|sh|zsh)$`) and
        (
          re.regex($e.target.process.parent_process.command_line, `(xattr\s+-p|getfattr\s+--only-values)`) or
          re.regex($e.target.process.command_line, `(base64\s+-d|base64\s+--decode|\|bash|\|\s*sh|\|\s*python|eval\(|exec\()`)
        )
      )
    )

    // Enrich: flag non-standard namespaces (exclude known benign Apple xattr names)
    not re.regex($e.target.process.command_line,
      `(com\.apple\.quarantine|com\.apple\.metadata|com\.apple\.FinderInfo|com\.apple\.lastuseddate|com\.apple\.ResourceFork)`
    )

  match:
    $hostname, $user over 30m

  outcome:
    $risk_score = max(
      if(re.regex($cmdline, `(base64|-d|--decode|frombase64|b64decode)`) and
         re.regex($cmdline, `(\|bash|\|sh|\|python|eval\(|exec\()`), 90,
      if(re.regex($cmdline, `(\|bash|\|sh|\|python|eval\(|exec\()`), 75,
      if(re.regex($cmdline, `(user\.|trusted\.|security\.)`), 60,
      50))
    )
    $has_base64 = re.regex($cmdline, `(base64|b64decode|frombase64)`)
    $has_exec_pipe = re.regex($cmdline, `(\|bash|\|sh|\|python|eval\(|exec\()`)
    $is_write = re.regex($cmdline, `(-w\s|--set\s|-wx\s|setfattr)`)
    $is_read = re.regex($cmdline, `(-p\s|--print\s|--only-values)`)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) macOS Endpoint Security via Chronicle connector Linux auditd ingested via Chronicle Forwarder CrowdStrike Falcon EDR via Chronicle ingestion

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Enterprise MDM solutions (Jamf, Kandji, Microsoft Intune for macOS) that programmatically manage xattr metadata on managed device files as part of policy enforcement and configuration profile application
Developer toolchain scripts that use xattr to tag build artifacts with versioning or signing metadata — commonly seen in Xcode build phases calling xattr -w com.custom.buildversion on output binaries
Linux filesystem administrative tasks (e.g., Samba share management using setfattr to apply DOS attributes, POSIX ACL tools calling setfattr with system.posix_acl_access namespace values)

CrowdStrike LogScale (CQL)

cql

// T1564.014 — Extended Attributes abuse detection (macOS and Linux)
// Primary: xattr/setfattr/getfattr execution with suspicious indicators
#event_simpleName=ProcessRollup2
| ImageFileName = /\/(xattr|setfattr|getfattr)$/
| CommandLine = /(setfattr|getfattr|xattr\s+-[wpn])/i
| case {
    CommandLine = /(setfattr|xattr\s+-w\s|xattr\s+--set\s)/i | WritingAttribute := "true" ;
    * | WritingAttribute := "false"
  }
| case {
    CommandLine = /(getfattr\s+--only-values|xattr\s+-p\s|xattr\s+--print\s)/i | ReadingAttribute := "true" ;
    * | ReadingAttribute := "false"
  }
| case {
    CommandLine = /(base64|frombase64|b64decode)/i | HasBase64Pattern := "true" ;
    * | HasBase64Pattern := "false"
  }
| case {
    CommandLine = /(\|bash|\|\s*bash|\|sh|\|\s*sh|\|python|exec\(|eval\()/i | HasExecutionPipe := "true" ;
    * | HasExecutionPipe := "false"
  }
| case {
    CommandLine = /(user\.|trusted\.|security\.)/i
    AND CommandLine != /(com\.apple\.quarantine|com\.apple\.metadata|com\.apple\.finderinfo|com\.apple\.lastuseddate|com\.apple\.resourcefork)/i
    | NonStandardNamespace := "true" ;
    * | NonStandardNamespace := "false"
  }
| SuspicionScore := (WritingAttribute="true" ? 1 : 0)
    + (ReadingAttribute="true" ? 1 : 0)
    + (HasBase64Pattern="true" ? 1 : 0)
    + (HasExecutionPipe="true" ? 1 : 0)
    + (NonStandardNamespace="true" ? 1 : 0)
| SuspicionScore > 0
| table([@timestamp, ComputerName, UserName, aid, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, WritingAttribute, ReadingAttribute, HasBase64Pattern, HasExecutionPipe, NonStandardNamespace, SuspicionScore])
| sort(field=@timestamp, order=desc)

// Supplemental: interpreter spawned by xattr/getfattr parent chain
| join type=left
  (
    #event_simpleName=ProcessRollup2
    | ImageFileName = /\/(bash|sh|zsh|python3?|perl|ruby)$/
    | ParentBaseFileName = /(xattr|getfattr|bash|sh|zsh)/i
    | ParentCommandLine = /(xattr\s+-p|getfattr\s+--only-values|base64\s+-d|base64\s+--decode)/i
    | table([TargetProcessId, ComputerName, CommandLine, ParentBaseFileName, ParentCommandLine])
  )
  on (ComputerName)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2) Falcon Data Replicator (FDR) process events CrowdStrike Falcon for macOS CrowdStrike Falcon for Linux

Required Tables

ProcessRollup2

False Positives

macOS System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC) frameworks that write and read com.apple.* extended attributes on system files — tune by excluding ImageFileName paths under /System/ and /Library/
Homebrew package manager on macOS, which uses xattr to manage quarantine flags and custom metadata on downloaded package archives and compiled binaries during install and upgrade operations
Linux containers using overlay filesystems (Docker, Podman) where the container runtime calls setfattr with trusted.overlay.* namespace attributes as part of copy-on-write layer management

Last updated: 2026-04-21 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1564.014 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Extended Attributes

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections