T1564.014 IBM QRadar · QRadar

Detect Extended Attributes in IBM QRadar

Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide malicious data and evade detection. Extended attributes are key-value pairs of metadata attached to files and directories that are invisible to standard tools like ls, cat, and Finder. They require dedicated utilities — xattr on macOS, or getfattr/setfattr on Linux — for inspection. An adversary embeds a Base64-encoded second-stage payload into an xattr of a legitimate file (using xattr -w on macOS or setfattr on Linux), then a loader script retrieves the attribute value, decodes it, and pipes it to a scripting interpreter (bash, python, etc.) for execution. Because the primary file content and cryptographic hash remain unchanged, file integrity monitoring and hash-based detection will not flag the carrier file. This technique has been observed in Lazarus Group (APT38) campaigns where custom xattr names mimicking system attributes were used to store encrypted shellcode.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1564 Hide Artifacts
Sub-technique
T1564.014 Extended Attributes
Canonical reference
https://attack.mitre.org/techniques/T1564/014/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  hostname,
  QIDNAME(qid) AS event_name,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "ParentCommandLine" AS parent_command_line,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(setfattr|xattr\s+-w\s|xattr\s+--set\s)' THEN 1
    ELSE 0
  END AS WritingAttribute,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(getfattr\s+--only-values|xattr\s+-p\s|xattr\s+--print\s)' THEN 1
    ELSE 0
  END AS ReadingAttribute,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(base64|frombase64|b64decode)' THEN 1
    ELSE 0
  END AS HasBase64Pattern,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(\|bash|\|\s*bash|\|sh|\|\s*sh|\|python|exec\(|eval\()' THEN 1
    ELSE 0
  END AS HasExecutionPipe,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(user\.|trusted\.|security\.)'
     AND NOT LOWER("CommandLine") MATCHES '(com\.apple\.quarantine|com\.apple\.metadata|com\.apple\.finderinfo)' THEN 1
    ELSE 0
  END AS NonStandardNamespace
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Apple Mac OS X')
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    LOWER("Image") MATCHES '.*(xattr|setfattr|getfattr).*'
    OR (
      LOWER("Image") MATCHES '.*(bash|sh|zsh|python|python3|perl|ruby).*'
      AND LOWER("ParentImage") MATCHES '.*(xattr|getfattr|bash|sh|zsh).*'
      AND LOWER("ParentCommandLine") MATCHES '.*(xattr\s+-p|getfattr\s+--only-values|base64\s+-d|base64\s+--decode).*'
    )
  )
  AND (
    LOWER("CommandLine") MATCHES '.*(setfattr|getfattr|xattr\s+-[wpn]).*'
    OR LOWER("CommandLine") MATCHES '.*(base64|frombase64|b64decode).*'
    OR LOWER("CommandLine") MATCHES '.(\|bash|\|sh|\|python|exec\(|eval\().*'
  )
ORDER BY starttime DESC
high severity medium confidence

QRadar AQL query detecting Extended Attribute abuse (T1564.014) on Linux and macOS endpoints. Correlates xattr/setfattr/getfattr command execution with base64 decoding, execution pipe patterns, and non-standard xattr namespace usage. Parent-child process correlation catches loader chains spawning interpreters after xattr reads.

Data Sources

QRadar Linux OS DSM (auditd/syslog)QRadar Apple Mac OS X DSMSysmon for Linux via QRadar Universal DSM

Required Tables

events

False Positives & Tuning

  • Package managers (brew, apt, yum) that read and write extended attributes during software installation, particularly com.apple.quarantine manipulation on macOS when clearing quarantine flags post-download
  • Backup and archiving tools (rsync, tar with xattr support, Carbon Copy Cloner) that preserve extended attributes as part of filesystem backup operations
  • Container orchestration runtimes (Docker, containerd) that use setfattr to manage overlay filesystem attributes, SELinux labels (security.selinux), or POSIX access control lists
Download portable Sigma rule (.yml)

Other platforms for T1564.014

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1macOS: Embed Base64 Payload in Extended Attribute and Execute via Bash

    Expected signal: DeviceProcessEvents (macOS Defender): (1) xattr process with ProcessCommandLine '-w user.hidden_loader <base64_string> /tmp/df00tech_xattr_carrier.txt'; (2) xattr process with ProcessCommandLine '-p user.hidden_loader /tmp/df00tech_xattr_carrier.txt'; (3) bash process spawned from the shell pipeline with the decoded command. Unified Log: xattr invocations under invoking shell process context. DeviceFileEvents: possible FileModified event for carrier file if EDR tracks xattr changes as metadata modifications.

  2. Test 2Linux: Store and Execute Payload via setfattr/getfattr in user. Namespace

    Expected signal: auditd (requires execve rule): SYSCALL execve records for setfattr (TYPE=EXECVE with a[0]='setfattr', a[1]='-n', a[2]='user.system_metadata') and getfattr (with '--only-values'). DeviceProcessEvents (Defender for Linux): setfattr process with full command line, getfattr process with --only-values flag, bash process spawned via pipe. The carrier file hash (sha256sum /tmp/df00tech_config.json) remains identical before and after setfattr — demonstrating FIM evasion.

  3. Test 3Linux: Python Loader Extracting and Executing Xattr Payload In-Memory (APT-Style Stager)

    Expected signal: auditd: setfattr execve record writing user.app_config attribute; python3 execve record with proctitle showing subprocess.check_output, getfattr, --only-values, base64.b64decode, exec(). getfattr invoked as child process of python3 (PPID of getfattr matches PID of python3). No additional file written to disk during execution — exec() runs the decoded Python code within the existing interpreter process. DeviceProcessEvents: python3 process with full command line containing all loader indicators.

  4. Test 4macOS: Verify Extended Attribute Persists Through Hash Integrity Check (FIM Evasion Proof)

    Expected signal: DeviceProcessEvents: xattr process with CommandLine '-w user.evasion_test <base64_payload> /tmp/df00tech_fim_evasion_test.txt'. DeviceFileEvents: FileModified event for the carrier file if EDR tracks EA changes as file system events (EDR-dependent). SHA256 hash: identical before and after — file integrity monitoring tools relying solely on cryptographic hashes will NOT generate an alert. This outcome is expected and demonstrates the detection gap.

Last updated: 2026-04-21 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1564.014 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1564Hide Artifacts

Related Sub-techniques

T1564.001Hidden Files and DirectoriesT1564.002Hidden UsersT1564.003Hidden WindowT1564.004NTFS File AttributesT1564.005Hidden File SystemT1564.006Run Virtual InstanceT1564.007VBA StompingT1564.008Email Hiding RulesT1564.009Resource ForkingT1564.010Process Argument SpoofingT1564.011Ignore Process InterruptsT1564.012File/Path ExclusionsT1564.013Bind Mounts

Related Techniques

T1564Hide ArtifactsT1027.011Fileless StorageT1027.009Embedded PayloadsT1059.004Unix ShellT1059.006PythonT1546.004Unix Shell Configuration ModificationT1222.002Linux and Mac File and Directory Permissions ModificationT1036MasqueradingT1140Deobfuscate/Decode Files or Information

Same Tactic: Defense Evasion

Popular Detections