title: NTFS File Attributes (T1564.004)
id: df00tech-t1564-004
status: experimental
description: "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) with a record for every file and directory. A file can carry multiple data streams: the primary, unnamed $DATA stream that normal tools read, and additional named $DATA streams known as Alternate Data Streams (ADS). Adversaries use ADS to hide payloads (e.g., storing malware in 'legitimate.txt:hidden_payload.exe'), since standard Windows tools do not display ADS content. The Regin rootkit, APT32, Valak, and LoJax have all used NTFS ADS for payload storage and evasion."
references:
  - https://attack.mitre.org/techniques/T1564/004/
  - https://df00tech.com/detections/T1564.004
author: df00tech
date: 2026/04/21
tags:
  - attack.t1564.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Zone.Identifier ADS stream automatically added by Windows on files downloaded from the internet (Mark of the Web) — this is the most common legitimate ADS
  - Some legitimate software that uses ADS for storing metadata or licensing information
  - Security tools and forensic utilities that read or write ADS for analysis purposes
  - macOS compatibility layers that use resource forks stored as ADS streams on NTFS
level: high
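The placeholder selection above matches every process_creation event, so the rule says nothing about what an ADS detection actually keys on. As an added example (not part of this rule and not df00tech's published KQL/SPL query), the following Python scans constructed process_creation events for command lines that reference an Alternate Data Stream, either as `file.ext:stream` or through PowerShell's `-Stream` parameter, and discards references to the Zone.Identifier stream that the false-positives list calls out. Field names (Image, CommandLine) follow the Sigma process_creation taxonomy; the user paths, stream names and the "payload extension" list are assumptions chosen for the demonstration.

```python
"""Flag process_creation events whose command line touches an NTFS
Alternate Data Stream, while tolerating the Zone.Identifier (Mark of the
Web) stream that Windows adds to every downloaded file.

Added example: field names follow the Sigma process_creation taxonomy and
every event in SAMPLE_EVENTS is constructed for the demonstration.
"""
import re

# Streams Windows creates itself; reading or removing them is routine.
BENIGN_STREAMS = {"zone.identifier"}

# Extensions that make a hidden stream look like a payload rather than metadata
# (assumed list; tune it to your environment).
PAYLOAD_EXT = (".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".scr", ".hta")

# file.ext:stream  -  a Windows file name (optionally with drive and directories)
# immediately followed by ':' and a stream name.  Stream names cannot contain
# path separators, and the look-behind stops matches starting mid-token, so
# drive letters (C:\...) and URLs (https://host:443/...) do not match.
ADS_PATH_RE = re.compile(
    r'(?<![\w/.\-])'
    r'(?P<file>(?:[A-Za-z]:)?(?:[^\s:"\'<>|/]*\\)?[^\s:"\'<>|\\/]+\.[A-Za-z0-9]{1,5})'
    r':(?P<stream>[A-Za-z0-9_.$\-]+)'
    r'(?::\$DATA)?',
    re.IGNORECASE,
)

# PowerShell's FileSystem provider exposes streams through -Stream on
# Get-Content/Set-Content/Add-Content/Get-Item/Remove-Item.
PS_STREAM_RE = re.compile(r'-Stream\s+["\']?(?P<stream>[A-Za-z0-9_.$\-]+)', re.IGNORECASE)

# "dir /R" lists streams; it is enumeration rather than use, so it rates low.
DIR_R_RE = re.compile(r'\bdir\b[^|&]*\s/R\b', re.IGNORECASE)


def classify(event):
    """Return an alert dict for one event, or None if nothing stands out."""
    cmd = event.get("CommandLine", "")
    streams = [m.group("stream") for m in ADS_PATH_RE.finditer(cmd)]
    streams += [m.group("stream") for m in PS_STREAM_RE.finditer(cmd)]
    # Drop the Mark-of-the-Web stream; keep anything else that was referenced.
    suspicious = [s for s in streams if s.lower() not in BENIGN_STREAMS]
    if suspicious:
        severity = "high" if any(s.lower().endswith(PAYLOAD_EXT) for s in suspicious) else "medium"
        return {"rule": "ads_reference", "severity": severity,
                "streams": suspicious, "Image": event.get("Image", "")}
    if DIR_R_RE.search(cmd):
        return {"rule": "ads_enumeration", "severity": "low", "streams": [],
                "Image": event.get("Image", "")}
    return None


def scan_events(events):
    """Run classify() over an event feed and return only the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


# Constructed sample feed: three ADS uses, two benign Zone.Identifier touches,
# a URL with a port (must not match) and a stream listing.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type C:\Users\bob\Downloads\update.dll > C:\Users\bob\Documents\notes.txt:update.dll"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic process call create "C:\Users\bob\Documents\notes.txt:update.dll"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoP -c "Get-Content C:\Users\bob\Documents\notes.txt -Stream update"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Remove-Item C:\Users\bob\Downloads\setup.exe -Stream Zone.Identifier"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c more < C:\Users\bob\Downloads\setup.exe:Zone.Identifier"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://example.com:8443/index.html'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir /R C:\Users\bob\Downloads"},
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["severity"], alert["rule"], alert["streams"], alert["Image"])
```

Run against the sample feed, the two `notes.txt:update.dll` events and the `-Stream update` read produce alerts, the two Zone.Identifier touches and the URL with a port are silent, and `dir /R` surfaces only as a low-severity enumeration hit. The same three regexes map directly onto a Sigma `CommandLine|re` selection with a `filter` on Zone.Identifier, which is the shape this rule's detection block would take once the placeholder is replaced.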
