title: Extended Attributes (T1564.014)
id: df00tech-t1564-014
status: experimental
description: "Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide malicious data and evade detection. Extended attributes are key-value pairs of metadata attached to files and directories that are invisible to standard tools like ls, cat, and Finder. They require dedicated utilities — xattr on macOS, or getfattr/setfattr on Linux — for inspection. An adversary embeds a Base64-encoded second-stage payload into an xattr of a legitimate file (using xattr -w on macOS or setfattr on Linux), then a loader script retrieves the attribute value, decodes it, and pipes it to a scripting interpreter (bash, python, etc.) for execution. Because the primary file content and cryptographic hash remain unchanged, file integrity monitoring and hash-based detection will not flag the carrier file. This technique has been observed in Lazarus Group (APT38) campaigns where custom xattr names mimicking system attributes were used to store encrypted shellcode."
references:
  - https://attack.mitre.org/techniques/T1564/014/
  - https://df00tech.com/detections/T1564.014
author: df00tech
date: 2026/04/21
tags:
  - attack.t1564.014
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "macOS Gatekeeper and Spotlight legitimately use com.apple.quarantine, com.apple.metadata:*, and com.apple.FinderInfo attributes — excluded by the NonStandardNamespace filter"
  - "Backup and archiving tools (rsync --xattrs, tar --xattrs, macOS Time Machine) regularly read and write extended attributes during scheduled backup operations"
  - "File tagging applications and Digital Asset Management (DAM) software write custom xattrs for organizational metadata and workflow state"
  - "Container runtimes (Docker overlay2, Podman) and package managers use trusted. namespace attributes on Linux for filesystem layer tracking"
  - "Security baseline scanning tools (AIDE, Tripwire) reading all file metadata including xattrs during scheduled integrity baseline runs"
level: high
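Because the detection block above could not be translated, here is an added defender-side example (not part of the df00tech rule or the MITRE page) that implements the hunting logic the description implies. It parses the dump that `getfattr -d -m - -R <dir>` produces on Linux and flags attributes that match the patterns the description names: a custom name that mimics a system attribute namespace, a text value that is itself Base64 and decodes to an interpreter script, and a large high-entropy blob of the kind used for encrypted content. The allowlist combines the benign names from the falsepositives section with a few common Linux system attributes (security.selinux, security.capability, trusted.overlay.*); the sample dump, its file paths and attribute values are constructed, and the size and entropy thresholds are assumptions to tune per environment.

```python
"""Triage a Linux `getfattr -d -m - -R <dir>` dump for xattrs that look like hidden
payloads (T1564.014). Added example; all sample data below is constructed."""
import base64
import math
import re
from collections import Counter, namedtuple

# Names the rule's falsepositives list calls benign, plus common Linux system
# attributes. Assumption: extend per environment.
BENIGN_EXACT = {"com.apple.quarantine", "com.apple.FinderInfo",
                "security.selinux", "security.capability"}
BENIGN_PREFIXES = ("com.apple.metadata:", "trusted.overlay.", "system.posix_acl_")
SYSTEM_TOKENS = ("com.apple.", "security.", "trusted.", "system.")  # mimicry targets
LARGE_VALUE = 256   # bytes; assumed threshold
HIGH_ENTROPY = 7.0  # bits per byte; assumed threshold
ATTR_RE = re.compile(r"^([^=\s]+)=(.*)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
Finding = namedtuple("Finding", "path name size reasons")

def decode_value(raw: str) -> bytes:
    """getfattr prints printable values as "text" (octal escapes), others as 0s<b64>/0x<hex>."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].encode("utf-8").decode("unicode_escape").encode("latin-1")
    if raw.startswith("0s"):
        return base64.b64decode(raw[2:], validate=True)
    if raw.startswith("0x"):
        return bytes.fromhex(raw[2:])
    raise ValueError(f"unrecognised getfattr value encoding: {raw[:10]!r}")

def parse_dump(text: str) -> dict:
    """Return {path: {attr_name: value_bytes}} from a getfattr dump."""
    files, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            current = line[len("# file: "):]
            files[current] = {}
        elif current is not None and (m := ATTR_RE.match(line)):
            files[current][m.group(1)] = decode_value(m.group(2))
    return files

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def base64_payload(value: bytes):
    """Decode a text value that is itself Base64 (the loader pattern); None otherwise."""
    try:
        s = "".join(value.decode("ascii").split())
        if len(s) < 32 or len(s) % 4 or not B64_RE.match(s):
            return None
        return base64.b64decode(s, validate=True)
    except ValueError:  # non-ASCII bytes or invalid Base64
        return None

def mimics_system_name(name: str) -> bool:
    ns, _, rest = name.partition(".")
    return ns == "user" and rest.startswith(SYSTEM_TOKENS)

def triage(dump_text: str) -> list:
    """Return one Finding per non-allowlisted attribute that trips a heuristic."""
    findings = []
    for path, attrs in parse_dump(dump_text).items():
        for name, value in attrs.items():
            if name in BENIGN_EXACT or name.startswith(BENIGN_PREFIXES):
                continue
            reasons = []
            if mimics_system_name(name):
                reasons.append("name mimics a system attribute namespace")
            payload = base64_payload(value) or value
            if payload.startswith(b"#!"):
                reasons.append("value decodes to a script with an interpreter shebang")
            if len(value) >= LARGE_VALUE:
                reasons.append(f"large value ({len(value)} bytes)")
            if len(payload) >= 64 and shannon_entropy(payload) > HIGH_ENTROPY:
                reasons.append("high-entropy blob (possible encrypted content)")
            if reasons:
                findings.append(Finding(path, name, len(value), reasons))
    return findings

# Constructed sample: two benign files, a script stored under a name imitating a
# macOS system attribute, and an opaque blob standing in for encrypted data.
PLACEHOLDER_SCRIPT = b'#!/bin/sh\necho "constructed second-stage placeholder"\n'
OPAQUE_BLOB = bytes(range(256))  # every byte value once: 8.0 bits/byte
SAMPLE_DUMP = f"""\
# file: /usr/share/doc/README
user.comment="installed by package"
security.selinux="system_u:object_r:usr_t:s0"
# file: /var/lib/containers/storage/overlay/l1/diff/etc
trusted.overlay.opaque="y"
# file: /usr/local/bin/helper
user.com.apple.quarantine="{base64.b64encode(PLACEHOLDER_SCRIPT).decode()}"
# file: /opt/vendor/lib/libfoo.so
user.mime_type=0s{base64.b64encode(OPAQUE_BLOB).decode()}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f"{f.path} [{f.name}, {f.size} B]: " + "; ".join(f.reasons))
```

The parser is specific to the getfattr dump format; macOS `xattr -l` prints attributes differently, but the same heuristics apply once names and values are extracted. Running the script against a real dump reports only the two constructed carrier files: the overlay and README attributes fall through the allowlist, which is where the falsepositives above should be encoded before deploying this in a scheduled scan.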
