← Back to ATT&CK index
T1564.004sub-technique
Hide Artifacts: NTFS File Attributes
View on attack.mitre.org →4 syscalls implement this technique
- NtQueryInformationFile
Reads metadata about an open file — timestamps, size, EAs, streams, reparse points and more.
- NtFsControlFile
Sends FSCTL codes to a filesystem — used to plant reparse points, access ADS, and abuse junction traversal.
- NtSetEaFile
Writes NTFS extended attributes (EAs) attached to a file handle.
- NtQueryEaFile
Reads NTFS extended attributes (EAs) from a file handle, optionally filtered or paged.