T1564.009 Resource Forking Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let macOSDevices = DeviceInfo
| where OSPlatform =~ "macOS"
| project DeviceId;
DeviceProcessEvents
| where Timestamp > ago(24h)
| where DeviceId in (macOSDevices)
| where ProcessCommandLine has "..namedfork"
    or ProcessCommandLine has "com.apple.ResourceFork"
    or (FileName =~ "xattr" and ProcessCommandLine has "ResourceFork")
    or (FileName in~ ("cp", "dd", "cat") and ProcessCommandLine has "rsrc" and ProcessCommandLine has "namedfork")
    or FileName =~ "SplitForks"
    or FileName =~ "FixupResourceForks"
| extend ResourceForkWrite = (
    FileName =~ "xattr"
    and (ProcessCommandLine has "-w com.apple.ResourceFork" or ProcessCommandLine has "-wx com.apple.ResourceFork")
  )
| extend ResourceForkExtract = (
    FileName =~ "dd"
    and ProcessCommandLine has "..namedfork/rsrc"
  )
| extend ResourceForkCopy = (
    FileName =~ "cp"
    and ProcessCommandLine has "..namedfork"
  )
| extend ResourceForkDirectExec = (
    FileName in~ ("bash", "sh", "zsh", "python", "python3", "osascript")
    and ProcessCommandLine has "..namedfork"
  )
| extend SuspiciousParent = (
    InitiatingProcessFileName in~ ("bash", "sh", "zsh", "python", "python3",
                                    "ruby", "perl", "osascript", "curl", "wget",
                                    "Safari", "firefox", "chrome")
  )
| extend SuspicionScore = toint(ResourceForkWrite) + toint(ResourceForkExtract)
    + toint(ResourceForkCopy) + toint(ResourceForkDirectExec) + toint(SuspiciousParent)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ResourceForkWrite, ResourceForkExtract, ResourceForkCopy,
         ResourceForkDirectExec, SuspiciousParent, SuspicionScore
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (macOS)

Required Tables

DeviceProcessEvents DeviceInfo

False Positives

Developer build systems (Xcode, CMake, legacy Carbon application compilation) accessing resource forks for legitimate build artifact management targeting older HFS+ workflows on development workstations
macOS migration and backup utilities (Migration Assistant, Carbon Copy Cloner, rsync with -E flag) that intentionally preserve resource forks when transferring files between HFS+ volumes or creating bootable backups
Digital archival and file format compatibility tools (Stuffit Expander, BetterZip) handling legacy Mac OS 9 file formats that stored significant data in resource forks by design
macOS system command dot_clean, which removes leftover resource fork ._ files created when HFS+ volumes are accessed from non-HFS+ systems after copying from USB drives or Windows shares
Third-party endpoint security or antivirus tools that inspect extended attributes including com.apple.ResourceFork as part of file reputation or malware scanning routines

Splunk

spl

(index=osquery sourcetype="osquery:results" (name="process_events" OR name="file_events"))
| eval cmdline=coalesce('columns.cmdline', "")
| eval process_path=coalesce('columns.path', "")
| eval process_name=mvindex(split(process_path, "/"), -1)
| eval target_path=coalesce('columns.target_path', "")
| eval username=coalesce('columns.username', "unknown")
| eval parent_path=coalesce('columns.parent', "")
| where like(lower(cmdline), "%..namedfork%")
    OR like(lower(cmdline), "%com.apple.resourcefork%")
    OR like(lower(target_path), "%..namedfork%")
    OR (lower(process_name)="xattr" AND like(lower(cmdline), "%resourcefork%"))
    OR lower(process_name)="splitforks"
    OR lower(process_name)="fixupresourceforks"
| eval ResourceForkWrite=if(
    lower(process_name)="xattr"
    AND (like(lower(cmdline), "%-w com.apple.resourcefork%") OR like(lower(cmdline), "%-wx com.apple.resourcefork%")),
    1, 0)
| eval ResourceForkExtract=if(
    lower(process_name)="dd"
    AND like(lower(cmdline), "%..namedfork/rsrc%"),
    1, 0)
| eval ResourceForkCopy=if(
    lower(process_name)="cp"
    AND like(lower(cmdline), "%..namedfork%"),
    1, 0)
| eval ResourceForkDirectExec=if(
    (lower(process_name)="bash" OR lower(process_name)="sh" OR lower(process_name)="zsh"
     OR lower(process_name)="python" OR lower(process_name)="python3" OR lower(process_name)="osascript")
    AND like(lower(cmdline), "%..namedfork%"),
    1, 0)
| eval SuspiciousParent=if(
    like(lower(parent_path), "%/python%") OR like(lower(parent_path), "%/python3%")
    OR like(lower(parent_path), "%/ruby%") OR like(lower(parent_path), "%/perl%")
    OR like(lower(parent_path), "%/osascript%") OR like(lower(parent_path), "%/curl%")
    OR like(lower(parent_path), "%/wget%") OR like(lower(parent_path), "%/Safari%")
    OR like(lower(parent_path), "%/firefox%") OR like(lower(parent_path), "%/chrome%"),
    1, 0)
| eval SuspicionScore=ResourceForkWrite + ResourceForkExtract + ResourceForkCopy + ResourceForkDirectExec + SuspiciousParent
| where SuspicionScore > 0
| table _time, host, username, process_name, cmdline, parent_path, target_path, name, ResourceForkWrite, ResourceForkExtract, ResourceForkCopy, ResourceForkDirectExec, SuspiciousParent, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation File: File Access File: File Modification osquery process_events osquery file_events

Required Sourcetypes

osquery:results

False Positives

Developer build systems (Xcode, CMake, legacy Carbon application compilation) accessing resource forks for build artifact management on HFS+ volumes
macOS migration and backup utilities (Migration Assistant, Carbon Copy Cloner, rsync -E) that intentionally preserve resource forks when transferring files between HFS+ volumes
Digital archival and file format compatibility tools (Stuffit Expander, BetterZip) handling legacy Mac OS 9 file formats stored in resource forks
macOS system command dot_clean removing leftover ._ resource fork files after HFS+ to non-HFS+ cross-platform transfers
Security scanning tools or EDR agents that inspect extended attributes including ResourceFork as part of file scanning or integrity checking routines

Elastic Security (EQL)

eql

process where event.type == "start" and
  host.os.type == "macos" and
  (
    process.command_line : ("*..namedfork*","*com.apple.ResourceFork*","*/..namedfork/rsrc*") or
    (process.name == "xattr" and process.args : ("-w","-d") and
     process.args : ("com.apple.*","*HFS*")) or
    (process.name : ("python*","perl","ruby","bash","sh","zsh") and
     process.command_line : ("*xattr*","*HFS+*","*resourcefork*"))
  )

high severity medium confidence

Data Sources

macOS Process Events

Required Tables

logs-endpoint.events.process-*

False Positives

Developer build systems (Xcode, CMake, legacy Carbon application compilation) accessing resource forks for legitimate build artifact management targeting older HFS+ workflows on development workstations
macOS migration and backup utilities (Migration Assistant, Carbon Copy Cloner, rsync with -E flag) that intentionally preserve resource forks when transferring files between HFS+ volumes or creating bootable backups
Digital archival and file format compatibility tools (Stuffit Expander, BetterZip) handling legacy Mac OS 9 file formats that stored significant data in resource forks by design
macOS system command dot_clean, which removes leftover resource fork ._ files created when HFS+ volumes are accessed from non-HFS+ systems after copying from USB drives or Windows shares
Third-party endpoint security or antivirus tools that inspect extended attributes including com.apple.ResourceFork as part of file reputation or malware scanning routines

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "Image" as ProcessImage, "CommandLine" as CommandLine,
  CASE WHEN "CommandLine" ILIKE '%..namedfork%' THEN 10
       WHEN "CommandLine" ILIKE '%com.apple.ResourceFork%' THEN 10
       WHEN "Image" ILIKE '%xattr%' AND ("CommandLine" ILIKE '%-w%' OR "CommandLine" ILIKE '%-d%') THEN 7
       ELSE 5 END as RiskScore
FROM events
WHERE eventid = 1
  AND (
    "CommandLine" ILIKE '%..namedfork%'
    OR "CommandLine" ILIKE '%com.apple.ResourceFork%'
    OR "CommandLine" ILIKE '%/..namedfork/rsrc%'
    OR ("Image" ILIKE '%/xattr%' AND "CommandLine" ILIKE '%(com.apple.|HFS)%')
  )
ORDER BY RiskScore DESC, EventTime DESC

high severity medium confidence

Data Sources

Sysmon for macOS macOS Unified Log

Required Tables

events

False Positives

Developer build systems (Xcode, CMake, legacy Carbon application compilation) accessing resource forks for legitimate build artifact management targeting older HFS+ workflows on development workstations
macOS migration and backup utilities (Migration Assistant, Carbon Copy Cloner, rsync with -E flag) that intentionally preserve resource forks when transferring files between HFS+ volumes or creating bootable backups
Digital archival and file format compatibility tools (Stuffit Expander, BetterZip) handling legacy Mac OS 9 file formats that stored significant data in resource forks by design
macOS system command dot_clean, which removes leftover resource fork ._ files created when HFS+ volumes are accessed from non-HFS+ systems after copying from USB drives or Windows shares
Third-party endpoint security or antivirus tools that inspect extended attributes including com.apple.ResourceFork as part of file reputation or malware scanning routines

Sumo Logic CSE

sql

_sourceCategory=macos/endpoint
| json auto
| where EventID == "1"
| eval CmdLower = toLower(coalesce(CommandLine,""))
| eval ImageLower = toLower(coalesce(Image,""))
| eval is_namedfork = if(CmdLower matches ".*(\.\.|namedfork|com\.apple\.ResourceFork|/rsrc).*", 1, 0)
| eval is_xattr_abuse = if(ImageLower matches ".*/xattr$"
    AND (CmdLower matches ".*(-w|-d).*")
    AND CmdLower matches ".*(com\.apple\.|HFS).*", 1, 0)
| where is_namedfork == 1 OR is_xattr_abuse == 1
| eval detection_type = if(is_namedfork == 1, "Resource_Fork_Access", "XAttr_Manipulation")
| table _time, Computer, User, Image, CommandLine, ParentImage, detection_type
| sort by _time desc

high severity medium confidence

Data Sources

macOS Endpoint Events via Sumo Logic

Required Tables

macos/endpoint

False Positives

Developer build systems (Xcode, CMake, legacy Carbon application compilation) accessing resource forks for legitimate build artifact management targeting older HFS+ workflows on development workstations
macOS migration and backup utilities (Migration Assistant, Carbon Copy Cloner, rsync with -E flag) that intentionally preserve resource forks when transferring files between HFS+ volumes or creating bootable backups
Digital archival and file format compatibility tools (Stuffit Expander, BetterZip) handling legacy Mac OS 9 file formats that stored significant data in resource forks by design
macOS system command dot_clean, which removes leftover resource fork ._ files created when HFS+ volumes are accessed from non-HFS+ systems after copying from USB drives or Windows shares
Third-party endpoint security or antivirus tools that inspect extended attributes including com.apple.ResourceFork as part of file reputation or malware scanning routines

Google Chronicle / SecOps

yaral

rule macos_resource_fork_abuse {
  meta:
    author = "Detection Engineering"
    description = "Detects macOS resource fork abuse for hiding content (T1564.009)"
    severity = "HIGH"
    tactic = "TA0005"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.asset.platform_software.platform = "MAC"
    (
      re.regex($e.target.process.command_line, `\.\.\s*namedfork|com\.apple\.ResourceFork|/\.\./namedfork/rsrc`) nocase or
      (re.regex($e.target.process.file.full_path, `/xattr$`) nocase and
       re.regex($e.target.process.command_line, `com\.apple\.|HFS`) nocase)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

macOS Process Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

Developer build systems (Xcode, CMake, legacy Carbon application compilation) accessing resource forks for legitimate build artifact management targeting older HFS+ workflows on development workstations
macOS migration and backup utilities (Migration Assistant, Carbon Copy Cloner, rsync with -E flag) that intentionally preserve resource forks when transferring files between HFS+ volumes or creating bootable backups
Digital archival and file format compatibility tools (Stuffit Expander, BetterZip) handling legacy Mac OS 9 file formats that stored significant data in resource forks by design
macOS system command dot_clean, which removes leftover resource fork ._ files created when HFS+ volumes are accessed from non-HFS+ systems after copying from USB drives or Windows shares
Third-party endpoint security or antivirus tools that inspect extended attributes including com.apple.ResourceFork as part of file reputation or malware scanning routines

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| PlatformType = "3"
| (CommandLine = /(\.\.namedfork|com\.apple\.ResourceFork|\/\.\.\/namedfork\/rsrc)/i
   OR (ImageFileName = /\/xattr$/ AND CommandLine = /(-w|-d).*(com\.apple\.|HFS)/i))
| eval detection_type = case {
    CommandLine = /namedfork|ResourceFork/i : "Resource_Fork_Access";
    ImageFileName = /xattr$/ : "XAttr_Manipulation";
    * : "Fork_Abuse"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, detection_type
| sort by timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Process Events (macOS)

Required Tables

ProcessRollup2

False Positives

Developer build systems (Xcode, CMake, legacy Carbon application compilation) accessing resource forks for legitimate build artifact management targeting older HFS+ workflows on development workstations
macOS migration and backup utilities (Migration Assistant, Carbon Copy Cloner, rsync with -E flag) that intentionally preserve resource forks when transferring files between HFS+ volumes or creating bootable backups
Digital archival and file format compatibility tools (Stuffit Expander, BetterZip) handling legacy Mac OS 9 file formats that stored significant data in resource forks by design
macOS system command dot_clean, which removes leftover resource fork ._ files created when HFS+ volumes are accessed from non-HFS+ systems after copying from USB drives or Windows shares
Third-party endpoint security or antivirus tools that inspect extended attributes including com.apple.ResourceFork as part of file reputation or malware scanning routines

Resource Forking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections