Detect Resource Forking in Elastic Security
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code. Resource forks have been deprecated and replaced with the application bundle structure. Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated or encrypted until execution. Real-world malware families Keydnap (which used resource forks to present benign JPEG/text file icons while concealing executables) and OSX/Shlayer (which hid compressed binary payloads in resource forks to evade Finder, terminal display, and traditional scanners) have demonstrated active exploitation of this technique in live campaigns targeting macOS users.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.009 Resource Forking
- Canonical reference
- https://attack.mitre.org/techniques/T1564/009/
Elastic Detection Query
process where event.type == "start" and
host.os.type == "macos" and
(
process.command_line : ("*..namedfork*","*com.apple.ResourceFork*","*/..namedfork/rsrc*") or
(process.name == "xattr" and process.args : ("-w","-d") and
process.args : ("com.apple.*","*HFS*")) or
(process.name : ("python*","perl","ruby","bash","sh","zsh") and
process.command_line : ("*xattr*","*HFS+*","*resourcefork*"))
)Detects macOS resource fork and named fork abuse for hiding malicious content on HFS+ file systems.
Data Sources
Required Tables
False Positives & Tuning
- Developer build systems (Xcode, CMake, legacy Carbon application compilation) accessing resource forks for legitimate build artifact management targeting older HFS+ workflows on development workstations
- macOS migration and backup utilities (Migration Assistant, Carbon Copy Cloner, rsync with -E flag) that intentionally preserve resource forks when transferring files between HFS+ volumes or creating bootable backups
- Digital archival and file format compatibility tools (Stuffit Expander, BetterZip) handling legacy Mac OS 9 file formats that stored significant data in resource forks by design
- macOS system command dot_clean, which removes leftover resource fork ._ files created when HFS+ volumes are accessed from non-HFS+ systems after copying from USB drives or Windows shares
- Third-party endpoint security or antivirus tools that inspect extended attributes including com.apple.ResourceFork as part of file reputation or malware scanning routines
Other platforms for T1564.009
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Write Shell Script Payload to Resource Fork via xattr
Expected signal: osquery process_events: xattr process with cmdline containing '-w com.apple.ResourceFork' and '/tmp/df00tech_innocent.jpg'. MDE DeviceProcessEvents: FileName=xattr, ProcessCommandLine contains 'com.apple.ResourceFork' and '-w'. The file /tmp/df00tech_innocent.jpg will show a non-zero ResourceFork attribute when inspected with 'xattr -l /tmp/df00tech_innocent.jpg' and the '@' size indicator with 'ls -l@ /tmp/df00tech_innocent.jpg'.
- Test 2Extract Resource Fork Content Using dd Named Fork Path
Expected signal: osquery process_events: Two sequential dd events — first with cmdline containing 'of=.../..namedfork/rsrc' (write to resource fork) and second with cmdline containing 'if=.../..namedfork/rsrc' (read/extract from resource fork). MDE DeviceProcessEvents: FileName=dd, ProcessCommandLine contains '..namedfork/rsrc' for both events. DeviceFileEvents may capture file activity against the ..namedfork/rsrc path.
- Test 3Full Resource Fork Payload Extraction and Execution Chain
Expected signal: osquery process_events sequence: (1) dd with 'of=.../..namedfork/rsrc' writing payload, (2) dd with 'if=.../..namedfork/rsrc of=/tmp/df00tech_stage2' extracting payload, (3) chmod with '+x /tmp/df00tech_stage2', (4) execution of /tmp/df00tech_stage2 from /tmp directory with no application bundle context. MDE DeviceProcessEvents: ResourceForkExtract=true for the dd read, followed within 5 minutes by chmod and then execution of an extracted binary from /tmp.
- Test 4Resource Fork Reconnaissance via xattr and ls Extended Attribute Listing
Expected signal: osquery process_events: Multiple ls events with cmdline containing '-l@' and multiple xattr events with cmdline containing '-l', all within a short time window. MDE DeviceProcessEvents: FileName=ls with ProcessCommandLine containing '-l@' and FileName=xattr with ProcessCommandLine containing '-l' (read-only). No write indicators present — this test exercises reconnaissance detection only.
References (10)
- https://attack.mitre.org/techniques/T1564/009/
- https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/
- https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html
- https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/
- https://flylib.com/books/en/4.395.1.192/1/
- http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.009/T1564.009.md
- https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html
- https://osquery.io/schema/5.10.2/#process_events
Unlock Pro Content
Get the full detection package for T1564.009 including response playbook, investigation guide, and atomic red team tests.