Detect Resource Forking in Microsoft Sentinel
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code. Resource forks have been deprecated and replaced with the application bundle structure. Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated or encrypted until execution. Real-world malware families Keydnap (which used resource forks to present benign JPEG/text file icons while concealing executables) and OSX/Shlayer (which hid compressed binary payloads in resource forks to evade Finder, terminal display, and traditional scanners) have demonstrated active exploitation of this technique in live campaigns targeting macOS users.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.009 Resource Forking
- Canonical reference
- https://attack.mitre.org/techniques/T1564/009/
KQL Detection Query
let macOSDevices = DeviceInfo
| where OSPlatform =~ "macOS"
| project DeviceId;
DeviceProcessEvents
| where Timestamp > ago(24h)
| where DeviceId in (macOSDevices)
| where ProcessCommandLine has "..namedfork"
or ProcessCommandLine has "com.apple.ResourceFork"
or (FileName =~ "xattr" and ProcessCommandLine has "ResourceFork")
or (FileName in~ ("cp", "dd", "cat") and ProcessCommandLine has "rsrc" and ProcessCommandLine has "namedfork")
or FileName =~ "SplitForks"
or FileName =~ "FixupResourceForks"
| extend ResourceForkWrite = (
FileName =~ "xattr"
and (ProcessCommandLine has "-w com.apple.ResourceFork" or ProcessCommandLine has "-wx com.apple.ResourceFork")
)
| extend ResourceForkExtract = (
FileName =~ "dd"
and ProcessCommandLine has "..namedfork/rsrc"
)
| extend ResourceForkCopy = (
FileName =~ "cp"
and ProcessCommandLine has "..namedfork"
)
| extend ResourceForkDirectExec = (
FileName in~ ("bash", "sh", "zsh", "python", "python3", "osascript")
and ProcessCommandLine has "..namedfork"
)
| extend SuspiciousParent = (
InitiatingProcessFileName in~ ("bash", "sh", "zsh", "python", "python3",
"ruby", "perl", "osascript", "curl", "wget",
"Safari", "firefox", "chrome")
)
| extend SuspicionScore = toint(ResourceForkWrite) + toint(ResourceForkExtract)
+ toint(ResourceForkCopy) + toint(ResourceForkDirectExec) + toint(SuspiciousParent)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
ResourceForkWrite, ResourceForkExtract, ResourceForkCopy,
ResourceForkDirectExec, SuspiciousParent, SuspicionScore
| sort by Timestamp descDetects resource fork manipulation and abuse on macOS endpoints monitored by Microsoft Defender for Endpoint. Scopes queries to macOS devices via DeviceInfo join, since resource forks are a macOS-exclusive filesystem feature. Identifies four primary abuse patterns: (1) writing executable payloads to a file's com.apple.ResourceFork extended attribute via xattr, (2) extracting resource fork content with dd using the ..namedfork/rsrc path notation, (3) copying resource fork data with cp, and (4) direct execution via shells referencing the ..namedfork path. A five-factor suspicion score (write, extract, copy, direct execution, suspicious parent) helps analysts prioritize alerts with multiple concurrent indicators.
Data Sources
Required Tables
False Positives & Tuning
- Developer build systems (Xcode, CMake, legacy Carbon application compilation) accessing resource forks for legitimate build artifact management targeting older HFS+ workflows on development workstations
- macOS migration and backup utilities (Migration Assistant, Carbon Copy Cloner, rsync with -E flag) that intentionally preserve resource forks when transferring files between HFS+ volumes or creating bootable backups
- Digital archival and file format compatibility tools (Stuffit Expander, BetterZip) handling legacy Mac OS 9 file formats that stored significant data in resource forks by design
- macOS system command dot_clean, which removes leftover resource fork ._ files created when HFS+ volumes are accessed from non-HFS+ systems after copying from USB drives or Windows shares
- Third-party endpoint security or antivirus tools that inspect extended attributes including com.apple.ResourceFork as part of file reputation or malware scanning routines
Other platforms for T1564.009
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Write Shell Script Payload to Resource Fork via xattr
Expected signal: osquery process_events: xattr process with cmdline containing '-w com.apple.ResourceFork' and '/tmp/df00tech_innocent.jpg'. MDE DeviceProcessEvents: FileName=xattr, ProcessCommandLine contains 'com.apple.ResourceFork' and '-w'. The file /tmp/df00tech_innocent.jpg will show a non-zero ResourceFork attribute when inspected with 'xattr -l /tmp/df00tech_innocent.jpg' and the '@' size indicator with 'ls -l@ /tmp/df00tech_innocent.jpg'.
- Test 2Extract Resource Fork Content Using dd Named Fork Path
Expected signal: osquery process_events: Two sequential dd events — first with cmdline containing 'of=.../..namedfork/rsrc' (write to resource fork) and second with cmdline containing 'if=.../..namedfork/rsrc' (read/extract from resource fork). MDE DeviceProcessEvents: FileName=dd, ProcessCommandLine contains '..namedfork/rsrc' for both events. DeviceFileEvents may capture file activity against the ..namedfork/rsrc path.
- Test 3Full Resource Fork Payload Extraction and Execution Chain
Expected signal: osquery process_events sequence: (1) dd with 'of=.../..namedfork/rsrc' writing payload, (2) dd with 'if=.../..namedfork/rsrc of=/tmp/df00tech_stage2' extracting payload, (3) chmod with '+x /tmp/df00tech_stage2', (4) execution of /tmp/df00tech_stage2 from /tmp directory with no application bundle context. MDE DeviceProcessEvents: ResourceForkExtract=true for the dd read, followed within 5 minutes by chmod and then execution of an extracted binary from /tmp.
- Test 4Resource Fork Reconnaissance via xattr and ls Extended Attribute Listing
Expected signal: osquery process_events: Multiple ls events with cmdline containing '-l@' and multiple xattr events with cmdline containing '-l', all within a short time window. MDE DeviceProcessEvents: FileName=ls with ProcessCommandLine containing '-l@' and FileName=xattr with ProcessCommandLine containing '-l' (read-only). No write indicators present — this test exercises reconnaissance detection only.
References (10)
- https://attack.mitre.org/techniques/T1564/009/
- https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/
- https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html
- https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/
- https://flylib.com/books/en/4.395.1.192/1/
- http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.009/T1564.009.md
- https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html
- https://osquery.io/schema/5.10.2/#process_events
Unlock Pro Content
Get the full detection package for T1564.009 including response playbook, investigation guide, and atomic red team tests.