Detect Resource Forking in Splunk
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code. Resource forks have been deprecated and replaced with the application bundle structure. Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated or encrypted until execution. Real-world malware families Keydnap (which used resource forks to present benign JPEG/text file icons while concealing executables) and OSX/Shlayer (which hid compressed binary payloads in resource forks to evade Finder, terminal display, and traditional scanners) have demonstrated active exploitation of this technique in live campaigns targeting macOS users.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1564 Hide Artifacts
- Sub-technique: T1564.009 Resource Forking
- Canonical reference: https://attack.mitre.org/techniques/T1564/009/
SPL Detection Query
(index=osquery sourcetype="osquery:results" (name="process_events" OR name="file_events"))
| eval cmdline=coalesce('columns.cmdline', "")
| eval process_path=coalesce('columns.path', "")
| eval process_name=mvindex(split(process_path, "/"), -1)
| eval target_path=coalesce('columns.target_path', "")
| eval username=coalesce('columns.username', "unknown")
| eval parent_path=coalesce('columns.parent', "")
| where like(lower(cmdline), "%..namedfork%")
OR like(lower(cmdline), "%com.apple.resourcefork%")
OR like(lower(target_path), "%..namedfork%")
OR (lower(process_name)="xattr" AND like(lower(cmdline), "%resourcefork%"))
OR lower(process_name)="splitforks"
OR lower(process_name)="fixupresourceforks"
| eval ResourceForkWrite=if(
lower(process_name)="xattr"
AND (like(lower(cmdline), "%-w com.apple.resourcefork%") OR like(lower(cmdline), "%-wx com.apple.resourcefork%")),
1, 0)
| eval ResourceForkExtract=if(
lower(process_name)="dd"
AND like(lower(cmdline), "%..namedfork/rsrc%"),
1, 0)
| eval ResourceForkCopy=if(
lower(process_name)="cp"
AND like(lower(cmdline), "%..namedfork%"),
1, 0)
| eval ResourceForkDirectExec=if(
(lower(process_name)="bash" OR lower(process_name)="sh" OR lower(process_name)="zsh"
OR lower(process_name)="python" OR lower(process_name)="python3" OR lower(process_name)="osascript")
AND like(lower(cmdline), "%..namedfork%"),
1, 0)
| eval SuspiciousParent=if(
like(lower(parent_path), "%/python%") OR like(lower(parent_path), "%/python3%")
OR like(lower(parent_path), "%/ruby%") OR like(lower(parent_path), "%/perl%")
OR like(lower(parent_path), "%/osascript%") OR like(lower(parent_path), "%/curl%")
OR like(lower(parent_path), "%/wget%") OR like(lower(parent_path), "%/Safari%")
OR like(lower(parent_path), "%/firefox%") OR like(lower(parent_path), "%/chrome%"),
1, 0)
| eval ResourceForkFileEvent=if(name="file_events" AND like(lower(target_path), "%..namedfork%"), 1, 0)
| eval SuspicionScore=ResourceForkWrite + ResourceForkExtract + ResourceForkCopy + ResourceForkDirectExec + SuspiciousParent + ResourceForkFileEvent
| where SuspicionScore > 0
| table _time, host, username, process_name, cmdline, parent_path, target_path, name, ResourceForkWrite, ResourceForkExtract, ResourceForkCopy, ResourceForkDirectExec, SuspiciousParent, ResourceForkFileEvent, SuspicionScore
| sort - _time

Detects macOS resource fork abuse using osquery process_events and file_events telemetry forwarded to Splunk via Fleet or Kolide. Evaluates command lines for the ..namedfork/rsrc path notation (the macOS named-fork path syntax for addressing a file's resource fork), xattr commands writing com.apple.ResourceFork, dd/cp commands reading from or writing to resource fork paths, and shell or interpreter invocations that reference named fork paths. A suspicion score, aligned with the KQL detection for this technique, sums the indicator flags so that events with several concurrent indicators sort to the top. The ResourceForkFileEvent flag exists because file_events rows carry only a target_path and no process path or command line: without it they pass the first-stage filter but can never score above zero and are silently dropped. Requires osquery configured with process_events and file_events scheduled queries on macOS endpoints. Note that osquery's process_events table exposes the parent only as a PID (the parent column) and the user only as a uid; the parent_path and username fields this query reads must be populated by the forwarding pipeline (Fleet/Kolide enrichment or a Splunk lookup), otherwise SuspiciousParent never fires and username always falls back to "unknown".
False Positives & Tuning
- Developer build systems (Xcode, CMake, legacy Carbon application compilation) accessing resource forks for build artifact management on HFS+ volumes
- macOS migration and backup utilities (Migration Assistant, Carbon Copy Cloner, rsync -E) that intentionally preserve resource forks when transferring files between HFS+ volumes
- Digital archival and file format compatibility tools (Stuffit Expander, BetterZip) handling legacy Mac OS 9 file formats stored in resource forks
- macOS system command dot_clean removing leftover ._ resource fork files after HFS+ to non-HFS+ cross-platform transfers
- Security scanning tools or EDR agents that inspect extended attributes including ResourceFork as part of file scanning or integrity checking routines
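The SPL scoring model above, together with the false-positive sources just listed, as an added Python example that is not part of the original page or its detection package. It re-implements the stage-one filter and the per-event flags over osquery result JSON lines so the logic can be unit-tested offline, adds a ResourceForkFileEvent flag so file_events rows (which carry only target_path) can score, and applies a parent-path allowlist for the backup and migration tools named in the tuning list. The sample events, host names, user names and the allowlist fragments are constructed for illustration; `columns.parent_path` and `columns.username` are assumed to be enrichment fields added by the forwarding pipeline, since osquery's own process_events table only carries a parent PID and a uid.

```python
"""Added example: the SPL suspicion-scoring model in Python over osquery result lines.
Not from the original page. parent_path/username are assumed enrichment fields."""
import json
from typing import Dict, List, Optional, Tuple

SHELLS = {"bash", "sh", "zsh", "python", "python3", "osascript"}
SUSPICIOUS_PARENTS = ("python", "python3", "ruby", "perl", "osascript",
                      "curl", "wget", "safari", "firefox", "chrome")
# Tuning allowlist (assumed fragments): parent paths of tools from the
# false-positive list that legitimately copy or preserve resource forks.
BENIGN_PARENTS = ("carbon copy cloner", "migration assistant", "dot_clean")

# Constructed sample "osquery:results" lines; paths, hosts and users are made up.
SAMPLE_LINES = [
    json.dumps({"name": "process_events", "hostIdentifier": "mac-01", "columns": {
        "path": "/usr/bin/xattr",
        "cmdline": "xattr -w com.apple.ResourceFork hello /tmp/df00tech_innocent.jpg",
        "parent_path": "/usr/bin/python3", "username": "alice"}}),
    json.dumps({"name": "process_events", "hostIdentifier": "mac-01", "columns": {
        "path": "/bin/dd",
        "cmdline": "dd if=/tmp/df00tech_innocent.jpg/..namedfork/rsrc of=/tmp/df00tech_stage2",
        "parent_path": "/bin/zsh", "username": "alice"}}),
    json.dumps({"name": "file_events", "hostIdentifier": "mac-02", "columns": {
        "target_path": "/Volumes/HFS/legacy.doc/..namedfork/rsrc", "action": "UPDATED"}}),
    json.dumps({"name": "process_events", "hostIdentifier": "mac-02", "columns": {
        "path": "/bin/cp",
        "cmdline": "cp /Volumes/HFS/legacy.doc/..namedfork/rsrc /Volumes/Backup/legacy.rsrc",
        "parent_path": "/Applications/Carbon Copy Cloner.app/Contents/MacOS/Carbon Copy Cloner",
        "username": "bob"}}),
    json.dumps({"name": "process_events", "hostIdentifier": "mac-02", "columns": {
        "path": "/bin/ls", "cmdline": "ls -l /tmp", "parent_path": "/bin/zsh", "username": "bob"}}),
]


def score_event(event: Dict) -> Optional[Dict]:
    """Return the flag vector for one event, or None if it fails the stage-one filter."""
    cols = event.get("columns", {})
    cmdline = cols.get("cmdline", "").lower()
    process_name = cols.get("path", "").rsplit("/", 1)[-1].lower()
    target_path = cols.get("target_path", "").lower()
    parent_path = cols.get("parent_path", "").lower()

    # Stage one: mirrors the SPL `where` clause.
    if not ("..namedfork" in cmdline or "com.apple.resourcefork" in cmdline
            or "..namedfork" in target_path
            or (process_name == "xattr" and "resourcefork" in cmdline)
            or process_name in ("splitforks", "fixupresourceforks")):
        return None

    flags = {
        "ResourceForkWrite": int(process_name == "xattr" and (
            "-w com.apple.resourcefork" in cmdline or "-wx com.apple.resourcefork" in cmdline)),
        "ResourceForkExtract": int(process_name == "dd" and "..namedfork/rsrc" in cmdline),
        "ResourceForkCopy": int(process_name == "cp" and "..namedfork" in cmdline),
        "ResourceForkDirectExec": int(process_name in SHELLS and "..namedfork" in cmdline),
        "SuspiciousParent": int(any(("/" + p) in parent_path for p in SUSPICIOUS_PARENTS)),
        # Extra flag so file_events rows (no cmdline or path) can score on target_path.
        "ResourceForkFileEvent": int(event.get("name") == "file_events" and "..namedfork" in target_path),
    }
    return {
        "host": event.get("hostIdentifier", ""),
        "username": cols.get("username", "unknown"),
        "process_name": process_name,
        "cmdline": cols.get("cmdline", ""),
        "parent_path": cols.get("parent_path", ""),
        "target_path": cols.get("target_path", ""),
        **flags,
        "SuspicionScore": sum(flags.values()),
    }


def run_detection(lines: List[str], allowlist=BENIGN_PARENTS) -> Tuple[List[Dict], List[Dict]]:
    """Score every line; return (alerts, suppressed). Suppressed rows matched the allowlist."""
    alerts, suppressed = [], []
    for line in lines:
        row = score_event(json.loads(line))
        if row is None or row["SuspicionScore"] <= 0:
            continue
        if any(b in row["parent_path"].lower() for b in allowlist):
            suppressed.append(row)   # keep for audit instead of silently dropping
        else:
            alerts.append(row)
    alerts.sort(key=lambda r: r["SuspicionScore"], reverse=True)
    return alerts, suppressed


if __name__ == "__main__":
    hits, quiet = run_detection(SAMPLE_LINES)
    for r in hits:
        print(r["SuspicionScore"], r["host"], r["process_name"] or r["target_path"], r["cmdline"])
    print(f"{len(quiet)} event(s) suppressed by allowlist")
```

Running the block alerts on the xattr write (score 2, because the python3 parent also fires), the dd extraction and the bare file_events row (score 1 each), suppresses the cp issued by the backup tool, and never scores the plain ls. Suppressed rows are returned rather than discarded so a tuning change can be audited.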
Testing Methodology
Validate this detection against four Atomic Red Team test cases for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Write Shell Script Payload to Resource Fork via xattr
  Expected signal: osquery process_events: xattr process with cmdline containing '-w com.apple.ResourceFork' and '/tmp/df00tech_innocent.jpg'. MDE DeviceProcessEvents: FileName=xattr, ProcessCommandLine contains 'com.apple.ResourceFork' and '-w'. The file /tmp/df00tech_innocent.jpg will show a non-zero ResourceFork attribute when inspected with 'xattr -l /tmp/df00tech_innocent.jpg' and the '@' size indicator with 'ls -l@ /tmp/df00tech_innocent.jpg'.
- Test 2: Extract Resource Fork Content Using dd Named Fork Path
  Expected signal: osquery process_events: two sequential dd events, the first with cmdline containing 'of=.../..namedfork/rsrc' (write to resource fork) and the second with cmdline containing 'if=.../..namedfork/rsrc' (read/extract from resource fork). MDE DeviceProcessEvents: FileName=dd, ProcessCommandLine contains '..namedfork/rsrc' for both events. DeviceFileEvents may capture file activity against the ..namedfork/rsrc path.
- Test 3: Full Resource Fork Payload Extraction and Execution Chain
  Expected signal: osquery process_events sequence: (1) dd with 'of=.../..namedfork/rsrc' writing payload, (2) dd with 'if=.../..namedfork/rsrc of=/tmp/df00tech_stage2' extracting payload, (3) chmod with '+x /tmp/df00tech_stage2', (4) execution of /tmp/df00tech_stage2 from the /tmp directory with no application bundle context. MDE DeviceProcessEvents: ResourceForkExtract=true for the dd read, followed within 5 minutes by chmod and then execution of an extracted binary from /tmp.
- Test 4: Resource Fork Reconnaissance via xattr and ls Extended Attribute Listing
  Expected signal: osquery process_events: multiple ls events with cmdline containing '-l@' and multiple xattr events with cmdline containing '-l', all within a short time window. MDE DeviceProcessEvents: FileName=ls with ProcessCommandLine containing '-l@' and FileName=xattr with ProcessCommandLine containing '-l' (read-only). No write indicators present; this test exercises reconnaissance detection only.
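The Test 3 expected signal is a sequence rather than a single event: a dd read from a ..namedfork/rsrc path, then chmod +x on dd's output file, then execution of that file from /tmp within 5 minutes. The per-event SPL query above flags only the dd step, so the following added Python example (not from the original page or its detection package) correlates the three steps per host from osquery process_events records. The events, hosts and timestamps are constructed: one host completes the chain inside the window, one executes the payload only after the window has expired, and one never runs chmod; only the first should be reported. The `hostIdentifier` and `columns.time` fields are the ones osquery emits in result lines.

```python
"""Added example: correlate extract -> chmod -> exec from osquery process_events.
Not from the original page; sample events and timestamps are constructed."""
import re
from collections import defaultdict
from typing import Dict, List

WINDOW_SECONDS = 300                      # the 5-minute window from the expected signal
OF_RE = re.compile(r"\bof=(\S+)")
IF_RE = re.compile(r"\bif=(\S+)")


def _ev(host: str, t: int, path: str, cmdline: str) -> Dict:
    """Build a minimal osquery process_events result record (constructed data)."""
    return {"name": "process_events", "hostIdentifier": host,
            "columns": {"time": t, "path": path, "cmdline": cmdline}}


# Constructed telemetry: mac-01 completes the chain inside the window, mac-02 executes
# the extracted file ten minutes later, mac-03 never runs chmod on it.
SAMPLE_EVENTS = [
    _ev("mac-01", 1000, "/bin/dd", "dd if=/tmp/df00tech_innocent.jpg/..namedfork/rsrc of=/tmp/df00tech_stage2"),
    _ev("mac-01", 1003, "/bin/chmod", "chmod +x /tmp/df00tech_stage2"),
    _ev("mac-01", 1010, "/tmp/df00tech_stage2", "/tmp/df00tech_stage2"),
    _ev("mac-02", 2000, "/bin/dd", "dd if=/tmp/a.jpg/..namedfork/rsrc of=/tmp/a_stage2"),
    _ev("mac-02", 2005, "/bin/chmod", "chmod +x /tmp/a_stage2"),
    _ev("mac-02", 2700, "/tmp/a_stage2", "/tmp/a_stage2"),
    _ev("mac-03", 3000, "/bin/dd", "dd if=/tmp/b.jpg/..namedfork/rsrc of=/tmp/b_stage2"),
    _ev("mac-03", 3004, "/tmp/b_stage2", "/tmp/b_stage2"),
]


def find_extraction_chains(events: List[Dict], window: int = WINDOW_SECONDS) -> List[Dict]:
    """Return one record per completed extract -> chmod -> exec chain within `window` seconds."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.get("hostIdentifier", "")].append(ev)
    chains = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["columns"]["time"])
        for i, ev in enumerate(evs):
            c = ev["columns"]
            if c["path"].rsplit("/", 1)[-1] != "dd" or "..namedfork/rsrc" not in c["cmdline"].lower():
                continue
            m_if, m_of = IF_RE.search(c["cmdline"]), OF_RE.search(c["cmdline"])
            if not (m_if and m_of) or "..namedfork/rsrc" not in m_if.group(1).lower():
                continue   # a dd that writes into a fork is step (1), not the extraction read
            target, t0 = m_of.group(1), c["time"]
            chmod_t = exec_t = None
            for later in evs[i + 1:]:
                lc = later["columns"]
                if lc["time"] - t0 > window:
                    break                    # window expired before the chain completed
                lname = lc["path"].rsplit("/", 1)[-1]
                if chmod_t is None and lname == "chmod" and target in lc["cmdline"].split():
                    chmod_t = lc["time"]
                elif chmod_t is not None and lc["path"] == target \
                        and target.startswith("/tmp/") and ".app/" not in target:
                    exec_t = lc["time"]      # executed from /tmp, outside any app bundle
                    break
            if chmod_t is not None and exec_t is not None:
                chains.append({"host": host, "target": target, "extract_time": t0,
                               "chmod_time": chmod_t, "exec_time": exec_t})
    return chains


if __name__ == "__main__":
    for chain in find_extraction_chains(SAMPLE_EVENTS):
        print(chain)
```

The dd-write step (1) is deliberately not required, since the payload may have been planted long before and on a different host; the chain starts at the extraction read, which is the step the SPL query already scores.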
References
- https://attack.mitre.org/techniques/T1564/009/
- https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/
- https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html
- https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/
- https://flylib.com/books/en/4.395.1.192/1/
- http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.009/T1564.009.md
- https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html
- https://osquery.io/schema/5.10.2/#process_events