title: Resource Forking (T1564.009)
id: df00tech-t1564-009
status: experimental
description: "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code. Resource forks have been deprecated and replaced with the application bundle structure. Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated or encrypted until execution. Real-world malware families Keydnap (which used resource forks to present benign JPEG/text file icons while concealing executables) and OSX/Shlayer (which hid compressed binary payloads in resource forks to evade Finder, terminal display, and traditional scanners) have demonstrated active exploitation of this technique in live campaigns targeting macOS users."
references:
  - https://attack.mitre.org/techniques/T1564/009/
  - https://df00tech.com/detections/T1564.009
author: df00tech
date: 2026/03/12
tags:
  - attack.t1564.009
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Developer build systems (Xcode, CMake, legacy Carbon application compilation) accessing resource forks for legitimate build artifact management targeting older HFS+ workflows on development workstations"
  - "macOS migration and backup utilities (Migration Assistant, Carbon Copy Cloner, rsync with -E flag) that intentionally preserve resource forks when transferring files between HFS+ volumes or creating bootable backups"
  - "Digital archival and file format compatibility tools (Stuffit Expander, BetterZip) handling legacy Mac OS 9 file formats that stored significant data in resource forks by design"
  - "macOS system command dot_clean, which removes leftover resource fork ._ files created when HFS+ volumes are accessed from non-HFS+ systems after copying from USB drives or Windows shares"
  - Third-party endpoint security or antivirus tools that inspect extended attributes including com.apple.ResourceFork as part of file reputation or malware scanning routines
level: high