Матрица MITRE ATT&CK

Technique on mitre.org

T1564.009: Resource Forking

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code. Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.

Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.

Detection

ID	DS0022	Data source and component	File: File Creation	Description	Monitor for newly constructed files that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.

ID	DS0022	Data source and component	File: File Metadata	Description	Identify files with the `com.apple.ResourceFork` extended attribute and large data amounts stored in resource forks.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor newly executed processes that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that are leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections.

ID	Data source and component	Description
DS0022	File: File Creation	Monitor for newly constructed files that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.
DS0022	File: File Metadata	Identify files with the `com.apple.ResourceFork` extended attribute and large data amounts stored in resource forks.
DS0009	Process: Process Creation	Monitor newly executed processes that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.
DS0017	Command: Command Execution	Monitor executed commands and arguments that are leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections.

Mitigation

ID	M1013	Name	Application Developer Guidance	Description	Configure applications to use the application bundle structure which leverages the `/Resources` folder location.

ID	Name	Description
M1013	Application Developer Guidance	Configure applications to use the application bundle structure which leverages the `/Resources` folder location.