T1564.009: Resource Forking
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code. Usage of a resource fork is identifiable when displaying a file’s extended attributes, using `ls -l@` or `xattr -l` commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the `/Resources` folder.
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0009 | Process: Process Creation | Monitor newly executed processes that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that are leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections. |
| DS0022 | File: File Creation | Monitor for newly constructed files that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. |
| DS0022 | File: File Metadata | Identify files with the |
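A triage sketch for the File Metadata data source, added here as an example and not part of the ATT&CK entry: it parses `ls -l@` output and lists files that carry the `com.apple.ResourceFork` extended attribute, largest fork first. The sample listing is constructed, and the assumed output layout, the function name and the "fork larger than data fork" flag are assumptions of this example.

```python
import re

RESOURCE_FORK_ATTR = "com.apple.ResourceFork"  # xattr name under which macOS exposes the fork

# Constructed sample of `ls -l@` output. Assumed layout: one line per file,
# followed by tab-indented "name<TAB>size" lines for each extended attribute.
SAMPLE_LS_OUTPUT = (
    "total 16\n"
    "-rw-r--r--@ 1 alice  staff       0 Mar  3 10:12 invoice.pdf\n"
    "\tcom.apple.ResourceFork\t 286720 \n"
    "\tcom.apple.quarantine\t     57 \n"
    "-rw-r--r--  1 alice  staff    4096 Mar  3 10:15 notes.txt\n"
    "-rw-r--r--@ 1 alice  staff    2048 Mar  3 10:20 icon holder.txt\n"
    "\tcom.apple.ResourceFork\t    512 \n"
)

# mode, links, owner, group, size, three date tokens, then the name (may contain spaces)
FILE_LINE = re.compile(
    r"^[-bcdlps][rwxsStT-]{9}[@+]?\s+\d+\s+\S+\s+\S+\s+(\d+)"
    r"\s+\S+\s+\S+\s+\S+\s+(.+)$"
)
XATTR_LINE = re.compile(r"^\s+(\S+)\s+(\d+)\s*$")


def find_resource_forks(ls_output, min_fork_bytes=1):
    """Return files with a resource fork of at least min_fork_bytes, largest first."""
    findings, current = [], None
    for line in ls_output.splitlines():
        m = FILE_LINE.match(line)
        if m:  # a new file entry; attribute lines that follow belong to it
            current = {"name": m.group(2), "data_bytes": int(m.group(1))}
            continue
        x = XATTR_LINE.match(line)
        if x and current and x.group(1) == RESOURCE_FORK_ATTR:
            fork = int(x.group(2))
            if fork >= min_fork_bytes:
                # Heuristic (assumption): a fork bigger than the data fork deserves review first.
                findings.append({**current, "fork_bytes": fork,
                                 "fork_larger_than_data": fork > current["data_bytes"]})
    return sorted(findings, key=lambda f: f["fork_bytes"], reverse=True)


if __name__ == "__main__":
    for hit in find_resource_forks(SAMPLE_LS_OUTPUT):
        print(hit)
```

Raising `min_fork_bytes` filters out the small forks that legitimately hold icons or thumbnails, leaving the files whose fork size is out of proportion to their visible content.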
Mitigation
| ID | Name | Description |
|---|---|---|
| M1013 | Application Developer Guidance | Configure applications to use the application bundle structure which leverages the |