T1564.009 Resource Forking Mappings

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)

Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-11 User-installed Software Protects T1564.009 Resource Forking
CM-2 Baseline Configuration Protects T1564.009 Resource Forking
CM-6 Configuration Settings Protects T1564.009 Resource Forking
CM-7 Least Functionality Protects T1564.009 Resource Forking
SA-10 Developer Configuration Management Protects T1564.009 Resource Forking
SC-4 Information in Shared System Resources Protects T1564.009 Resource Forking
SC-44 Detonation Chambers Protects T1564.009 Resource Forking
SC-6 Resource Availability Protects T1564.009 Resource Forking
SI-10 Information Input Validation Protects T1564.009 Resource Forking
SI-15 Information Output Filtering Protects T1564.009 Resource Forking
SI-3 Malicious Code Protection Protects T1564.009 Resource Forking
SI-4 System Monitoring Protects T1564.009 Resource Forking
SI-7 Software, Firmware, and Information Integrity Protects T1564.009 Resource Forking