Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
CM-11 | User-installed Software | Protects | T1564.009 | Resource Forking |
CM-02 | Baseline Configuration | Protects | T1564.009 | Resource Forking |
CM-06 | Configuration Settings | Protects | T1564.009 | Resource Forking |
CM-07 | Least Functionality | Protects | T1564.009 | Resource Forking |
SA-10 | Developer Configuration Management | Protects | T1564.009 | Resource Forking |
SC-04 | Information in Shared System Resources | Protects | T1564.009 | Resource Forking |
SC-44 | Detonation Chambers | Protects | T1564.009 | Resource Forking |
SC-06 | Resource Availability | Protects | T1564.009 | Resource Forking |
SI-10 | Information Input Validation | Protects | T1564.009 | Resource Forking |
SI-15 | Information Output Filtering | Protects | T1564.009 | Resource Forking |
SI-03 | Malicious Code Protection | Protects | T1564.009 | Resource Forking |
SI-04 | System Monitoring | Protects | T1564.009 | Resource Forking |
SI-07 | Software, Firmware, and Information Integrity | Protects | T1564.009 | Resource Forking |