Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file's extended attributes, using the `ls -l@` or `xattr -l` commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the `/Resources` folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content from an attached resource fork by reading it at a specified offset, writing it to an executable location, and then invoking it. Resource fork content may also be obfuscated or encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
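As an added example, not code from this mapping page or from any of the cited sources, the following Python script parses the output of `ls -l@` (which on macOS lists each file's extended attributes, indented, below its entry) and reports files that carry a `com.apple.ResourceFork` attribute, so a defender can inventory resource forks in a directory. The embedded `ls -l@` sample is constructed, and the "notable" heuristic (an executable whose resource fork is at least as large as its data fork) is an assumption of this example, not a rule stated on the page.

```python
import re

# Extended-attribute name under which macOS stores a file's resource fork.
RESOURCE_FORK = "com.apple.ResourceFork"
MODE_RE = re.compile(r"^[-bcdlps][rwxsStT-]{9}[@+]?$")  # ls mode column; '@' marks xattrs
XATTR_RE = re.compile(r"^\s+(\S+)\s+(\d+)\s*$")          # indented "name  size" line

# Constructed sample of `ls -l@` output (not captured from a real host).
SAMPLE_LS_OUTPUT = """\
total 24
-rw-r--r--@  1 alice  staff     12 Mar  3 10:02 notes.txt
\tcom.apple.quarantine\t    57
-rwxr-xr-x@  1 alice  staff   4096 Mar  3 10:05 updater
\tcom.apple.ResourceFork\t  8192
-rw-r--r--@  1 alice  staff    512 Mar  3 10:07 icon.dat
\tcom.apple.ResourceFork\t   286
-rw-r--r--   1 alice  staff    100 Mar  3 10:08 README
"""


def parse_ls_xattr(output):
    """Turn `ls -l@` text into [{name, mode, size, xattrs}]. An entry line has nine
    whitespace-separated fields; the indented lines after it are that file's attributes."""
    entries = []
    for line in output.splitlines():
        parts = line.split(None, 8)
        if len(parts) == 9 and MODE_RE.match(parts[0]):
            entries.append({"name": parts[8], "mode": parts[0],
                            "size": int(parts[4]), "xattrs": {}})
            continue
        m = XATTR_RE.match(line)
        if m and entries:
            entries[-1]["xattrs"][m.group(1)] = int(m.group(2))
    return entries


def find_resource_forks(output):
    """Report files carrying a resource fork, most notable first."""
    findings = []
    for e in parse_ls_xattr(output):
        fork = e["xattrs"].get(RESOURCE_FORK)
        if fork is None:
            continue
        executable = bool(set("xst") & set(e["mode"][1:10]))
        # Heuristic (an assumption of this example): an executable whose resource fork
        # is at least as large as its data fork deserves a closer look.
        findings.append({"name": e["name"], "fork_bytes": fork, "data_bytes": e["size"],
                         "executable": executable, "notable": executable and fork >= e["size"]})
    findings.sort(key=lambda f: (not f["notable"], -f["fork_bytes"]))
    return findings
```

On a macOS host, pass the captured stdout of `ls -l@ <directory>` to `find_resource_forks` in place of the constructed sample.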
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1564.009 | Resource Forking | This diagnostic statement protects against Hide Artifacts through the implementation of application security processes and procedures such as installing applications to trusted system folder paths that are already protected by restricted file and directory permissions. |
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1564.009 | Resource Forking | This diagnostic statement protects against Resource Forking through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles. |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1564.009 | Resource Forking | |
| SA-10 | Developer Configuration Management | mitigates | T1564.009 | Resource Forking | |
| SC-06 | Resource Availability | mitigates | T1564.009 | Resource Forking | |
| CM-11 | User-installed Software | mitigates | T1564.009 | Resource Forking | |
| SC-44 | Detonation Chambers | mitigates | T1564.009 | Resource Forking | |
| SC-04 | Information in Shared System Resources | mitigates | T1564.009 | Resource Forking | |
| SI-10 | Information Input Validation | mitigates | T1564.009 | Resource Forking | |
| SI-15 | Information Output Filtering | mitigates | T1564.009 | Resource Forking | |
| SI-03 | Malicious Code Protection | mitigates | T1564.009 | Resource Forking | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1564.009 | Resource Forking | |
| CM-02 | Baseline Configuration | mitigates | T1564.009 | Resource Forking | |
| CM-07 | Least Functionality | mitigates | T1564.009 | Resource Forking | |
| SI-04 | System Monitoring | mitigates | T1564.009 | Resource Forking | |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1564.009 | Resource Forking | This control can detect file creation or modification events related to resource forking. |
| devops_security | Microsoft Defender for Cloud: DevOps Security | technique_scores | T1564.009 | Resource Forking | This control can provide DevOps guidance that applications should use the application bundle structure, which leverages the /Resources folder location, to mitigate resource forking. |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1564.009 | Resource Forking | This control can detect the execution of commands related to resource forking. |