Unexpected creation or modification of files with com.apple.ResourceFork extended attributes containing unusually large or non-standard data. Defender perspective: detection of resource forks in contexts where they are uncommon, especially when paired with process execution or network activity.
| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | macos:unifiedlog | File creation or modification with com.apple.ResourceFork extended attribute |
| Command Execution (DC0064) | macos:unifiedlog | Execution of commands like `ls -l@`, `xattr -l`, or custom tools interacting with resource forks |
| Process Creation (DC0032) | macos:unifiedlog | Process creation involving binaries interacting with resource fork data |
| Field | Description |
|---|---|
| ResourceForkSizeThreshold | Adjust thresholds for 'unusually large' resource fork data based on baseline usage in the environment. |
| MonitoredDirectories | Scope monitoring to sensitive directories such as /Users, /Applications, or temporary paths. |
| CorrelatedActivityWindow | Time window for correlating resource fork activity with subsequent execution or network activity. |
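As an added illustration (not part of this ATT&CK page or its data sources), the Python below shows how the three tunable fields above could drive a detection over file-metadata and process-creation records. The event layouts, the pid-based correlation between a resource-fork write and a later exec, and the sample telemetry are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
RESOURCE_FORK_XATTR = "com.apple.ResourceFork"

@dataclass
class FileEvent:          # file metadata record: xattr written to a file
    ts: datetime
    path: str
    xattr: str            # attribute name as the log reports it
    size: int             # bytes stored in the attribute
    pid: int              # process that wrote it

@dataclass
class ProcessEvent:       # process creation record
    ts: datetime
    pid: int              # launching process (assumed correlation key)
    image: str            # binary that was executed

def in_monitored_dir(path, monitored_dirs):
    return any(path.startswith(d.rstrip("/") + "/") for d in monitored_dirs)

def detect_resource_fork_abuse(file_events, process_events, size_threshold,
                               monitored_dirs, window):
    """One alert per resource-fork write in a monitored directory that is
    oversized, followed by an exec from the same pid in the window, or both."""
    alerts = []
    for fe in file_events:
        if fe.xattr != RESOURCE_FORK_XATTR or not in_monitored_dir(fe.path, monitored_dirs):
            continue
        large = fe.size >= size_threshold                    # ResourceForkSizeThreshold
        execs = [pe.image for pe in process_events           # CorrelatedActivityWindow
                 if pe.pid == fe.pid and fe.ts <= pe.ts <= fe.ts + window]
        if large or execs:
            alerts.append({"path": fe.path, "fork_bytes": fe.size,
                           "severity": "high" if large and execs else "medium",
                           "correlated_execs": execs})
    return alerts

# Constructed sample telemetry (not real log data).
T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_FILES = [
    FileEvent(T0, "/Users/alice/Documents/report.pdf", RESOURCE_FORK_XATTR, 1_200, 501),
    FileEvent(T0 + timedelta(minutes=5), "/tmp/update.bin", RESOURCE_FORK_XATTR, 3_000_000, 777),
    FileEvent(T0 + timedelta(minutes=9), "/System/Library/x.plist", RESOURCE_FORK_XATTR, 5_000_000, 1),
]
SAMPLE_PROCS = [ProcessEvent(T0 + timedelta(minutes=5, seconds=30), 777, "/tmp/update.bin")]

def run_sample(process_events=SAMPLE_PROCS):
    return detect_resource_fork_abuse(SAMPLE_FILES, process_events, size_threshold=1_000_000,
                                      monitored_dirs=["/Users", "/Applications", "/tmp"],
                                      window=timedelta(minutes=10))
```

The small fork on the PDF and the large one outside the monitored directories produce no alert; the 3 MB fork under /tmp followed by an exec from the same pid within the window is reported as high severity.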