Hide Artifacts: Resource Forking

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.[1] Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.[2][3]

Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.[4][5]

ID: T1564.009
Sub-technique of:  T1564
Tactic: Defense Evasion
Platforms: macOS
Defense Bypassed: Gatekeeper, Notarization
Contributors: Ivan Sinyakov; Jaron Bradley @jbradley89
Version: 1.0
Created: 12 October 2021
Last Modified: 05 May 2022

Procedure Examples

ID Name Description
S0276 Keydnap

Keydnap uses a resource fork to present a macOS JPEG or text file icon rather than the executable's icon assigned by the operating system.[6]

S0402 OSX/Shlayer

OSX/Shlayer has used a resource fork to hide a compressed binary file of itself from the terminal, Finder, and potentially evade traditional scanners.[5][4]

Mitigations

ID Mitigation Description
M1013 Application Developer Guidance

Configure applications to use the application bundle structure which leverages the /Resources folder location.[7]

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that are leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections.

DS0022 File File Creation

Monitor for newly constructed files that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.

File Metadata

Identify files with the com.apple.ResourceFork extended attribute and large data amounts stored in resource forks.

DS0009 Process Process Creation

Monitor newly executed processes that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.

References