Hide Artifacts: Resource Forking (T1564.009)

Tactic: Stealth · Platforms: macOS

The interactive view maps 1 detection strategy, 1 mitigation, 2 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Hide Artifacts (T1564).

Overview

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code. Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.

Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.

Explore