Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code. Usage of a resource fork is identifiable when displaying a file’s extended attributes, using
ls -l@ or
xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.
|M1013||Application Developer Guidance||
Configure applications to use the application bundle structure which leverages the
|ID||Data Source||Data Component|
Identify files with the
com.apple.ResourceFork extended attribute and large data amounts stored in resource forks.
Monitor command-line activity leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections.