DET0584 Detection Strategy for Resource Forking on macOS
| Item | Value |
| --- | --- |
| ID | DET0584 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1564.009 (Resource Forking)
Analytics

macOS: AN1609

Unexpected creation or modification of files with com.apple.ResourceFork extended attributes containing unusually large or non-standard data. Defender perspective: detection of resource forks in contexts where they are uncommon, especially when paired with process execution or network activity.
Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| File Metadata (DC0059) | macos:unifiedlog | File creation or modification with com.apple.ResourceFork extended attribute |
| Command Execution (DC0064) | macos:unifiedlog | Execution of commands like ls -l@, xattr -l, or custom tools interacting with resource forks |
| Process Creation (DC0032) | macos:unifiedlog | Process creation involving binaries interacting with resource fork data |
Mutable Elements
| Field | Description |
| --- | --- |
| ResourceForkSizeThreshold | Adjust thresholds for ‘unusually large’ resource fork data based on baseline usage in the environment. |
| MonitoredDirectories | Scope monitoring to sensitive directories such as /Users, /Applications, or temporary paths. |
| CorrelatedActivityWindow | Time window for correlating resource fork activity with subsequent execution or network activity. |
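The following is an added worked example, not part of DET0584 or any MITRE tooling, that turns analytic AN1609 and the three mutable elements above into runnable detection logic. It parses a constructed `ls -lR@` listing (the command named under Command Execution, which prints each file's extended attributes and their sizes on indented lines beneath the entry), keeps files whose com.apple.ResourceFork attribute exceeds ResourceForkSizeThreshold and that sit under MonitoredDirectories, and then correlates those findings with constructed process-creation events inside CorrelatedActivityWindow. The threshold, directory list, window and the listing year are assumed tuning values; the "non-standard data" and network-activity parts of the analytic are not covered here.

```python
"""Added example for DET0584 / AN1609 (not MITRE's code): resource-fork detection
over a constructed `ls -lR@` listing, correlated with constructed process events."""
import re
from datetime import datetime, timedelta

# Mutable elements from the detection strategy, with assumed tuning values.
RESOURCE_FORK_SIZE_THRESHOLD = 4096                         # bytes (ResourceForkSizeThreshold)
MONITORED_DIRECTORIES = ("/Users", "/Applications", "/tmp", "/private/tmp")  # MonitoredDirectories
CORRELATED_ACTIVITY_WINDOW = timedelta(minutes=10)          # CorrelatedActivityWindow
LISTING_YEAR = 2025   # `ls -l` omits the year for recent files; assumed for the sample

RESOURCE_FORK_XATTR = "com.apple.ResourceFork"
# Extended-attribute lines under an `ls -l@` entry are indented: "<name> <size>".
XATTR_LINE = re.compile(r"^\s+(\S+)\s+(\d+)\s*$")

# Constructed sample listing (not real data). Two in-scope files exceed the
# threshold, one is below it, and one large fork is outside the monitored scope.
SAMPLE_LISTING = (
    "/Users/alice/Downloads:\n"
    "-rw-r--r--@ 1 alice  staff  0 Oct 21 09:58 notes.txt\n"
    "\tcom.apple.ResourceFork\t   286 \n"
    "\tcom.apple.quarantine\t    57 \n"
    "-rwxr-xr-x@ 1 alice  staff  12 Oct 21 10:02 installer\n"
    "\tcom.apple.ResourceFork\t 48210 \n"
    "-rw-r--r--@ 1 alice  staff  0 Oct 21 10:05 report.pdf\n"
    "\tcom.apple.ResourceFork\t  7300 \n"
    "\n"
    "/Library/Caches:\n"
    "-rw-r--r--@ 1 root  wheel  0 Oct 21 10:03 cache.db\n"
    "\tcom.apple.ResourceFork\t 90000 \n"
)

# Constructed process-creation events (path + timestamp), e.g. from the unified log.
SAMPLE_PROCESS_EVENTS = [
    {"ts": datetime(2025, 10, 21, 10, 4), "path": "/Users/alice/Downloads/installer"},
    {"ts": datetime(2025, 10, 21, 10, 30), "path": "/usr/bin/xattr"},
]


def parse_ls_listing(text, year=LISTING_YEAR):
    """Parse `ls -lR@` output into [{'path', 'mtime', 'xattrs': {name: size}}]."""
    entries, current_dir, current = [], "", None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):   # recursive directory header
            current_dir, current = line[:-1], None
            continue
        m = XATTR_LINE.match(line)
        if m and current is not None:                      # xattr line for the last file
            current["xattrs"][m.group(1)] = int(m.group(2))
            continue
        fields = line.split(None, 8)                       # perms links owner group size mon day time name
        if len(fields) < 9 or fields[0].startswith("d"):   # skip "total N" and directories
            continue
        mon, day, clock, name = fields[5], fields[6], fields[7], fields[8]
        if ":" in clock:                                   # recent file: HH:MM shown, year implied
            mtime = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M")
        else:                                              # older file: year shown instead of time
            mtime = datetime.strptime(f"{clock} {mon} {day}", "%Y %b %d")
        current = {"path": f"{current_dir}/{name}", "mtime": mtime, "xattrs": {}}
        entries.append(current)
    return entries


def in_monitored_scope(path, dirs=MONITORED_DIRECTORIES):
    """True when path lies under one of the MonitoredDirectories."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in dirs)


def find_suspicious_forks(entries, threshold=RESOURCE_FORK_SIZE_THRESHOLD,
                          dirs=MONITORED_DIRECTORIES):
    """Files in scope whose resource fork is larger than the threshold."""
    findings = []
    for e in entries:
        size = e["xattrs"].get(RESOURCE_FORK_XATTR)
        if size is None or size <= threshold or not in_monitored_scope(e["path"], dirs):
            continue
        findings.append({"path": e["path"], "fork_size": size, "mtime": e["mtime"]})
    return findings


def correlate_with_execution(findings, process_events, window=CORRELATED_ACTIVITY_WINDOW):
    """Raise a finding to an alert when the same file is executed within the window."""
    alerts = []
    for f in findings:
        for ev in process_events:
            if ev["path"] == f["path"] and f["mtime"] <= ev["ts"] <= f["mtime"] + window:
                alerts.append({**f, "executed_at": ev["ts"]})
                break
    return alerts


if __name__ == "__main__":
    found = find_suspicious_forks(parse_ls_listing(SAMPLE_LISTING))
    for f in found:
        print(f"finding: {f['path']} fork={f['fork_size']}B mtime={f['mtime']}")
    for a in correlate_with_execution(found, SAMPLE_PROCESS_EVENTS):
        print(f"ALERT: {a['path']} executed at {a['executed_at']} after fork write")
```

On a real host the listing would come from `ls -lR@` over the monitored directories and the process events from the unified log; the threshold should be set from a baseline of legitimate resource-fork sizes in the environment, since fonts, legacy application bundles and some installers carry large forks by design.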