AN1609: Analytic 1609
Unexpected creation or modification of files with `com.apple.ResourceFork` extended attributes containing unusually large or non-standard data. Defender perspective: detection of resource forks in contexts where they are uncommon, especially when paired with process execution or network activity.
Analyst context for executives and security teams
This analytic highlights a macOS-specific hiding or staging signal: unexpected files with the com.apple.ResourceFork extended attribute containing unusually large or non-standard data. For leaders, the value is not that every resource fork is malicious, but that uncommon extended-attribute use can expose activity that normal file-content scanning, inventory, or audit workflows may miss.
Executive priority
Prioritize this as a macOS visibility and response-readiness question. Security leaders should ask whether endpoint monitoring, file integrity processes, and incident response tooling preserve and inspect macOS extended attributes, not just ordinary file paths and hashes. This matters for evidence quality, containment decisions, and audit confidence in environments where macOS systems support sensitive business operations.
Technical view
For SOC and detection teams, validate whether macOS telemetry can identify creation or modification of files carrying com.apple.ResourceFork extended attributes, especially when the data size or format is unusual for the file location or application context. Because the object provides no ATT&CK tactic, relationship context, or formal detection logic, treat this as a detection engineering hypothesis: correlate uncommon resource fork activity with nearby process execution and network activity, as described in the official text.
Likely telemetry
- macOS file creation and modification events
- Extended attribute metadata, specifically com.apple.ResourceFork
- File size and attribute-size observations for resource fork data
- Endpoint process execution telemetry around the same host and time window
- Network connection telemetry from processes associated with the affected files
Detection direction
- Confirm that collection tools capture extended attributes; many file inventories and scanners may omit resource fork contents or metadata.
- Baseline where resource forks normally appear in the local macOS environment to reduce false positives from legitimate Apple or application behavior.
- Alert on unusually large or non-standard com.apple.ResourceFork data in directories, file types, or workflows where resource forks are uncommon.
- Correlate resource fork changes with process execution and network activity, rather than treating the attribute alone as conclusive.
- Document blind spots where endpoint agents normalize, strip, or fail to report macOS extended attributes.
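As an added example of the baseline-and-threshold direction above (not MITRE's or Glexia's code), the following Python parses macOS `ls -l@` output, which prints each extended attribute name and its size beneath a file entry, and flags `com.apple.ResourceFork` attributes that sit outside an assumed baseline or exceed an assumed size. The baseline paths, the 1 MiB threshold and the sample listing are assumptions constructed for illustration.

```python
import re
from fnmatch import fnmatch
RSRC = "com.apple.ResourceFork"
# Assumed local baseline (replace after your own baselining): where resource forks are normal.
BASELINE_GLOBS = ("/Applications/*", "/System/*", "/Users/*/Library/Fonts/*")
BASELINE_EXTS = (".dfont", ".rsrc", ".suit")
SIZE_THRESHOLD = 1 << 20  # assumed: more than 1 MiB of fork data counts as "unusually large"
# Constructed sample of macOS `ls -l@ <paths>` output (made-up user/files); -@ lists each xattr name and size under its file.
SAMPLE_LS = """\
-rw-r--r--@ 1 alice staff 1843 Mar  3 10:02 /Users/alice/Library/Fonts/Legacy.dfont
\tcom.apple.ResourceFork\t204512
-rw-r--r--@ 1 alice staff 0 Mar  3 10:05 /tmp/.cache/update.txt
\tcom.apple.ResourceFork\t3145728
-rw-r--r--@ 1 alice staff 512 Mar  3 10:06 /Users/alice/Downloads/notes.txt
\tcom.apple.quarantine\t57
"""
# mode+flags, links, owner, group, data-fork size, month, day, time-or-year, path
FILE_RE = re.compile(r"^[-dl][rwxstST@+.-]*\s+\d+\s+\S+\s+\S+\s+(\d+)\s+\S+\s+\d+\s+\S+\s+(.+)$")
XATTR_RE = re.compile(r"^\s+(\S+)\s+(\d+)$")  # indented "<name> <size>" line under a file

def parse_ls_xattrs(text):
    """Return {path: (data_fork_size, {xattr_name: xattr_size})} from `ls -l@` output."""
    files, current = {}, None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group(2)
            files[current] = (int(m.group(1)), {})
            continue
        m = XATTR_RE.match(line)
        if m and current is not None:
            files[current][1][m.group(1)] = int(m.group(2))
    return files

def flag_resource_forks(files, threshold=SIZE_THRESHOLD):
    """Apply the two signals above: a fork where forks are uncommon, or an unusually large fork."""
    alerts = []
    for path, (data_size, xattrs) in files.items():
        fork_size = xattrs.get(RSRC)
        if fork_size is None:
            continue  # no resource fork on this file, nothing to assess
        reasons = []
        if not (path.endswith(BASELINE_EXTS) or any(fnmatch(path, g) for g in BASELINE_GLOBS)):
            reasons.append("resource fork outside baseline locations")
        if fork_size > threshold:
            reasons.append(f"resource fork of {fork_size} bytes exceeds {threshold}")
        if reasons:  # hand off for correlation with process and network telemetry, not a verdict
            alerts.append({"path": path, "data_size": data_size, "fork_size": fork_size, "reasons": reasons})
    return alerts
```

The empty data fork paired with a multi-megabyte resource fork on the second sample file is the kind of observation ordinary hash- and content-based inventories miss.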
Mitigation priorities
- Start with visibility: ensure macOS endpoint, EDR, or file monitoring controls can record extended attributes relevant to investigations.
- Harden response procedures so analysts preserve macOS metadata during collection and triage.
- Use application control, least privilege, and controlled write access to reduce unauthorized file creation or modification on important macOS systems.
- Tune detections after local baselining to avoid excessive alerts from legitimate resource fork usage.
- Include macOS extended-attribute evidence in compliance and incident-response readiness checks where macOS assets are in scope.
Analyst notes and limits
The supplied object is a detection analytic for macOS only. It describes suspicious resource fork creation or modification and recommends attention to contexts where resource forks are uncommon, especially with process execution or network activity. No relationships, tactics, detection pseudocode, threat groups, software, or campaigns were supplied.
Official detection content is not provided, and there is no relationship context. This analysis cannot infer adversary intent, active exploitation, prevalence, or complete detection coverage. Local macOS baselines and telemetry validation are required before operationalizing alerts.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ee416f817e60… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1609 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.