DET0584: Detection Strategy for Resource Forking on macOS
Analyst context for executives and security teams
DET0584 is a MITRE detection strategy for Resource Forking on macOS, a stealth behavior where adversaries may use macOS resource forks to hide code or executables from normal file review and some security tooling. For leaders, the practical issue is not the technique name; it is whether macOS monitoring and response processes can see file content and metadata that may not appear in ordinary file listings.
Executive priority
Treat this as a macOS visibility and assurance question. Security leaders should ask whether endpoint monitoring, incident response procedures, and compliance evidence account for extended attributes/resource forks, especially on systems where macOS endpoints support business-critical users or privileged access. The business risk is a blind spot: if tools only inspect standard file content, hidden material may weaken detection, investigation quality, and confidence in endpoint control coverage.
Technical view
The supplied relationship maps this detection strategy to ATT&CK technique T1564.009, Resource Forking, a sub-technique of T1564 Hide Artifacts under the Defense Evasion tactic, scoped to the macOS platform. SOC and IR teams should validate whether they can identify files with resource forks or unusual extended attributes, and whether endpoint and security tools inspect those attributes rather than only the visible data fork. The related ATT&CK description notes that resource fork usage can be identified by displaying a file's extended attributes with macOS commands such as ls -l@ or xattr -l. On macOS the fork is exposed as the com.apple.ResourceFork extended attribute and can be read through the file's /..namedfork/rsrc path, which is why hashing or scanning only the data fork will not see material hidden there.
Likely telemetry
- macOS file metadata showing extended attributes and resource fork presence
- Endpoint file creation, modification, and quarantine/attribute-change events where available
- Endpoint detection or file scanning results that explicitly include extended attributes/resource forks
- Process execution telemetry for administrative or investigative use of macOS attribute inspection utilities
- Incident response collection artifacts that preserve macOS extended attributes rather than stripping them during acquisition or transfer
Detection direction
- Confirm that macOS endpoint coverage includes visibility into extended attributes/resource forks, not just filenames, hashes, and standard file contents.
- Test whether files with resource forks are preserved and observable across collection, EDR review, triage, and forensic acquisition workflows.
- Tune detections around suspicious or unexpected resource fork presence in security-relevant locations, while accounting for legitimate macOS and application use of resource forks.
- Use relationship context: this strategy supports detection of a stealth technique, so prioritize validation of blind spots where adversaries may hide content to evade security applications.
- Avoid assuming coverage from generic file monitoring alone; require evidence that the monitoring path captures macOS-specific metadata.
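To make the inspection step above concrete, the following script is added here as an example; it is not code from MITRE, Glexia or any vendor. It parses a saved ls -l@ listing, flags files whose com.apple.ResourceFork attribute is larger than an assumed threshold (4096 bytes, a tuning value to calibrate against your own baseline of legitimate legacy forks, not an ATT&CK figure), and on a Mac reads the first bytes of each flagged fork through the /..namedfork/rsrc path to check for a Mach-O or universal-binary header. The ls -l@ line format the parser expects and the sample listing are assumptions constructed for the example.

```python
"""Resource-fork triage for macOS hosts.

Added example for this page, not MITRE or Glexia code. Assumptions: the
output format of macOS `ls -l@` (one long-format line per file followed by
one indented "<name> <size>" line per extended attribute), the attribute
name com.apple.ResourceFork, the /..namedfork/rsrc pseudo-path macOS exposes
for reading a file's resource fork, and a 4096-byte size threshold.
"""
from __future__ import annotations

import os
import re
import subprocess
import sys
from dataclasses import dataclass, field

RSRC_XATTR = "com.apple.ResourceFork"
SUSPICIOUS_FORK_BYTES = 4096  # assumed tuning value; legacy icon/metadata forks are usually smaller

# First four bytes of Mach-O images: thin 32/64-bit in both byte orders, plus universal binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",  # MH_MAGIC, MH_MAGIC_64
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",  # MH_CIGAM, MH_CIGAM_64 (little-endian on disk)
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC
}

# "-rw-r--r--@ 1 alice  staff  286 Mar  3 09:20 invoice.pdf": the '@' after the
# mode string is ls's marker that the file carries extended attributes.
FILE_RE = re.compile(
    r"^[-dlbcps][rwxsStT-]{9}[@+]*\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(.+?)\s*$"
)
# "\tcom.apple.ResourceFork\t 1839104 ": attribute name and its size in bytes.
XATTR_RE = re.compile(r"^\s+(\S+)\s+(\d+)\s*$")


@dataclass
class Entry:
    path: str
    xattrs: dict[str, int] = field(default_factory=dict)  # attribute name -> size


def parse_ls_at(listing: str) -> list[Entry]:
    """Turn `ls -l@` output into entries carrying each file's xattr sizes."""
    entries: list[Entry] = []
    for line in listing.splitlines():
        m = FILE_RE.match(line)
        if m:
            entries.append(Entry(path=m.group(1)))
            continue
        m = XATTR_RE.match(line)
        if m and entries:  # attribute lines belong to the preceding file line
            entries[-1].xattrs[m.group(1)] = int(m.group(2))
        # "total N" lines, directory headers and blanks match neither pattern and are ignored
    return entries


def flag_resource_forks(entries: list[Entry], threshold: int = SUSPICIOUS_FORK_BYTES) -> list[tuple[str, int]]:
    """Files whose resource fork is at least `threshold` bytes, largest first."""
    hits = [(e.path, e.xattrs[RSRC_XATTR]) for e in entries if e.xattrs.get(RSRC_XATTR, 0) >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def looks_like_macho(head: bytes) -> bool:
    """True if the leading bytes of a fork carry a Mach-O or universal-binary magic."""
    return head[:4] in MACHO_MAGICS


def read_fork_head(path: str, n: int = 4) -> bytes:
    """Read the first n bytes of a file's resource fork (macOS only; empty bytes if absent)."""
    try:
        with open(f"{path}/..namedfork/rsrc", "rb") as fh:
            return fh.read(n)
    except OSError:
        return b""


# Constructed sample listing (not captured from a real host); tabs mirror ls -l@ output.
SAMPLE_LISTING = (
    "-rw-r--r--@ 1 alice  staff     12 Mar  3 09:14 notes.txt\n"
    "\tcom.apple.quarantine\t    57 \n"
    "-rw-r--r--@ 1 alice  staff    286 Mar  3 09:20 invoice.pdf\n"
    "\tcom.apple.ResourceFork\t 1839104 \n"
    "\tcom.apple.quarantine\t    57 \n"
    "-rw-r--r--  1 alice  staff   4096 Mar  3 09:21 README\n"
    "-rw-r--r--@ 1 alice  staff  10240 Mar  3 09:22 legacy.rsrc\n"
    "\tcom.apple.ResourceFork\t   2048 \n"
)

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "."
    if sys.platform == "darwin" and len(sys.argv) > 1:
        # Live run on a Mac: list the target directory, then look inside each flagged fork.
        listing = subprocess.run(["ls", "-l@", base], capture_output=True, text=True, check=True).stdout
    else:
        listing = SAMPLE_LISTING
    for name, size in flag_resource_forks(parse_ls_at(listing)):
        head = read_fork_head(os.path.join(base, name))
        verdict = "Mach-O header in fork" if looks_like_macho(head) else "large fork present"
        print(f"{size:>10} B  {name}  ({verdict})")
```

Run it with no arguments to exercise the constructed sample, or on a Mac with a directory argument to triage live files. Two caveats follow from the detection-direction bullets: the threshold is only as good as your baseline of legitimate forks, so measure fork sizes across a clean fleet before alerting on size alone; and the /..namedfork/rsrc read only works on the original volume, so if evidence was copied with a tool that drops extended attributes the fork is already gone and this check will silently report nothing.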
Mitigation priorities
- Inventory macOS assets and ensure endpoint security controls are configured to inspect macOS extended attributes/resource forks where supported.
- Update IR playbooks so suspicious macOS files are examined with metadata-preserving methods.
- Validate that file transfer, evidence collection, and malware analysis workflows do not drop resource fork data.
- Include this visibility requirement in macOS security control reviews and audit evidence for endpoint monitoring completeness.
- Where gaps exist, prioritize compensating controls and managed detection use cases for macOS stealth behaviors.
Analyst notes and limits
This take is based on the supplied ATT&CK detection strategy DET0584 and its relationship to T1564.009 Resource Forking. The object itself has no official description, no official detection text, and no tactics or platforms directly specified; the macOS platform and Defense Evasion (Hide Artifacts) context comes from the related technique. Practical validation requires local endpoint tooling, logging, and forensic workflow evidence.
No active exploitation, attribution, prevalence, specific tool behavior, or guaranteed detection coverage is provided in the supplied ATT&CK fields. Recommendations are therefore framed as validation and control-assurance direction rather than confirmed exposure or confirmed detection logic.
Detection Strategy for Resource Forking on macOS
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1564.009 | Resource Forking Sub-technique | This object detects Resource Forking. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c32ed0fb8b7a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0584 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.