T1149 LC_MAIN Hijacking Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Part 1: Detect use of Mach-O binary inspection and manipulation tools with suspicious flags
let MachOInspectionTools = dynamic(["otool", "jtool", "jtool2", "vtool", "MachOView", "install_name_tool", "lipo"]);
let SuspiciousLoadCmdFlags = dynamic(["-l", "--load-commands", "LC_MAIN", "LC_THREAD", "LC_UNIXTHREAD", "entryoff", "stacksize"]);
let SensitivePaths = dynamic(["/Applications/", "/usr/bin/", "/usr/local/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/opt/"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (MachOInspectionTools)
| where ProcessCommandLine has_any (SuspiciousLoadCmdFlags)
| where ProcessCommandLine has_any (SensitivePaths)
| extend TargetBinary = extract(@"(?:/Applications/[^\s]+\.app/Contents/MacOS/[^\s]+|/usr/(?:bin|local/bin|sbin)/[^\s]+|/bin/[^\s]+|/opt/[^\s]+)", 0, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, TargetBinary,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
// Part 2: Detect writes to Mach-O executable locations by non-system processes
// Run separately or union with above
// DeviceFileEvents
// | where Timestamp > ago(24h)
// | where ActionType in ("FileModified", "FileCreated", "FileRenamed")
// | where FolderPath matches regex @"/Applications/[^/]+\.app/Contents/MacOS"
//    or FolderPath startswith "/usr/bin/"
//    or FolderPath startswith "/usr/local/bin/"
//    or FolderPath startswith "/usr/sbin/"
// | where not(InitiatingProcessFileName in~ ("Installer", "softwareupdate", "pkgutil", "MRT", "XProtect", "trustd"))
// | project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine

high severity low confidence

Data Sources

Process: Process Creation File: File Modification Microsoft Defender for Endpoint (macOS agent)

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Security researchers and reverse engineers routinely use otool, jtool, and vtool with -l flags to inspect Mach-O load commands for legitimate analysis
Software build pipelines (Xcode, CMake, conan) invoke install_name_tool and lipo against application binaries during compilation and packaging
macOS application notarization and code signing workflows use codesign and related tools against .app bundle executables
Third-party software managers (Homebrew, MacPorts) legitimately write to /usr/local/bin and /opt/ during package installation and upgrades
System software updates via softwareupdate and MRT modify binaries in protected system paths

Splunk

spl

| union
  [search index=osquery sourcetype="osquery:results" name="pack_*_mach_o_info" OR name="pack_*_process_open_files"
  | eval FilePath=coalesce('columns.path', 'columns.filename')
  | where match(FilePath, "(?i)(/Applications/[^/]+\.app/Contents/MacOS/|/usr/(local/)?bin/|/usr/sbin/|/bin/|/opt/)")
  | eval QueryType="osquery_macho_file_access"
  | table _time, host, name, FilePath, QueryType]
  [search index=endpoint sourcetype="stream:process" OR sourcetype="macos:endpointsecurity"
  (process_name="otool" OR process_name="jtool" OR process_name="jtool2" OR process_name="vtool" OR process_name="install_name_tool" OR process_name="lipo")
  | eval CmdLine=coalesce(process_cmdline, cmd_line, cmdline)
  | eval CmdLineLower=lower(CmdLine)
  | eval HasLoadCmdFlag=if(match(CmdLineLower, "(-l|--load-commands|lc_main|lc_thread|lc_unixthread|entryoff|stacksize)"), 1, 0)
  | eval TargetsSensitivePath=if(match(CmdLine, "(/Applications/|/usr/bin/|/usr/local/bin/|/usr/sbin/|/bin/|/sbin/|/opt/)"), 1, 0)
  | where HasLoadCmdFlag=1 AND TargetsSensitivePath=1
  | eval QueryType="macho_tool_with_load_cmd_flag"
  | table _time, host, user, process_name, CmdLine, parent_process_name, HasLoadCmdFlag, TargetsSensitivePath, QueryType]
| sort - _time
| table _time, host, user, process_name, CmdLine, parent_process_name, QueryType

high severity low confidence

Data Sources

Process: Process Creation File: File Access osquery macOS Endpoint Security Framework

Required Sourcetypes

osquery:results stream:process macos:endpointsecurity

False Positives

Xcode and Apple Developer toolchains invoke otool and install_name_tool extensively during normal build operations
Security tools (Objective-See products, Jamf Protect) inspect Mach-O load commands as part of legitimate endpoint monitoring
Homebrew formula builds routinely use lipo and install_name_tool to adjust library paths for universal binaries
Reverse engineering education and malware analysis labs generate high volumes of otool and jtool invocations against system binaries
CI/CD pipelines building macOS applications (GitHub Actions macOS runners, CircleCI) invoke these tools during artifact preparation

Elastic Security (EQL)

eql

process where event.type == "start" and
  host.os.type == "macos" and
  process.name in ("otool", "jtool", "jtool2", "vtool", "install_name_tool", "lipo") and
  (
    process.args : "-l" or
    process.args : "--load-commands" or
    process.args : "LC_MAIN" or
    process.args : "LC_THREAD" or
    process.args : "LC_UNIXTHREAD" or
    process.args : "entryoff" or
    process.args : "stacksize"
  ) and
  (
    process.command_line : "/Applications/*" or
    process.command_line : "/usr/bin/*" or
    process.command_line : "/usr/local/bin/*" or
    process.command_line : "/usr/sbin/*" or
    process.command_line : "/bin/*" or
    process.command_line : "/sbin/*" or
    process.command_line : "/opt/*"
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security (macOS) Auditbeat (macOS process events)

Required Tables

logs-endpoint.events.process-* auditbeat-*

False Positives

macOS developers legitimately use otool and install_name_tool during build and link workflows targeting binaries in /usr/local/bin or /opt/homebrew
Security researchers and reverse engineers running jtool2 or MachOView to audit applications installed in /Applications as part of authorized vulnerability research
System administrators using lipo or vtool to inspect universal/fat binaries when managing multi-architecture deployments on Apple Silicon transition environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS host_ip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Apple macOS Security', 'Syslog', 'Linux OS')
  AND (
    "Process Name" IN ('otool', 'jtool', 'jtool2', 'vtool', 'install_name_tool', 'lipo')
    OR "Process Name" ILIKE '%jtool%'
  )
  AND (
    "Command" ILIKE '% -l %'
    OR "Command" ILIKE '%--load-commands%'
    OR "Command" ILIKE '%LC_MAIN%'
    OR "Command" ILIKE '%LC_THREAD%'
    OR "Command" ILIKE '%LC_UNIXTHREAD%'
    OR "Command" ILIKE '%entryoff%'
    OR "Command" ILIKE '%stacksize%'
  )
  AND (
    "Command" ILIKE '%/Applications/%'
    OR "Command" ILIKE '%/usr/bin/%'
    OR "Command" ILIKE '%/usr/local/bin/%'
    OR "Command" ILIKE '%/usr/sbin/%'
    OR "Command" ILIKE '%/bin/%'
    OR "Command" ILIKE '%/sbin/%'
    OR "Command" ILIKE '%/opt/%'
  )
  AND devicetime > NOW() - 24 HOURS
ORDER BY devicetime DESC
LIMIT 500

high severity medium confidence

Data Sources

QRadar macOS Security log source QRadar Syslog DSM (macOS endpoint syslog) osquery log source via Universal DSM

Required Tables

events

False Positives

Homebrew package installation and post-install scripts routinely invoke install_name_tool against binaries being placed into /usr/local/bin or /opt/homebrew
Code signing pipelines and CI/CD build agents may use lipo and vtool to strip or inspect universal binaries targeting /Applications staging directories
Automated macOS software inventory tools that shell out to otool to collect binary metadata across system directories for asset management purposes

Sumo Logic CSE

sql

_sourceCategory=endpoint/macos OR _sourceCategory=osquery/macos OR _sourceCategory=stream/process
| where !
  isEmpty(process_name)
| where process_name in ("otool", "jtool", "jtool2", "vtool", "install_name_tool", "lipo")
| where (
    cmdline matches "-l " or
    cmdline matches "--load-commands" or
    cmdline matches "LC_MAIN" or
    cmdline matches "LC_THREAD" or
    cmdline matches "LC_UNIXTHREAD" or
    cmdline matches "entryoff" or
    cmdline matches "stacksize"
  )
| where (
    cmdline matches "/Applications/" or
    cmdline matches "/usr/bin/" or
    cmdline matches "/usr/local/bin/" or
    cmdline matches "/usr/sbin/" or
    cmdline matches "/bin/" or
    cmdline matches "/sbin/" or
    cmdline matches "/opt/"
  )
| parse field=cmdline "* *" as tool_name, tool_args nodrop
| count by _time, host, user, process_name, cmdline, parent_process_name
| fields -_count
| sort by _time desc

high severity medium confidence

Data Sources

Sumo Logic macOS Endpoint Security source osquery Sumo Logic collector Sumo Logic stream:process source

Required Tables

_sourceCategory=endpoint/macos _sourceCategory=osquery/macos _sourceCategory=stream/process

False Positives

Developer toolchain setup scripts using install_name_tool to fix dylib paths for applications being installed into /Applications from a DMG
Security audit scripts that enumerate load commands across all system binaries as part of periodic hardening checks or compliance scanning
Reverse engineering workflows by malware analysts on macOS forensic workstations using jtool2 or otool against samples staged in system paths during triage

Google Chronicle / SecOps

yaral

rule lc_main_hijacking_macho_inspection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Mach-O inspection tools invoked with LC_MAIN or load command flags against sensitive macOS system binary paths, indicating potential entry-point offset reconnaissance for T1149."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1149"
    platform = "macOS"
    false_positives = "Developer toolchains, Homebrew, security research"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.vendor_name = "Apple"
    (
      $e.principal.process.file.full_path = /\/(otool|jtool2?|vtool|install_name_tool|lipo)$/ or
      $e.target.process.file.full_path = /\/(otool|jtool2?|vtool|install_name_tool|lipo)$/
    )
    (
      $e.target.process.command_line = /(\s-l\s|--load-commands|LC_MAIN|LC_THREAD|LC_UNIXTHREAD|entryoff|stacksize)/i
    )
    (
      $e.target.process.command_line = /(\/Applications\/|\/usr\/(local\/)?bin\/|\/usr\/sbin\/|\/bin\/|\/sbin\/|\/opt\/)/
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle macOS UDM ingestion CrowdStrike Falcon Chronicle forwarding Carbon Black Chronicle integration

Required Tables

UDM PROCESS_LAUNCH events (metadata.event_type)

False Positives

Apple Developer Tools post-install hooks use install_name_tool to rewrite embedded library paths for applications installed into /Applications
Xcode-integrated build systems invoke otool during linking to verify Mach-O headers and load command integrity for both /usr/bin and /usr/local/bin targets
macOS endpoint detection and response tools that call otool internally to parse binary metadata for file classification and behavioral analytics

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName in ("otool", "jtool", "jtool2", "vtool", "install_name_tool", "lipo")
| regex(field=CommandLine, regex="(-l\\b|--load-commands|LC_MAIN|LC_THREAD|LC_UNIXTHREAD|entryoff|stacksize)", flags="i")
| regex(field=CommandLine, regex="(/Applications/|/usr/bin/|/usr/local/bin/|/usr/sbin/|/bin/|/sbin/|/opt/)", flags="i")
| OperatingSystemVersion = /macOS|Mac OS X/i OR PlatformName = /Mac/i
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, TargetProcessId, ContextProcessId],
    function=[
      count(aid, as=event_count),
      min(@timestamp, as=first_seen),
      max(@timestamp, as=last_seen)
    ]
  )
| sort(last_seen, order=desc)
| table(
    [last_seen, first_seen, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, TargetProcessId, event_count]
  )

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint (macOS sensor) Falcon ProcessRollup2 events

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Homebrew formulae installation scripts frequently call install_name_tool on binaries being linked into /usr/local/bin or /opt/homebrew/bin as part of dependency fixup
Automated macOS malware analysis sandboxes may run otool or jtool2 against samples as part of static pre-analysis before dynamic execution
Third-party macOS application packagers (e.g., Packages.app, pkgbuild wrappers) invoke lipo and install_name_tool when assembling universal binaries for /Applications distribution

LC_MAIN Hijacking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections