Which SIEM platforms have a T1149 detection rule?

df00tech provides T1149 (LC_MAIN Hijacking) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1149 detection?

The T1149 detection is rated high severity with low confidence.

What are common false positives for T1149?

Common false positives for T1149 include: Security researchers and reverse engineers routinely use otool, jtool, and vtool with -l flags to inspect Mach-O load commands for legitimate analysis; Software build pipelines (Xcode, CMake, conan) invoke install_name_tool and lipo against application binaries during compilation and packaging; macOS application notarization and code signing workflows use codesign and related tools against .app bundle executables.

T1149

LC_MAIN Hijacking

Q: What data sources are required to detect LC_MAIN Hijacking (T1149)?

Detecting LC_MAIN Hijacking requires the following data sources: Process: Process Creation, File: File Modification, Microsoft Defender for Endpoint (macOS agent).

Defense Evasion Last updated: April 18, 2026

Adversaries may hijack the LC_MAIN Mach-O load command in macOS binaries to redirect initial execution flow to malicious code before returning control to the legitimate entry point. The LC_MAIN header, introduced in OS X 10.8, defines the entry point offset for a Mach-O executable. By patching this offset to point at an injected code section or cave, an attacker can execute arbitrary code under the identity of a trusted binary, bypassing application whitelisting controls that validate only the file path or name. This technique has been deprecated in the MITRE ATT&CK framework but remains relevant for forensic analysis of older macOS malware samples and legacy systems.

What is T1149 LC_MAIN Hijacking?

LC_MAIN Hijacking (T1149) maps to the Defense Evasion tactic — the adversary is trying to avoid being detected in MITRE ATT&CK.

This page provides production-ready detection logic for LC_MAIN Hijacking, covering the data sources and telemetry it touches: Process: Process Creation, File: File Modification, Microsoft Defender for Endpoint (macOS agent). The queries below are rated high severity at low confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Defense Evasion
Canonical reference: https://attack.mitre.org/techniques/T1149/

Microsoft Sentinel / Defender

kusto

// Part 1: Detect use of Mach-O binary inspection and manipulation tools with suspicious flags
let MachOInspectionTools = dynamic(["otool", "jtool", "jtool2", "vtool", "MachOView", "install_name_tool", "lipo"]);
let SuspiciousLoadCmdFlags = dynamic(["-l", "--load-commands", "LC_MAIN", "LC_THREAD", "LC_UNIXTHREAD", "entryoff", "stacksize"]);
let SensitivePaths = dynamic(["/Applications/", "/usr/bin/", "/usr/local/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/opt/"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (MachOInspectionTools)
| where ProcessCommandLine has_any (SuspiciousLoadCmdFlags)
| where ProcessCommandLine has_any (SensitivePaths)
| extend TargetBinary = extract(@"(?:/Applications/[^\s]+\.app/Contents/MacOS/[^\s]+|/usr/(?:bin|local/bin|sbin)/[^\s]+|/bin/[^\s]+|/opt/[^\s]+)", 0, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, TargetBinary,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
// Part 2: Detect writes to Mach-O executable locations by non-system processes
// Run separately or union with above
// DeviceFileEvents
// | where Timestamp > ago(24h)
// | where ActionType in ("FileModified", "FileCreated", "FileRenamed")
// | where FolderPath matches regex @"/Applications/[^/]+\.app/Contents/MacOS"
//    or FolderPath startswith "/usr/bin/"
//    or FolderPath startswith "/usr/local/bin/"
//    or FolderPath startswith "/usr/sbin/"
// | where not(InitiatingProcessFileName in~ ("Installer", "softwareupdate", "pkgutil", "MRT", "XProtect", "trustd"))
// | project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine

Detects potential LC_MAIN hijacking activity on macOS endpoints enrolled in Microsoft Defender for Endpoint. The primary query identifies use of Mach-O inspection and manipulation tools (otool, jtool, vtool, install_name_tool) targeting sensitive binary paths with load command flags (LC_MAIN, LC_THREAD, entryoff). A secondary commented-out query detects writes to Mach-O executable locations within .app bundles and system binary directories by non-standard initiating processes. Both patterns are consistent with reconnaissance or modification stages of LC_MAIN entry point hijacking. Confidence is low due to the deprecated status of this technique, limited macOS telemetry in many MDE deployments, and high false positive rate from legitimate developer tooling.

high severity low confidence

Data Sources

Process: Process Creation File: File Modification Microsoft Defender for Endpoint (macOS agent)

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Security researchers and reverse engineers routinely use otool, jtool, and vtool with -l flags to inspect Mach-O load commands for legitimate analysis
Software build pipelines (Xcode, CMake, conan) invoke install_name_tool and lipo against application binaries during compilation and packaging
macOS application notarization and code signing workflows use codesign and related tools against .app bundle executables
Third-party software managers (Homebrew, MacPorts) legitimately write to /usr/local/bin and /opt/ during package installation and upgrades
System software updates via softwareupdate and MRT modify binaries in protected system paths

Splunk

spl

| union
  [search index=osquery sourcetype="osquery:results" name="pack_*_mach_o_info" OR name="pack_*_process_open_files"
  | eval FilePath=coalesce('columns.path', 'columns.filename')
  | where match(FilePath, "(?i)(/Applications/[^/]+\.app/Contents/MacOS/|/usr/(local/)?bin/|/usr/sbin/|/bin/|/opt/)")
  | eval QueryType="osquery_macho_file_access"
  | table _time, host, name, FilePath, QueryType]
  [search index=endpoint sourcetype="stream:process" OR sourcetype="macos:endpointsecurity"
  (process_name="otool" OR process_name="jtool" OR process_name="jtool2" OR process_name="vtool" OR process_name="install_name_tool" OR process_name="lipo")
  | eval CmdLine=coalesce(process_cmdline, cmd_line, cmdline)
  | eval CmdLineLower=lower(CmdLine)
  | eval HasLoadCmdFlag=if(match(CmdLineLower, "(-l|--load-commands|lc_main|lc_thread|lc_unixthread|entryoff|stacksize)"), 1, 0)
  | eval TargetsSensitivePath=if(match(CmdLine, "(/Applications/|/usr/bin/|/usr/local/bin/|/usr/sbin/|/bin/|/sbin/|/opt/)"), 1, 0)
  | where HasLoadCmdFlag=1 AND TargetsSensitivePath=1
  | eval QueryType="macho_tool_with_load_cmd_flag"
  | table _time, host, user, process_name, CmdLine, parent_process_name, HasLoadCmdFlag, TargetsSensitivePath, QueryType]
| sort - _time
| table _time, host, user, process_name, CmdLine, parent_process_name, QueryType

Detects LC_MAIN hijacking reconnaissance and modification activity on macOS hosts reporting to Splunk via osquery or macOS Endpoint Security Framework (ESF) data. The first branch queries osquery Mach-O analysis packs for file access events on sensitive binary paths. The second branch identifies Mach-O manipulation tools (otool, jtool, vtool, install_name_tool) invoked with load command inspection flags (-l, LC_MAIN, entryoff) against sensitive system and application directories. Both branches are unioned and sorted by time for analyst review. Confidence is low due to broad legitimate developer use of these tools and the deprecated nature of this technique.

high severity low confidence

Data Sources

Process: Process Creation File: File Access osquery macOS Endpoint Security Framework

Required Sourcetypes

osquery:results stream:process macos:endpointsecurity

False Positives

Xcode and Apple Developer toolchains invoke otool and install_name_tool extensively during normal build operations
Security tools (Objective-See products, Jamf Protect) inspect Mach-O load commands as part of legitimate endpoint monitoring
Homebrew formula builds routinely use lipo and install_name_tool to adjust library paths for universal binaries
Reverse engineering education and malware analysis labs generate high volumes of otool and jtool invocations against system binaries
CI/CD pipelines building macOS applications (GitHub Actions macOS runners, CircleCI) invoke these tools during artifact preparation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS host_ip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Apple macOS Security', 'Syslog', 'Linux OS')
  AND (
    "Process Name" IN ('otool', 'jtool', 'jtool2', 'vtool', 'install_name_tool', 'lipo')
    OR "Process Name" ILIKE '%jtool%'
  )
  AND (
    "Command" ILIKE '% -l %'
    OR "Command" ILIKE '%--load-commands%'
    OR "Command" ILIKE '%LC_MAIN%'
    OR "Command" ILIKE '%LC_THREAD%'
    OR "Command" ILIKE '%LC_UNIXTHREAD%'
    OR "Command" ILIKE '%entryoff%'
    OR "Command" ILIKE '%stacksize%'
  )
  AND (
    "Command" ILIKE '%/Applications/%'
    OR "Command" ILIKE '%/usr/bin/%'
    OR "Command" ILIKE '%/usr/local/bin/%'
    OR "Command" ILIKE '%/usr/sbin/%'
    OR "Command" ILIKE '%/bin/%'
    OR "Command" ILIKE '%/sbin/%'
    OR "Command" ILIKE '%/opt/%'
  )
  AND devicetime > NOW() - 24 HOURS
ORDER BY devicetime DESC
LIMIT 500

QRadar AQL query detecting Mach-O binary inspection tool executions on macOS endpoints where load command enumeration flags are combined with sensitive system binary paths. Correlates against syslog and macOS security event sources to surface LC_MAIN reconnaissance activity.

high severity medium confidence

Data Sources

QRadar macOS Security log source QRadar Syslog DSM (macOS endpoint syslog) osquery log source via Universal DSM

Required Tables

events

False Positives

Homebrew package installation and post-install scripts routinely invoke install_name_tool against binaries being placed into /usr/local/bin or /opt/homebrew
Code signing pipelines and CI/CD build agents may use lipo and vtool to strip or inspect universal binaries targeting /Applications staging directories
Automated macOS software inventory tools that shell out to otool to collect binary metadata across system directories for asset management purposes

Google Chronicle / SecOps

yaral

rule lc_main_hijacking_macho_inspection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Mach-O inspection tools invoked with LC_MAIN or load command flags against sensitive macOS system binary paths, indicating potential entry-point offset reconnaissance for T1149."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1149"
    platform = "macOS"
    false_positives = "Developer toolchains, Homebrew, security research"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.vendor_name = "Apple"
    (
      $e.principal.process.file.full_path = /\/(otool|jtool2?|vtool|install_name_tool|lipo)$/ or
      $e.target.process.file.full_path = /\/(otool|jtool2?|vtool|install_name_tool|lipo)$/
    )
    (
      $e.target.process.command_line = /(\s-l\s|--load-commands|LC_MAIN|LC_THREAD|LC_UNIXTHREAD|entryoff|stacksize)/i
    )
    (
      $e.target.process.command_line = /(\/Applications\/|\/usr\/(local\/)?bin\/|\/usr\/sbin\/|\/bin\/|\/sbin\/|\/opt\/)/
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting macOS Mach-O binary inspection tool executions where load command enumeration flags (LC_MAIN, LC_THREAD, entryoff) are used against binaries in sensitive system directories. Uses UDM PROCESS_LAUNCH events from macOS endpoint telemetry.

high severity medium confidence

Data Sources

Google Chronicle macOS UDM ingestion CrowdStrike Falcon Chronicle forwarding Carbon Black Chronicle integration

Required Tables

UDM PROCESS_LAUNCH events (metadata.event_type)

False Positives

Apple Developer Tools post-install hooks use install_name_tool to rewrite embedded library paths for applications installed into /Applications
Xcode-integrated build systems invoke otool during linking to verify Mach-O headers and load command integrity for both /usr/bin and /usr/local/bin targets
macOS endpoint detection and response tools that call otool internally to parse binary metadata for file classification and behavioral analytics

Sigma rule & cross-platform mapping

The detection logic for LC_MAIN Hijacking (T1149) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1149 Sigma rules on detection.fyi

Platform-specific guides for T1149

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-18 Research depth: deep

References (7)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Inspect LC_MAIN Entry Point of a System Binary
Expected signal: macOS Unified Log / ESF process event: process_name=otool, cmdline='otool -l /bin/ls', parent=bash/zsh. osquery process_open_files will show /bin/ls opened for reading by otool. No file modification events are generated by this read-only operation.
Test 2Enumerate All Load Commands of a Sensitive Application Binary
Expected signal: ESF/stream:process event: process_name=otool, cmdline targeting /Applications/Safari.app/Contents/MacOS/Safari with -l flag. macOS FSEvent: Safari binary opened for reading with otool PID. DeviceProcessEvents (MDE): FileName=otool, ProcessCommandLine contains '-l' and '/Applications/Safari.app/Contents/MacOS/Safari'.
Test 3Verify Code Signature Validity of a Modified Binary
Expected signal: ESF process event: process_name=codesign, cmdline contains '-v --deep --strict /bin/ls'. macOS Unified Log subsystem com.apple.security.codesigning records the verification result with target binary path and signing identity. If a binary were actually modified, this command would produce a 'code object is not signed at all' or 'a sealed resource is missing or invalid' error.
Test 4Simulate Code Cave Discovery Using nm and size
Expected signal: ESF process events for nm and size with respective command lines targeting /usr/bin/true. Both binaries are in /usr/bin/ (a monitored sensitive path). DeviceProcessEvents: FileName in ('nm', 'size'), ProcessCommandLine contains '/usr/bin/true'. These events fire consecutively and may indicate scripted reconnaissance.
Test 5Write a Test File to an App Bundle MacOS Directory (Simulated Binary Drop)
Expected signal: ESF/stream:file events: FileCreated for /tmp/TestApp.app/Contents/MacOS/TestApp and /tmp/TestApp.app/Contents/MacOS/TestApp.bak. DeviceFileEvents: ActionType=FileCreated, FolderPath contains '/MacOS/', InitiatingProcessFileName=bash/zsh. The /tmp/ path is not in the monitored sensitive paths by default — adjust the FolderPath filter to include /tmp/*.app/Contents/MacOS/ for this test to trigger the hunting query.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1149 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hub

TA0005Defense Evasion

Related Techniques

T1027Obfuscated Files or Information T1574.006Dynamic Linker Hijacking T1574.004Dylib Hijacking T1553.002Code Signing T1036Masquerading T1564.001Hidden Files and Directories T1195.002Compromise Software Supply Chain T1134Access Token Manipulation

LC_MAIN Hijacking

What is T1149 LC_MAIN Hijacking?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1149

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1149 LC_MAIN Hijacking?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1149

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox