Detect LC_MAIN Hijacking in Microsoft Sentinel
Adversaries may hijack the LC_MAIN Mach-O load command in macOS binaries to redirect initial execution flow to malicious code before returning control to the legitimate entry point. The LC_MAIN header, introduced in OS X 10.8, defines the entry point offset for a Mach-O executable. By patching this offset to point at an injected code section or cave, an attacker can execute arbitrary code under the identity of a trusted binary, bypassing application whitelisting controls that validate only the file path or name. This technique has been deprecated in the MITRE ATT&CK framework but remains relevant for forensic analysis of older macOS malware samples and legacy systems.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Canonical reference
- https://attack.mitre.org/techniques/T1149/
KQL Detection Query
// Part 1: Detect use of Mach-O binary inspection and manipulation tools with suspicious flags
let MachOInspectionTools = dynamic(["otool", "jtool", "jtool2", "vtool", "MachOView", "install_name_tool", "lipo"]);
let SuspiciousLoadCmdFlags = dynamic(["-l", "--load-commands", "LC_MAIN", "LC_THREAD", "LC_UNIXTHREAD", "entryoff", "stacksize"]);
let SensitivePaths = dynamic(["/Applications/", "/usr/bin/", "/usr/local/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/opt/"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (MachOInspectionTools)
| where ProcessCommandLine has_any (SuspiciousLoadCmdFlags)
| where ProcessCommandLine has_any (SensitivePaths)
| extend TargetBinary = extract(@"(?:/Applications/[^\s]+\.app/Contents/MacOS/[^\s]+|/usr/(?:bin|local/bin|sbin)/[^\s]+|/bin/[^\s]+|/opt/[^\s]+)", 0, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, TargetBinary,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
// Part 2: Detect writes to Mach-O executable locations by non-system processes
// Run separately or union with above
// DeviceFileEvents
// | where Timestamp > ago(24h)
// | where ActionType in ("FileModified", "FileCreated", "FileRenamed")
// | where FolderPath matches regex @"/Applications/[^/]+\.app/Contents/MacOS"
// or FolderPath startswith "/usr/bin/"
// or FolderPath startswith "/usr/local/bin/"
// or FolderPath startswith "/usr/sbin/"
// | where not(InitiatingProcessFileName in~ ("Installer", "softwareupdate", "pkgutil", "MRT", "XProtect", "trustd"))
// | project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLineDetects potential LC_MAIN hijacking activity on macOS endpoints enrolled in Microsoft Defender for Endpoint. The primary query identifies use of Mach-O inspection and manipulation tools (otool, jtool, vtool, install_name_tool) targeting sensitive binary paths with load command flags (LC_MAIN, LC_THREAD, entryoff). A secondary commented-out query detects writes to Mach-O executable locations within .app bundles and system binary directories by non-standard initiating processes. Both patterns are consistent with reconnaissance or modification stages of LC_MAIN entry point hijacking. Confidence is low due to the deprecated status of this technique, limited macOS telemetry in many MDE deployments, and high false positive rate from legitimate developer tooling.
Data Sources
Required Tables
False Positives & Tuning
- Security researchers and reverse engineers routinely use otool, jtool, and vtool with -l flags to inspect Mach-O load commands for legitimate analysis
- Software build pipelines (Xcode, CMake, conan) invoke install_name_tool and lipo against application binaries during compilation and packaging
- macOS application notarization and code signing workflows use codesign and related tools against .app bundle executables
- Third-party software managers (Homebrew, MacPorts) legitimately write to /usr/local/bin and /opt/ during package installation and upgrades
- System software updates via softwareupdate and MRT modify binaries in protected system paths
Other platforms for T1149
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Inspect LC_MAIN Entry Point of a System Binary
Expected signal: macOS Unified Log / ESF process event: process_name=otool, cmdline='otool -l /bin/ls', parent=bash/zsh. osquery process_open_files will show /bin/ls opened for reading by otool. No file modification events are generated by this read-only operation.
- Test 2Enumerate All Load Commands of a Sensitive Application Binary
Expected signal: ESF/stream:process event: process_name=otool, cmdline targeting /Applications/Safari.app/Contents/MacOS/Safari with -l flag. macOS FSEvent: Safari binary opened for reading with otool PID. DeviceProcessEvents (MDE): FileName=otool, ProcessCommandLine contains '-l' and '/Applications/Safari.app/Contents/MacOS/Safari'.
- Test 3Verify Code Signature Validity of a Modified Binary
Expected signal: ESF process event: process_name=codesign, cmdline contains '-v --deep --strict /bin/ls'. macOS Unified Log subsystem com.apple.security.codesigning records the verification result with target binary path and signing identity. If a binary were actually modified, this command would produce a 'code object is not signed at all' or 'a sealed resource is missing or invalid' error.
- Test 4Simulate Code Cave Discovery Using nm and size
Expected signal: ESF process events for nm and size with respective command lines targeting /usr/bin/true. Both binaries are in /usr/bin/ (a monitored sensitive path). DeviceProcessEvents: FileName in ('nm', 'size'), ProcessCommandLine contains '/usr/bin/true'. These events fire consecutively and may indicate scripted reconnaissance.
- Test 5Write a Test File to an App Bundle MacOS Directory (Simulated Binary Drop)
Expected signal: ESF/stream:file events: FileCreated for /tmp/TestApp.app/Contents/MacOS/TestApp and /tmp/TestApp.app/Contents/MacOS/TestApp.bak. DeviceFileEvents: ActionType=FileCreated, FolderPath contains '/MacOS/', InitiatingProcessFileName=bash/zsh. The /tmp/ path is not in the monitored sensitive paths by default — adjust the FolderPath filter to include /tmp/*.app/Contents/MacOS/ for this test to trigger the hunting query.
References (9)
- https://attack.mitre.org/techniques/T1149/
- https://assets.documentcloud.org/documents/2459197/bit9-carbon-black-threat-research-report-2015.pdf
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/MachOTopics/0-Introduction/introduction.html
- https://github.com/aidansteele/osx-abi-macho-file-format-reference
- https://redcanary.com/blog/mac-malware-2021/
- https://objective-see.org/blog.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1149/T1149.md
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
Unlock Pro Content
Get the full detection package for T1149 including response playbook, investigation guide, and atomic red team tests.