Detect LC_MAIN Hijacking in Splunk
Adversaries may hijack the LC_MAIN Mach-O load command in macOS binaries to redirect initial execution flow to malicious code before returning control to the legitimate entry point. The LC_MAIN header, introduced in OS X 10.8, defines the entry point offset for a Mach-O executable. By patching this offset to point at an injected code section or cave, an attacker can execute arbitrary code under the identity of a trusted binary, bypassing application whitelisting controls that validate only the file path or name. This technique has been deprecated in the MITRE ATT&CK framework but remains relevant for forensic analysis of older macOS malware samples and legacy systems.
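The description above says LC_MAIN stores an entry point offset and that the hijack works by pointing that offset somewhere outside the legitimate code. The forensic check that follows from this is mechanical: walk the load commands, read `entryoff`, and confirm it lands inside the `__TEXT,__text` section. The script below is an added example (not code from the original page) that does exactly that for a 64-bit little-endian Mach-O; `build_sample()` constructs a minimal in-memory Mach-O so the check runs offline, and the layout constants and the trailing bytes that stand in for a code cave are assumptions for that constructed sample.

```python
"""Walk a 64-bit Mach-O's load commands and sanity-check LC_MAIN.entryoff.

Added example, not the page's own code. The check is whether entryoff lands
inside __TEXT,__text; a constructed minimal Mach-O is built in memory so the
script runs offline. check_entry_point() also accepts real file bytes.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_MAIN = 0x80000028          # LC_REQ_DYLD | 0x28
HEADER_LEN = 32               # sizeof(struct mach_header_64)
SEG_LEN, SECT_LEN = 72, 80    # sizeof(segment_command_64), sizeof(section_64)


def load_commands(data):
    """Yield (cmd, cmdsize, file_offset) for each load command in the header."""
    magic, _cpu, _sub, _ft, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (magic %#x)" % magic)
    off = HEADER_LEN
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > HEADER_LEN + sizeofcmds:
            raise ValueError("load command at %#x overruns sizeofcmds" % off)
        yield cmd, cmdsize, off
        off += cmdsize


def sections(data):
    """Yield (segname, sectname, file_offset, size) for every section_64."""
    for cmd, _size, off in load_commands(data):
        if cmd != LC_SEGMENT_64:
            continue
        segname = data[off + 8:off + 24].rstrip(b"\0")
        nsects = struct.unpack_from("<I", data, off + 64)[0]
        for i in range(nsects):
            s = off + SEG_LEN + i * SECT_LEN
            sectname = data[s:s + 16].rstrip(b"\0")
            size = struct.unpack_from("<Q", data, s + 40)[0]
            fileoff = struct.unpack_from("<I", data, s + 48)[0]
            yield segname, sectname, fileoff, size


def check_entry_point(data):
    """Return (entryoff, verdict); verdict is 'ok', 'no LC_MAIN' or 'suspicious: ...'."""
    entryoff = None
    for cmd, _size, off in load_commands(data):
        if cmd == LC_MAIN:
            entryoff, _stacksize = struct.unpack_from("<QQ", data, off + 8)
    if entryoff is None:
        return None, "no LC_MAIN"
    if entryoff >= len(data):
        return entryoff, "suspicious: entryoff beyond end of file"
    for seg, sect, fileoff, size in sections(data):
        if seg == b"__TEXT" and sect == b"__text" and fileoff <= entryoff < fileoff + size:
            return entryoff, "ok"
    return entryoff, "suspicious: entryoff outside __TEXT,__text"


def build_sample(entryoff, text_off=0x100, text_size=0x40, tail=0x40):
    """Constructed minimal Mach-O: one __TEXT segment with a __text section and one LC_MAIN."""
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, SEG_LEN + SECT_LEN, b"__TEXT",
                      0x100000000, 0x1000, 0, text_off + text_size + tail, 5, 5, 1, 0)
    sect = struct.pack("<16s16sQQ8I", b"__text", b"__TEXT", 0x100000000 + text_off, text_size,
                       text_off, 4, 0, 0, 0x80000400, 0, 0, 0)
    main = struct.pack("<IIQQ", LC_MAIN, 24, entryoff, 0)
    cmds = seg + sect + main
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    body = hdr + cmds
    body += b"\0" * (text_off - len(body))
    body += b"\xc3" * text_size   # stand-in bytes for real instructions inside __text
    body += b"\x90" * tail        # constructed trailing bytes outside any section
    return body


if __name__ == "__main__":
    for label, eo in (("legit", 0x110), ("patched", 0x150)):
        print(label, check_entry_point(build_sample(eo)))
```

On a real system the same function can be run over the bytes of any binary under the monitored paths, and a baseline of `(entryoff, verdict)` per path gives a cheap integrity check to pair with the Splunk query; fat (universal) binaries need their architecture slices split out first, which this example does not do.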
MITRE ATT&CK
- Tactic: Defense Evasion
- Canonical reference: https://attack.mitre.org/techniques/T1149/
SPL Detection Query
| union
[search index=osquery sourcetype="osquery:results" name="pack_*_mach_o_info" OR name="pack_*_process_open_files"
| eval FilePath=coalesce('columns.path', 'columns.filename')
| where match(FilePath, "(?i)(/Applications/[^/]+\.app/Contents/MacOS/|/usr/(local/)?bin/|/usr/sbin/|/bin/|/opt/)")
| eval QueryType="osquery_macho_file_access"
| table _time, host, name, FilePath, QueryType]
[search index=endpoint sourcetype="stream:process" OR sourcetype="macos:endpointsecurity"
(process_name="otool" OR process_name="jtool" OR process_name="jtool2" OR process_name="vtool" OR process_name="install_name_tool" OR process_name="lipo")
| eval CmdLine=coalesce(process_cmdline, cmd_line, cmdline)
| eval CmdLineLower=lower(CmdLine)
| eval HasLoadCmdFlag=if(match(CmdLineLower, "(-l|--load-commands|lc_main|lc_thread|lc_unixthread|entryoff|stacksize)"), 1, 0)
| eval TargetsSensitivePath=if(match(CmdLine, "(/Applications/|/usr/bin/|/usr/local/bin/|/usr/sbin/|/bin/|/sbin/|/opt/)"), 1, 0)
| where HasLoadCmdFlag=1 AND TargetsSensitivePath=1
| eval QueryType="macho_tool_with_load_cmd_flag"
| table _time, host, user, process_name, CmdLine, parent_process_name, HasLoadCmdFlag, TargetsSensitivePath, QueryType]
| sort - _time
| table _time, host, user, process_name, CmdLine, parent_process_name, FilePath, name, QueryType

Detects LC_MAIN hijacking reconnaissance and modification activity on macOS hosts reporting to Splunk via osquery or macOS Endpoint Security Framework (ESF) data. The first branch queries osquery Mach-O analysis packs for file access events on sensitive binary paths. The second branch identifies Mach-O manipulation tools (otool, jtool/jtool2, vtool, install_name_tool, lipo) invoked with load command inspection flags (-l, LC_MAIN, entryoff) against sensitive system and application directories. Both branches are unioned and sorted by time for analyst review; the final table keeps FilePath and name so that rows from the osquery branch remain meaningful next to the process branch. Confidence is low due to broad legitimate developer use of these tools and the deprecated nature of this technique.
Data Sources
Required Sourcetypes
- index=osquery, sourcetype=osquery:results (pack_*_mach_o_info and pack_*_process_open_files results)
- index=endpoint, sourcetype=stream:process or macos:endpointsecurity (process execution events carrying the command line, user and parent process)
False Positives & Tuning
- Xcode and Apple Developer toolchains invoke otool and install_name_tool extensively during normal build operations
- Security tools (Objective-See products, Jamf Protect) inspect Mach-O load commands as part of legitimate endpoint monitoring
- Homebrew formula builds routinely use lipo and install_name_tool to adjust library paths for universal binaries
- Reverse engineering education and malware analysis labs generate high volumes of otool and jtool invocations against system binaries
- CI/CD pipelines building macOS applications (GitHub Actions macOS runners, CircleCI) invoke these tools during artifact preparation
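The second branch of the query and the tuning notes above describe a small amount of logic: match the tool name, test the lower-cased command line for a load-command flag, test it for a sensitive path, then suppress the build-tool cases. The script below is an added example (not the page's own code) that re-implements that branch in Python over constructed process events and adds a parent-process allow-list as one concrete form of the tuning; the `BENIGN_PARENTS` set, the event records and the field names beyond those used in the query are assumptions for the example.

```python
"""Python re-implementation of the query's process-telemetry branch with a
parent-process allow-list for the tuning cases. Added example, not the page's
own code; SAMPLE_EVENTS are constructed, not captured telemetry."""
import re

MACHO_TOOLS = {"otool", "jtool", "jtool2", "vtool", "install_name_tool", "lipo"}
# The same patterns the SPL applies; the first one runs on the lower-cased command line.
LOAD_CMD_FLAG = re.compile(r"(-l|--load-commands|lc_main|lc_thread|lc_unixthread|entryoff|stacksize)")
SENSITIVE_PATH = re.compile(r"(/Applications/|/usr/bin/|/usr/local/bin/|/usr/sbin/|/bin/|/sbin/|/opt/)")
# Hypothetical allow-list drawn from the false-positive notes: build tooling as the parent.
BENIGN_PARENTS = frozenset({"xcodebuild", "brew", "clang", "ld"})

SAMPLE_EVENTS = [  # constructed records in the shape the query's coalesce() expects
    {"id": 1, "host": "mac-01", "user": "alice", "process_name": "otool",
     "process_cmdline": "otool -l /bin/ls", "parent_process_name": "zsh"},
    {"id": 2, "host": "build-07", "user": "ci", "process_name": "otool",
     "process_cmdline": "otool -L /Applications/Xcode.app/Contents/MacOS/Xcode",
     "parent_process_name": "xcodebuild"},
    {"id": 3, "host": "mac-02", "user": "bob", "process_name": "install_name_tool",
     "process_cmdline": "install_name_tool -change @rpath/libz.dylib /usr/local/lib/libz.dylib ./build/app",
     "parent_process_name": "brew"},
    {"id": 4, "host": "mac-03", "user": "carol", "process_name": "lipo",
     "process_cmdline": "lipo -info /usr/bin/true", "parent_process_name": "bash"},
    {"id": 5, "host": "mac-01", "user": "alice", "process_name": "jtool2",
     "process_cmdline": "jtool2 -l /usr/sbin/sshd", "parent_process_name": "python3"},
    {"id": 6, "host": "mac-04", "user": "dave", "process_name": "otool",
     "process_cmdline": "otool -l ./target/release/myapp", "parent_process_name": "zsh"},
]


def evaluate(event):
    """Mirror the SPL eval/where chain; return None when the event does not match."""
    if event.get("process_name") not in MACHO_TOOLS:
        return None
    cmd = event.get("process_cmdline") or event.get("cmd_line") or event.get("cmdline") or ""
    has_flag = bool(LOAD_CMD_FLAG.search(cmd.lower()))
    sensitive = bool(SENSITIVE_PATH.search(cmd))
    if not (has_flag and sensitive):
        return None
    return {
        "id": event["id"], "host": event["host"], "user": event["user"],
        "process_name": event["process_name"], "CmdLine": cmd,
        "parent_process_name": event["parent_process_name"],
        "HasLoadCmdFlag": 1, "TargetsSensitivePath": 1,
        "QueryType": "macho_tool_with_load_cmd_flag",
    }


def detect(events, allow_parents=frozenset()):
    """Return (raw hits, hits that survive the parent-process allow-list)."""
    hits = [h for h in (evaluate(e) for e in events) if h]
    tuned = [h for h in hits if h["parent_process_name"] not in allow_parents]
    return hits, tuned


if __name__ == "__main__":
    raw, kept = detect(SAMPLE_EVENTS, BENIGN_PARENTS)
    print("raw hits:", [h["id"] for h in raw], "after tuning:", [h["id"] for h in kept])
```

Event 2 shows a side effect worth knowing about when tuning: because the query lowercases the command line before matching, `otool -L` (the very common shared-library listing) satisfies the `-l` alternative just as `otool -l` does, so build hosts running Xcode or Homebrew will produce steady hits unless the parent process or host is allow-listed as above.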
Testing Methodology
Validate this detection against 5 Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Inspect LC_MAIN Entry Point of a System Binary
Expected signal: macOS Unified Log / ESF process event: process_name=otool, cmdline='otool -l /bin/ls', parent=bash/zsh. osquery process_open_files will show /bin/ls opened for reading by otool. No file modification events are generated by this read-only operation.
- Test 2: Enumerate All Load Commands of a Sensitive Application Binary
Expected signal: ESF/stream:process event: process_name=otool, cmdline targeting /Applications/Safari.app/Contents/MacOS/Safari with -l flag. macOS FSEvent: Safari binary opened for reading with otool PID. DeviceProcessEvents (MDE): FileName=otool, ProcessCommandLine contains '-l' and '/Applications/Safari.app/Contents/MacOS/Safari'.
- Test 3: Verify Code Signature Validity of a Modified Binary
Expected signal: ESF process event: process_name=codesign, cmdline contains '-v --deep --strict /bin/ls'. macOS Unified Log subsystem com.apple.security.codesigning records the verification result with target binary path and signing identity. If a binary were actually modified, this command would produce a 'code object is not signed at all' or 'a sealed resource is missing or invalid' error.
- Test 4: Simulate Code Cave Discovery Using nm and size
Expected signal: ESF process events for nm and size with respective command lines targeting /usr/bin/true. Both binaries are in /usr/bin/ (a monitored sensitive path). DeviceProcessEvents: FileName in ('nm', 'size'), ProcessCommandLine contains '/usr/bin/true'. These events fire consecutively and may indicate scripted reconnaissance.
- Test 5: Write a Test File to an App Bundle MacOS Directory (Simulated Binary Drop)
Expected signal: ESF/stream:file events: FileCreated for /tmp/TestApp.app/Contents/MacOS/TestApp and /tmp/TestApp.app/Contents/MacOS/TestApp.bak. DeviceFileEvents: ActionType=FileCreated, FolderPath contains '/MacOS/', InitiatingProcessFileName=bash/zsh. The /tmp/ path is not in the monitored sensitive paths by default; adjust the FolderPath filter to include /tmp/*.app/Contents/MacOS/ for this test to trigger the hunting query.
References
- https://attack.mitre.org/techniques/T1149/
- https://assets.documentcloud.org/documents/2459197/bit9-carbon-black-threat-research-report-2015.pdf
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
- https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/MachOTopics/0-Introduction/introduction.html
- https://github.com/aidansteele/osx-abi-macho-file-format-reference
- https://redcanary.com/blog/mac-malware-2021/
- https://objective-see.org/blog.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1149/T1149.md
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/