Detect LC_LOAD_DYLIB Addition in Elastic Security
Adversaries may establish persistence by executing malicious content triggered by the loading of a dynamically linked shared library. Mach-O binaries on macOS have a series of load commands that dictate how/when the binary is executed, including a set of libraries to load. The LC_LOAD_DYLIB command in a Mach-O binary tells macOS to load a specific dynamic library (.dylib) when that binary executes. Adversaries can add their own LC_LOAD_DYLIB load command to any Mach-O binary, causing their malicious library to be loaded whenever the modified binary is executed. This provides persistence that is triggered by the execution of legitimate binaries.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.006 LC_LOAD_DYLIB Addition
- Canonical reference
- https://attack.mitre.org/techniques/T1546/006/
Elastic Detection Query
process where host.os.type == "macos" and event.type == "start" and process.name in ("install_name_tool", "otool", "codesign", "lipo", "jtool", "jtool2", "macho_tool") and process.args : ("-add_rpath", "-change", "-rpath", "LC_LOAD_DYLIB", "@rpath", "@loader_path", "@executable_path")Detects use of Mach-O binary manipulation tools (install_name_tool, otool, jtool) with arguments associated with LC_LOAD_DYLIB modification, which adversaries use to inject malicious dylibs into legitimate binaries for persistence.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software developers using install_name_tool or otool during build and packaging workflows on macOS
- Security researchers and reverse engineers analyzing Mach-O binaries using jtool or otool
- macOS package managers (Homebrew, MacPorts) adjusting dylib paths during installation or relocation of software
Other platforms for T1546.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Inspect Mach-O Binary Load Commands with otool
Expected signal: Process creation event for otool with -l /bin/ls arguments. The output reveals all existing dylib dependencies. This is reconnaissance activity that precedes actual injection.
- Test 2Add RPATH to Binary with install_name_tool
Expected signal: Process creation event for install_name_tool with -add_rpath flag. File modification event for /tmp/argus_test_binary. The combination of install_name_tool + -add_rpath + target binary is the key signal.
- Test 3Create Malicious Dylib in User Library Path
Expected signal: Process creation events for gcc. File creation event for libpayload.dylib in ~/Library/Application Support/.hidden — a hidden directory in a user-writable location. The .dylib file creation in a non-system path is the detection trigger.
References (5)
- https://attack.mitre.org/techniques/T1546/006/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.006/T1546.006.md
- https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x
- https://objective-see.org/blog.html
- https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/DynamicLibraryDesignGuidelines.html
Unlock Pro Content
Get the full detection package for T1546.006 including response playbook, investigation guide, and atomic red team tests.