Detect LC_LOAD_DYLIB Addition in CrowdStrike LogScale
Adversaries may establish persistence by executing malicious content triggered by the loading of a dynamically linked shared library. Mach-O binaries on macOS have a series of load commands that dictate how/when the binary is executed, including a set of libraries to load. The LC_LOAD_DYLIB command in a Mach-O binary tells macOS to load a specific dynamic library (.dylib) when that binary executes. Adversaries can add their own LC_LOAD_DYLIB load command to any Mach-O binary, causing their malicious library to be loaded whenever the modified binary is executed. This provides persistence that is triggered by the execution of legitimate binaries.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.006 LC_LOAD_DYLIB Addition
- Canonical reference
- https://attack.mitre.org/techniques/T1546/006/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /install_name_tool|otool|codesign|lipo|jtool|jtool2|macho_tool/i
| CommandLine = /-add_rpath|-change |-rpath |LC_LOAD_DYLIB|@rpath|@loader_path|@executable_path/i
| event_platform = "Mac"
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, TargetProcessId])
| sort(field=_time, order=desc)Detects macOS Mach-O binary manipulation tool execution with LC_LOAD_DYLIB modification arguments using CrowdStrike Falcon telemetry. Monitors ProcessRollup2 events on Mac endpoints for known dylib injection utilities invoked with rpath or load command manipulation flags.
Data Sources
Required Tables
False Positives & Tuning
- Developer endpoints running Xcode build automation where install_name_tool is routinely called to embed correct dylib paths in application bundles
- macOS-based CI runners (GitHub Actions, GitLab, Jenkins on Mac) that execute binary post-processing steps involving otool and install_name_tool
- Penetration testers or red team operators legitimately analyzing binary dependencies using jtool2 or otool during authorized engagements
Other platforms for T1546.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Inspect Mach-O Binary Load Commands with otool
Expected signal: Process creation event for otool with -l /bin/ls arguments. The output reveals all existing dylib dependencies. This is reconnaissance activity that precedes actual injection.
- Test 2Add RPATH to Binary with install_name_tool
Expected signal: Process creation event for install_name_tool with -add_rpath flag. File modification event for /tmp/argus_test_binary. The combination of install_name_tool + -add_rpath + target binary is the key signal.
- Test 3Create Malicious Dylib in User Library Path
Expected signal: Process creation events for gcc. File creation event for libpayload.dylib in ~/Library/Application Support/.hidden — a hidden directory in a user-writable location. The .dylib file creation in a non-system path is the detection trigger.
References (5)
- https://attack.mitre.org/techniques/T1546/006/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.006/T1546.006.md
- https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x
- https://objective-see.org/blog.html
- https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/DynamicLibraryDesignGuidelines.html
Unlock Pro Content
Get the full detection package for T1546.006 including response playbook, investigation guide, and atomic red team tests.