Detect LC_LOAD_DYLIB Addition in IBM QRadar
Adversaries may establish persistence by executing malicious content triggered by the loading of a dynamically linked shared library. Mach-O binaries on macOS have a series of load commands that dictate how/when the binary is executed, including a set of libraries to load. The LC_LOAD_DYLIB command in a Mach-O binary tells macOS to load a specific dynamic library (.dylib) when that binary executes. Adversaries can add their own LC_LOAD_DYLIB load command to any Mach-O binary, causing their malicious library to be loaded whenever the modified binary is executed. This provides persistence that is triggered by the execution of legitimate binaries.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.006 LC_LOAD_DYLIB Addition
- Canonical reference
- https://attack.mitre.org/techniques/T1546/006/
QRadar Detection Query
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time, sourceip, username, hostname, "processname", "commandline", CATEGORYNAME(category) AS category_name FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Apple Mac OS X', 'Linux') AND LOWER("processname") IN ('install_name_tool', 'otool', 'codesign', 'lipo', 'jtool', 'jtool2', 'macho_tool') AND ("commandline" ILIKE '%-add_rpath%' OR "commandline" ILIKE '%LC_LOAD_DYLIB%' OR "commandline" ILIKE '%@rpath%' OR "commandline" ILIKE '%@loader_path%' OR "commandline" ILIKE '%@executable_path%' OR "commandline" ILIKE '%-change%' OR "commandline" ILIKE '%-rpath%') AND starttime > NOW() - 86400000 ORDER BY starttime DESCDetects execution of macOS Mach-O binary manipulation utilities with dylib injection arguments, indicating potential LC_LOAD_DYLIB persistence technique. Queries syslog or endpoint telemetry sources in QRadar for process command lines matching known tool names and dylib-related flags.
Data Sources
Required Tables
False Positives & Tuning
- Developer workstations running Xcode-based build pipelines that regularly invoke install_name_tool to fix up embedded dylib paths
- CI/CD build agents on macOS performing code signing and binary relocation as part of application packaging
- IT administrators using macho analysis tools during software audits or compatibility testing
Other platforms for T1546.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Inspect Mach-O Binary Load Commands with otool
Expected signal: Process creation event for otool with -l /bin/ls arguments. The output reveals all existing dylib dependencies. This is reconnaissance activity that precedes actual injection.
- Test 2Add RPATH to Binary with install_name_tool
Expected signal: Process creation event for install_name_tool with -add_rpath flag. File modification event for /tmp/argus_test_binary. The combination of install_name_tool + -add_rpath + target binary is the key signal.
- Test 3Create Malicious Dylib in User Library Path
Expected signal: Process creation events for gcc. File creation event for libpayload.dylib in ~/Library/Application Support/.hidden — a hidden directory in a user-writable location. The .dylib file creation in a non-system path is the detection trigger.
References (5)
- https://attack.mitre.org/techniques/T1546/006/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.006/T1546.006.md
- https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x
- https://objective-see.org/blog.html
- https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/DynamicLibraryDesignGuidelines.html
Unlock Pro Content
Get the full detection package for T1546.006 including response playbook, investigation guide, and atomic red team tests.