Detect LC_LOAD_DYLIB Addition in Splunk
Adversaries may establish persistence by executing malicious content triggered by the loading of a dynamically linked shared library. Mach-O binaries on macOS have a series of load commands that dictate how/when the binary is executed, including a set of libraries to load. The LC_LOAD_DYLIB command in a Mach-O binary tells macOS to load a specific dynamic library (.dylib) when that binary executes. Adversaries can add their own LC_LOAD_DYLIB load command to any Mach-O binary, causing their malicious library to be loaded whenever the modified binary is executed. This provides persistence that is triggered by the execution of legitimate binaries.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.006 LC_LOAD_DYLIB Addition
- Canonical reference
- https://attack.mitre.org/techniques/T1546/006/
SPL Detection Query
index=syslog sourcetype=syslog host=*mac*
| eval IsMachoTool=if(match(_raw, "(install_name_tool|otool|codesign|lipo|jtool)"), 1, 0)
| eval IsDylibOp=if(match(_raw, "(-add_rpath|LC_LOAD_DYLIB|@rpath|@loader_path|@executable_path|-change|-rpath)"), 1, 0)
| eval IsFileWrite=if(match(_raw, "(\.dylib|/Library/|/usr/lib/|/System/Library/)"), 1, 0)
| where IsMachoTool=1 OR (IsDylibOp=1 AND IsFileWrite=1)
| table _time, host, user, _raw, IsMachoTool, IsDylibOp
| sort - _timeDetects LC_LOAD_DYLIB manipulation on macOS endpoints using syslog sources. Monitors for invocations of install_name_tool and otool with dylib-modifying flags, as well as file writes to common dylib locations. Requires macOS Unified Logging or endpoint agents that forward syslog-format data to Splunk. The combination of binary tool usage with @rpath or LC_LOAD_DYLIB arguments is the primary signal.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Developer build processes using install_name_tool for dylib path fixing
- Homebrew/MacPorts package managers using install_name_tool during installation
- CI/CD pipelines for macOS application development
- Security researchers analyzing binaries
Other platforms for T1546.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Inspect Mach-O Binary Load Commands with otool
Expected signal: Process creation event for otool with -l /bin/ls arguments. The output reveals all existing dylib dependencies. This is reconnaissance activity that precedes actual injection.
- Test 2Add RPATH to Binary with install_name_tool
Expected signal: Process creation event for install_name_tool with -add_rpath flag. File modification event for /tmp/argus_test_binary. The combination of install_name_tool + -add_rpath + target binary is the key signal.
- Test 3Create Malicious Dylib in User Library Path
Expected signal: Process creation events for gcc. File creation event for libpayload.dylib in ~/Library/Application Support/.hidden — a hidden directory in a user-writable location. The .dylib file creation in a non-system path is the detection trigger.
References (5)
- https://attack.mitre.org/techniques/T1546/006/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.006/T1546.006.md
- https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x
- https://objective-see.org/blog.html
- https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/DynamicLibraryDesignGuidelines.html
Unlock Pro Content
Get the full detection package for T1546.006 including response playbook, investigation guide, and atomic red team tests.