T1546.006 Sumo Logic CSE · Sumo

Detect LC_LOAD_DYLIB Addition in Sumo Logic CSE

Adversaries may establish persistence by executing malicious content triggered by the loading of a dynamically linked shared library. Mach-O binaries on macOS have a series of load commands that dictate how/when the binary is executed, including a set of libraries to load. The LC_LOAD_DYLIB command in a Mach-O binary tells macOS to load a specific dynamic library (.dylib) when that binary executes. Adversaries can add their own LC_LOAD_DYLIB load command to any Mach-O binary, causing their malicious library to be loaded whenever the modified binary is executed. This provides persistence that is triggered by the execution of legitimate binaries.
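The load-command walk described above is what a defender reproduces when auditing a binary's dependencies (the same information `otool -l` prints). The following is an added example, not code from the page or from Sumo Logic: it builds a constructed in-memory 64-bit Mach-O header (a test fixture, not a real binary), parses its load commands, lists every LC_LOAD_DYLIB entry, and separates out dependencies that do not resolve to a system library path. The fixture builders, the sample paths and the function names are all assumptions made for the example.

```python
"""Added example (not part of the page): parse LC_LOAD_DYLIB and LC_RPATH
load commands from a 64-bit Mach-O image and flag dependencies that live
outside system library paths. Input is a constructed header, not a real binary.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF      # little-endian 64-bit Mach-O magic
LC_LOAD_DYLIB = 0x0C
LC_RPATH = 0x8000001C         # 0x1C | LC_REQ_DYLD
HEADER_SIZE = 32              # sizeof(struct mach_header_64)
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")


def _pad8(b: bytes) -> bytes:
    """Load commands in 64-bit images are padded to 8-byte multiples."""
    return b + b"\0" * (-len(b) % 8)


def _cstring(buf: bytes, off: int) -> str:
    return buf[off:buf.index(b"\0", off)].decode()


# --- fixture builders: constructed data so the parser can run offline -------
def dylib_command(path: str) -> bytes:
    name = _pad8(path.encode() + b"\0")
    # struct dylib_command: cmd, cmdsize, then struct dylib
    # (name offset, timestamp, current_version, compatibility_version)
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(name),
                       24, 2, 0x10000, 0x10000) + name


def rpath_command(path: str) -> bytes:
    name = _pad8(path.encode() + b"\0")
    # struct rpath_command: cmd, cmdsize, path offset
    return struct.pack("<III", LC_RPATH, 12 + len(name), 12) + name


def build_macho(cmds) -> bytes:
    body = b"".join(cmds)
    # mach_header_64: magic, cputype (x86_64), cpusubtype, filetype (MH_EXECUTE),
    # ncmds, sizeofcmds, flags, reserved
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                      len(cmds), len(body), 0, 0)
    return hdr + body


# --- parser: the audit side, analogous to `otool -l` -------------------------
def load_commands(data: bytes):
    """Yield (cmd, raw_bytes) for each load command, with bounds checking."""
    magic, ncmds, sizeofcmds = struct.unpack_from("<I12xII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    end = min(HEADER_SIZE + sizeofcmds, len(data))
    off = HEADER_SIZE
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed cmdsize at offset %d" % off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize


def dylib_dependencies(data: bytes):
    """Every library the loader will map because of an LC_LOAD_DYLIB command."""
    return [_cstring(raw, struct.unpack_from("<I", raw, 8)[0])
            for cmd, raw in load_commands(data) if cmd == LC_LOAD_DYLIB]


def rpaths(data: bytes):
    """LC_RPATH search directories used to resolve @rpath/ references."""
    return [_cstring(raw, struct.unpack_from("<I", raw, 8)[0])
            for cmd, raw in load_commands(data) if cmd == LC_RPATH]


def review_candidates(data: bytes):
    """Dependencies outside system prefixes (@rpath/@loader_path/@executable_path
    entries or absolute paths elsewhere). Legitimate app bundles use these too,
    so they are review items to resolve against rpaths(), not verdicts."""
    return [d for d in dylib_dependencies(data) if not d.startswith(SYSTEM_PREFIXES)]


# Constructed sample image: one system dependency plus an @rpath entry of the
# kind an added LC_LOAD_DYLIB would introduce (sample path, not a real IoC).
SAMPLE_IMAGE = build_macho([
    dylib_command("/usr/lib/libSystem.B.dylib"),
    rpath_command("@loader_path/../Frameworks"),
    dylib_command("@rpath/libpayload.dylib"),
])

if __name__ == "__main__":
    print("dependencies:", dylib_dependencies(SAMPLE_IMAGE))
    print("rpaths:      ", rpaths(SAMPLE_IMAGE))
    print("review:      ", review_candidates(SAMPLE_IMAGE))
```

Running the parser over a real executable only requires reading the file and handling the fat (universal) wrapper first, which the example leaves out; the bounds checks matter there because a tampered load-command table is exactly the input an audit tool must not crash on.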

MITRE ATT&CK

Tactic
Privilege Escalation Persistence
Technique
T1546 Event Triggered Execution
Sub-technique
T1546.006 LC_LOAD_DYLIB Addition
Canonical reference
https://attack.mitre.org/techniques/T1546/006/

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory=*macos* OR _sourceCategory=*endpoint* OR _sourceCategory=*syslog*
| where _raw matches /install_name_tool|otool|codesign|lipo|jtool2|jtool|macho_tool/
| parse regex "(?<process_name>install_name_tool|otool|codesign|lipo|jtool2|jtool|macho_tool)" nodrop
| parse regex "(?<dylib_arg>-add_rpath|-change\s|-rpath\s|LC_LOAD_DYLIB|@rpath|@loader_path|@executable_path)" nodrop
| where !isNull(dylib_arg)
| parse regex field=_raw "user[=:\s]+(?<username>[^\s]+)" nodrop
| parse regex field=_raw "host[=:\s]+(?<hostname>[^\s]+)" nodrop
| count by _time, hostname, username, process_name, dylib_arg
| sort by _time desc

Severity: high. Confidence: medium.

Detects macOS binary manipulation tool execution with LC_LOAD_DYLIB-related arguments by parsing syslog and endpoint telemetry. Identifies install_name_tool, otool, jtool and similar tools used with dylib path manipulation flags that indicate potential Mach-O binary tampering for persistence.

Data Sources

  • macOS Syslog via Sumo Logic Installed Collector
  • Endpoint Security telemetry (CrowdStrike, Carbon Black forwarded to Sumo)
  • Unified Log forwarder for macOS

Required Tables

  • _sourceCategory=*macos*
  • _sourceCategory=*endpoint*
  • _sourceCategory=*syslog*

False Positives & Tuning

  • Software packaging pipelines that use install_name_tool to rewrite dylib paths for app bundle portability (common in Homebrew and MacPorts builds)
  • Security tooling vendors that inspect Mach-O load commands using otool or jtool for endpoint detection telemetry
  • macOS application notarization and hardened runtime workflows that involve codesign re-signing after dylib path adjustments
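To check the query's parse, filter and count logic (and the allowlisting the false-positive notes call for) without a Sumo tenant, here is an added Python emulation of the detection; it is not part of the page or of Sumo Logic's product. The log lines are constructed sample telemetry, the `host=`/`user=`/`proc=`/`args=` layout is an assumption about how a collector renders process events, and the only tuning hook shown is a username allowlist for packaging-pipeline accounts, which is one of the false-positive sources listed above.

```python
"""Added example (not part of the page): emulate the Sumo CSE query over
constructed log lines so the regex and filter behaviour can be checked offline.
"""
import re
from collections import Counter

# Same alternations as the query. jtool2 is listed before jtool so the longer
# name is captured; \b keeps 'lipo' or 'otool' from matching inside other words.
TOOL_RE = re.compile(
    r"\b(?P<process_name>install_name_tool|otool|codesign|lipo|jtool2|jtool|macho_tool)\b")
DYLIB_ARG_RE = re.compile(
    r"(?P<dylib_arg>-add_rpath|-change\s|-rpath\s|LC_LOAD_DYLIB|@rpath|@loader_path|@executable_path)")
USER_RE = re.compile(r"user[=:\s]+(?P<username>\S+)")
HOST_RE = re.compile(r"host[=:\s]+(?P<hostname>\S+)")

# Constructed sample telemetry (not real data). Line 1 is a packaging-pipeline
# use of install_name_tool; line 3 is otool reconnaissance without a dylib flag;
# line 4 mirrors the page's Test 2 command shape.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host=mac-build-07 user=ci proc=install_name_tool "
    "args=-add_rpath @loader_path/../Frameworks /Users/ci/build/App.app/Contents/MacOS/App",
    "2024-05-01T10:00:02Z host=mac-build-07 user=ci proc=codesign args=--force --sign - App.app",
    "2024-05-01T10:05:13Z host=mbp-alice user=alice proc=otool args=-l /bin/ls",
    "2024-05-01T10:05:14Z host=mbp-alice user=alice proc=install_name_tool "
    "args=-add_rpath /tmp /tmp/argus_test_binary",
    "2024-05-01T10:06:00Z host=mbp-alice user=alice proc=Finder args=open file.txt",
]

KEY = ("time", "hostname", "username", "process_name", "dylib_arg")


def parse_event(line: str):
    """Return the fields the query would emit for one line, or None when the
    line is dropped by the tool match or by '| where !isNull(dylib_arg)'."""
    tool = TOOL_RE.search(line)
    if tool is None:
        return None
    arg = DYLIB_ARG_RE.search(line)          # parse regex keeps the first match
    if arg is None:
        return None
    user = USER_RE.search(line)
    host = HOST_RE.search(line)
    return {
        "time": line.split(" ", 1)[0],        # stands in for _time
        "hostname": host.group("hostname") if host else None,
        "username": user.group("username") if user else None,
        "process_name": tool.group("process_name"),
        "dylib_arg": arg.group("dylib_arg").strip(),
    }


def run_detection(lines, allowlisted_users=frozenset()):
    """Emulates '| count by _time, hostname, username, process_name, dylib_arg
    | sort by _time desc'. allowlisted_users is the tuning hook for build
    service accounts that legitimately rewrite dylib paths."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["username"] in allowlisted_users:
            continue
        counts[tuple(ev[k] for k in KEY)] += 1
    return sorted(counts.items(), key=lambda kv: kv[0][0], reverse=True)


if __name__ == "__main__":
    for key, n in run_detection(SAMPLE_LOGS, allowlisted_users={"ci"}):
        print(n, *key)
```

Two things the run makes visible: the otool -l line never reaches the count stage because it carries no dylib-path flag, so the query fires on reconnaissance only if the logged text includes output such as LC_LOAD_DYLIB; and allowlisting by account (rather than by tool) keeps the alert for the same install_name_tool -add_rpath invocation when it comes from an interactive user.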

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Inspect Mach-O Binary Load Commands with otool

    Expected signal: Process creation event for otool with -l /bin/ls arguments. The output reveals all existing dylib dependencies. This is reconnaissance activity that precedes actual injection.

  2. Test 2: Add RPATH to Binary with install_name_tool

    Expected signal: Process creation event for install_name_tool with -add_rpath flag. File modification event for /tmp/argus_test_binary. The combination of install_name_tool + -add_rpath + target binary is the key signal.

  3. Test 3: Create Malicious Dylib in User Library Path

    Expected signal: Process creation events for gcc. File creation event for libpayload.dylib in ~/Library/Application Support/.hidden — a hidden directory in a user-writable location. The .dylib file creation in a non-system path is the detection trigger.
