T1574.004 Google Chronicle · YARA-L

Detect Dylib Hijacking in Google Chronicle

Adversaries on macOS may execute malicious payloads by placing a malicious dynamic library (dylib) in a path that a victim application searches at runtime. The macOS dynamic linker resolves library references in order through @rpath (relative run-path), @loader_path, @executable_path, and the standard system paths (/usr/lib, /System/Library). If an application references a dylib through a weak link (LC_LOAD_WEAK_DYLIB) and that dylib does not exist, an adversary can plant a malicious dylib with the expected name at the expected path and the application will load it. The Empire post-exploitation framework includes modules specifically for scanning for and exploiting dylib hijacking vulnerabilities.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation, Defense Evasion
Technique
T1574 Hijack Execution Flow
Sub-technique
T1574.004 Dylib Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1574/004/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule macos_dylib_hijacking_suspicious_path {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation or modification of .dylib files in macOS paths commonly abused for dylib hijacking (T1574.004). Covers @rpath-adjacent directories including /tmp, /var/folders, and user Library paths where adversaries plant malicious dynamic libraries."
    mitre_attack_tactic = "Privilege Escalation, Persistence, Defense Evasion"
    mitre_attack_technique = "T1574.004"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // File write events only; every line in this block is ANDed together.
    $e.metadata.event_type = "FILE_CREATION" or $e.metadata.event_type = "FILE_MODIFICATION"
    // Scope to macOS hosts. The UDM platform value for macOS is "MAC";
    // "LINUX" would never match the endpoints this rule is written for.
    $e.principal.asset.platform_software.platform = "MAC"
    // Only dynamic libraries.
    re.regex($e.target.file.full_path, `\.dylib$`)
    // Writable locations commonly used to plant a hijacking dylib.
    // The user Library pattern already covers Library/Application Support.
    (
      re.regex($e.target.file.full_path, `^/tmp/`) or
      re.regex($e.target.file.full_path, `^/private/tmp/`) or
      re.regex($e.target.file.full_path, `^/var/folders/`) or
      re.regex($e.target.file.full_path, `^/Users/[^/]+/Library/`)
    )

  condition:
    $e
}
Severity: High · Confidence: Medium

Chronicle YARA-L 2.0 rule detecting suspicious .dylib file writes in macOS directories associated with dylib hijacking exploitation. Monitors FILE_CREATION and FILE_MODIFICATION UDM events targeting paths in /tmp, /private/tmp, /var/folders, and user-owned Library directories where adversaries can plant libraries to intercept weak dylib references.
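To check what the rule's events block does and does not match before deploying it, the following added example (not part of the page's rule or Argus's tooling) replays the same event-type, platform, extension and path tests over a handful of constructed UDM-like events. The UdmEvent fields and the sample paths are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Path tests mirrored from the rule's events block (RE2-style anchors).
DYLIB_RE = re.compile(r"\.dylib$")
HIJACK_DIR_RES = [
    re.compile(r"^/tmp/"),
    re.compile(r"^/private/tmp/"),
    re.compile(r"^/var/folders/"),
    re.compile(r"^/Users/[^/]+/Library/"),  # also covers Library/Application Support
]
FILE_EVENTS = {"FILE_CREATION", "FILE_MODIFICATION"}


@dataclass
class UdmEvent:
    """Minimal stand-in for the UDM fields the rule reads (assumed shape)."""
    event_type: str   # $e.metadata.event_type
    platform: str     # $e.principal.asset.platform_software.platform
    full_path: str    # $e.target.file.full_path


def matches_rule(ev: UdmEvent) -> bool:
    """True when the event satisfies every line of the rule's events block."""
    if ev.event_type not in FILE_EVENTS:
        return False
    if ev.platform != "MAC":          # UDM platform value for macOS hosts
        return False
    if not DYLIB_RE.search(ev.full_path):
        return False
    return any(rx.search(ev.full_path) for rx in HIJACK_DIR_RES)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    UdmEvent("FILE_CREATION", "MAC", "/Users/alice/Library/test-hijack/libtest.dylib"),
    UdmEvent("FILE_MODIFICATION", "MAC", "/private/tmp/libssl.1.1.dylib"),
    UdmEvent("FILE_CREATION", "MAC", "/usr/lib/libSystem.B.dylib"),      # system path, out of scope
    UdmEvent("FILE_CREATION", "MAC", "/Users/bob/Library/Caches/notes.txt"),  # not a dylib
    UdmEvent("FILE_CREATION", "LINUX", "/tmp/libfoo.dylib"),              # wrong platform
    UdmEvent("PROCESS_LAUNCH", "MAC", "/tmp/libbar.dylib"),               # not a file write
]


def hits(events):
    """Return the paths of events the rule would alert on, in input order."""
    return [ev.full_path for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for path in hits(SAMPLE_EVENTS):
        print("ALERT macos_dylib_hijacking_suspicious_path:", path)
```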

Data Sources

macOS endpoint telemetry via Chronicle forwarder
Google Security Operations (Chronicle) macOS file events

Required Tables

UDM Events (FILE_CREATION, FILE_MODIFICATION)

False Positives & Tuning

  • Legitimate macOS software installers (pkg-based or DMG drag-install) that extract .dylib components to user Library paths during first-run setup
  • CI/CD pipelines or automated build agents running on macOS that produce .dylib build artifacts in /tmp or /var/folders
  • macOS system frameworks and OS updates writing or replacing dylibs in paths matched by the user Library pattern


Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List Vulnerable Applications Using otool

    Expected signal: Process creation event for otool. No file creation events generated. This is a read-only reconnaissance action. macOS audit logs (if enabled) would show the file read operations.

  2. Test 2: Create Malicious Dylib in @rpath Location

    Expected signal: File creation event for .dylib file in user Library path. Process creation events for gcc (if installed). The dylib file will appear as unsigned in code signing checks (codesign -v ~/Library/test-hijack/libtest.dylib).

  3. Test 3: Verify DYLD Environment Variable Propagation

    Expected signal: Process creation event for ls with DYLD_PRINT_LIBRARIES environment variable set. The output shows which dylibs ls loads. macOS SIP (System Integrity Protection) may suppress DYLD_* variables for protected binaries.
