Detect Dylib Hijacking in CrowdStrike LogScale
Adversaries on macOS may execute malicious payloads by placing a malicious dynamic library (dylib) in a path that a victim application searches at runtime. The macOS dynamic linker searches paths in order: @rpath (relative run-path), @loader_path, @executable_path, and standard system paths (/usr/lib, /System/Library). If an application references a dylib with a weak link (LC_LOAD_WEAK_DYLIB) and the dylib does not exist, an adversary can plant a malicious dylib with the correct name at the expected path. The Empire post-exploitation framework includes modules specifically for scanning and exploiting dylib hijacking vulnerabilities.
MITRE ATT&CK
- Technique: T1574 Hijack Execution Flow
- Sub-technique: T1574.004 Dylib Hijacking
- Canonical reference: https://attack.mitre.org/techniques/T1574/004/
LogScale Detection Query
#event_simpleName=PeFileWritten OR #event_simpleName=FileCreated
| TargetFileName=/\.dylib$/i
| TargetFilePath=/(\/tmp\/|\/private\/tmp\/|\/var\/folders\/|\/Users\/.+\/Library\/)/i
| case {
    TargetFilePath=/^\/tmp\//i OR TargetFilePath=/^\/private\/tmp\//i | SuspiciousPathType := "TempPath";
    TargetFilePath=/^\/var\/folders\//i | SuspiciousPathType := "VarFolders";
    TargetFilePath=/^\/Users\/.+\/Library\/Application Support\//i | SuspiciousPathType := "AppSupportPath";
    TargetFilePath=/^\/Users\/.+\/Library\//i | SuspiciousPathType := "UserLibraryPath";
    * | SuspiciousPathType := "Other";
  }
| groupBy([ComputerName, UserName, TargetFileName, TargetFilePath, SuspiciousPathType, ImageFileName], function=count(as=EventCount))
| sort(EventCount, order=desc)

Detects creation of .dylib files in macOS paths exploitable for dylib hijacking, using CrowdStrike Falcon file write telemetry. Matches PeFileWritten and FileCreated events whose target filename ends in .dylib and whose target path is under /tmp, /var/folders, or a user Library directory, the locations commonly targeted by adversaries exploiting weak dylib references. Each match is labelled with a SuspiciousPathType (the more specific Application Support branch is tested before the generic Library branch) and grouped by host, user, path and writing process.
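To check the query's filter and path-classification logic offline before deploying it, here is an added Python re-implementation run over constructed sample events (example code, not from the page or from CrowdStrike). It assumes TargetFilePath carries the full path and TargetFileName its basename; host names, users and image paths in the sample are made up.

```python
import re
from collections import Counter

CREATE_EVENTS = {"PeFileWritten", "FileCreated"}  # write/create telemetry only, never FileOpenInfo reads
DYLIB_NAME = re.compile(r"\.dylib$", re.IGNORECASE)
WATCHED_PATH = re.compile(r"(/tmp/|/private/tmp/|/var/folders/|/Users/.+/Library/)", re.IGNORECASE)

# Same order as the query's case() branches: first match wins, so Application Support precedes Library.
PATH_TYPES = [
    (re.compile(r"^/(private/)?tmp/", re.IGNORECASE), "TempPath"),
    (re.compile(r"^/var/folders/", re.IGNORECASE), "VarFolders"),
    (re.compile(r"^/Users/.+/Library/Application Support/", re.IGNORECASE), "AppSupportPath"),
    (re.compile(r"^/Users/.+/Library/", re.IGNORECASE), "UserLibraryPath"),
]

def classify_path(path):
    """Mirror of the query's SuspiciousPathType expression."""
    for pattern, label in PATH_TYPES:
        if pattern.search(path):
            return label
    return "Other"

def detect(events):
    """Apply the query's filters and groupBy; return (key, count) pairs, highest count first."""
    counts = Counter()
    for ev in events:
        if ev["event_simpleName"] not in CREATE_EVENTS:
            continue
        if not DYLIB_NAME.search(ev["TargetFileName"]) or not WATCHED_PATH.search(ev["TargetFilePath"]):
            continue
        key = (ev["ComputerName"], ev["UserName"], ev["TargetFileName"], ev["TargetFilePath"],
               classify_path(ev["TargetFilePath"]), ev["ImageFileName"])
        counts[key] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

def mk(event, path, image, user="alice"):  # constructed event; TargetFileName is the basename of TargetFilePath
    return {"event_simpleName": event, "TargetFilePath": path, "TargetFileName": path.rsplit("/", 1)[1],
            "ImageFileName": image, "ComputerName": "mac-01", "UserName": user}

# Constructed sample telemetry, not real Falcon data.
SAMPLE_EVENTS = [
    mk("FileCreated", "/Users/alice/Library/test-hijack/libtest.dylib", "/usr/bin/ld"),
    mk("FileCreated", "/Users/alice/Library/test-hijack/libtest.dylib", "/usr/bin/ld"),
    mk("PeFileWritten", "/private/tmp/libinject.dylib", "/usr/bin/curl"),
    mk("FileCreated", "/Users/bob/Library/Application Support/Demo/libdemo.DYLIB", "/bin/cp", user="bob"),
    mk("FileOpenInfo", "/Users/bob/Library/Application Support/Demo/libdemo.DYLIB", "/Applications/Demo.app", user="bob"),
    mk("FileCreated", "/usr/local/lib/libz.dylib", "/usr/bin/install"),  # outside the watched paths
]
```

Running detect(SAMPLE_EVENTS) yields three grouped rows: the repeated libtest.dylib write (count 2, UserLibraryPath) first, then the TempPath and AppSupportPath rows; the FileOpenInfo read and the /usr/local/lib write are dropped.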
False Positives & Tuning
- Falcon sensor may generate events when macOS system processes like softwareupdate or installd write dylibs to user-accessible Library paths during legitimate OS patching
- Software development tools (Xcode, CMake, Meson) writing compiled dylib outputs to /var/folders DerivedData or /tmp staging directories
- Application sandboxing mechanisms and container runtimes that unpack native library dependencies into user-owned Library paths at launch time
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: List Vulnerable Applications Using otool
Expected signal: Process creation event for otool. No file creation events generated. This is a read-only reconnaissance action. macOS audit logs (if enabled) would show the file read operations.
- Test 2: Create Malicious Dylib in @rpath Location
Expected signal: File creation event for .dylib file in user Library path. Process creation events for gcc (if installed). The dylib file will appear as unsigned in code signing checks (codesign -v ~/Library/test-hijack/libtest.dylib).
- Test 3: Verify DYLD Environment Variable Propagation
Expected signal: Process creation event for ls with DYLD_PRINT_LIBRARIES environment variable set. The output shows which dylibs ls loads. macOS SIP (System Integrity Protection) may suppress DYLD_* variables for protected binaries.
References
- https://attack.mitre.org/techniques/T1574/004/
- https://objective-see.com/blog/blog_0x46.html
- https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
- https://malwareunicorn.org/workshops/macos_dylib_injection.html#5
- https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.004/T1574.004.md