title: LC_MAIN Hijacking (T1149)
id: df00tech-t1149
status: experimental
description: "Adversaries may hijack the LC_MAIN Mach-O load command in macOS binaries to redirect initial execution flow to malicious code before returning control to the legitimate entry point. The LC_MAIN header, introduced in OS X 10.8, defines the entry point offset for a Mach-O executable. By patching this offset to point at an injected code section or cave, an attacker can execute arbitrary code under the identity of a trusted binary, bypassing application whitelisting controls that validate only the file path or name. This technique has been deprecated in the MITRE ATT&CK framework but remains relevant for forensic analysis of older macOS malware samples and legacy systems."
references:
  - https://attack.mitre.org/techniques/T1149/
  - https://df00tech.com/detections/T1149
author: df00tech
date: 2026/04/18
tags:
  - attack.t1149
# NOTE: logsource is auto-derived and may need adjustment for your environment
# (the technique targets Mach-O executables, so the product is macOS rather than Windows)
logsource:
  category: process_creation
  product: macos
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Security researchers and reverse engineers routinely use otool, jtool, and vtool with -l flags to inspect Mach-O load commands for legitimate analysis"
  - "Software build pipelines (Xcode, CMake, conan) invoke install_name_tool and lipo against application binaries during compilation and packaging"
  - "macOS application notarization and code signing workflows use codesign and related tools against .app bundle executables"
  - "Third-party software managers (Homebrew, MacPorts) legitimately write to /usr/local/bin and /opt/ during package installation and upgrades"
  - "System software updates via softwareupdate and MRT modify binaries in protected system paths"
level: high
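As an added example (not part of the df00tech rule or the MITRE entry), the forensic check the description implies: walk a 64-bit Mach-O's load commands and flag an LC_MAIN entryoff that does not land inside the __TEXT,__text section, which is where a compiler-emitted entry point lives. The sample Mach-O header is constructed inline, and the script assumes the __TEXT segment starts at file offset 0 (the usual layout), so entryoff can be compared directly with section file offsets.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF   # little-endian 64-bit Mach-O
LC_SEGMENT_64 = 0x19
LC_MAIN = 0x80000028       # LC_REQ_DYLD | 0x28

def check_entry_point(data: bytes) -> dict:
    """Report whether LC_MAIN's entryoff lies inside __TEXT,__text.
    Assumes __TEXT has file offset 0, so entryoff (defined relative to
    __TEXT) equals the file offset of the entry point."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off, entryoff, text_range = 32, None, None   # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_MAIN:
            entryoff = struct.unpack_from("<Q", data, off + 8)[0]
        elif cmd == LC_SEGMENT_64:
            segname = data[off + 8:off + 24].rstrip(b"\0")
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            soff = off + 72                      # section_64 entries follow the 72-byte command
            for _ in range(nsects):
                sectname = data[soff:soff + 16].rstrip(b"\0")
                size = struct.unpack_from("<Q", data, soff + 40)[0]
                fileoff = struct.unpack_from("<I", data, soff + 48)[0]
                if segname == b"__TEXT" and sectname == b"__text":
                    text_range = (fileoff, fileoff + size)
                soff += 80
        off += cmdsize
    in_text = (entryoff is not None and text_range is not None
               and text_range[0] <= entryoff < text_range[1])
    return {"entryoff": entryoff, "text_range": text_range, "in_text": in_text}

def build_sample(entryoff: int) -> bytes:
    """Constructed header only (not a runnable binary): one __TEXT segment, __text at 0x400-0x600."""
    sect = struct.pack("<16s16sQQIIIIIIII", b"__text", b"__TEXT",
                       0x100000400, 0x200, 0x400, 4, 0, 0, 0x80000400, 0, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + len(sect), b"__TEXT",
                      0x100000000, 0x1000, 0, 0x1000, 5, 5, 1, 0) + sect
    main_cmd = struct.pack("<IIQQ", LC_MAIN, 24, entryoff, 0)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(seg) + len(main_cmd), 0, 0)
    return header + seg + main_cmd

if __name__ == "__main__":
    print(check_entry_point(build_sample(0x500)))   # entry inside __text: expected layout
    print(check_entry_point(build_sample(0x900)))   # entry outside __text: worth a closer look
```

On a real sample, read the file with `open(path, "rb").read()` and pass it in; fat (universal) binaries need their per-architecture slice extracted first, which this script does not do.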
