title: LC_LOAD_DYLIB Addition (T1546.006)
id: df00tech-t1546-006
status: experimental
description: "Adversaries may establish persistence by executing malicious content triggered by the loading of a dynamically linked shared library. Mach-O binaries on macOS have a series of load commands that dictate how/when the binary is executed, including a set of libraries to load. The LC_LOAD_DYLIB command in a Mach-O binary tells macOS to load a specific dynamic library (.dylib) when that binary executes. Adversaries can add their own LC_LOAD_DYLIB load command to any Mach-O binary, causing their malicious library to be loaded whenever the modified binary is executed. This provides persistence that is triggered by the execution of legitimate binaries."
references:
  - https://attack.mitre.org/techniques/T1546/006/
  - https://df00tech.com/detections/T1546.006
author: df00tech
date: 2026/04/20
tags:
  - attack.t1546.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: macos
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Developers legitimately modifying Mach-O binaries during build processes (install_name_tool is commonly used in Xcode build scripts to fix dylib paths)
  - Homebrew and MacPorts package managers that use install_name_tool to relocate dylib paths when installing packages
  - Codesigning workflows that modify binary metadata as part of CI/CD pipelines for macOS application development
  - Security researchers and reverse engineers using otool/jtool for binary analysis on their own machines
level: high
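The detection logic above is a placeholder, so the following is an added host-side check, not part of the df00tech rule set, that shows the mechanism the description refers to: it walks the Mach-O load commands, collects every LC_LOAD_DYLIB-family entry, and compares the list against a baseline recorded from a known-good copy of the same binary. The Mach-O inputs are constructed inline so the script runs offline; the dylib paths, the baseline list and the helper names are assumptions for illustration, not values taken from any real binary.

```python
import struct
from typing import List, Sequence, Tuple

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE          # 32-bit, little-endian file
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit, little-endian file
FAT_MAGIC_LE = 0xBEBAFECA      # 0xCAFEBABE as read little-endian: universal binary
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
LC_LOAD_UPWARD_DYLIB = 0x80000023
DYLIB_LOAD_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}


def load_commands(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (cmd, raw_command_bytes) for every load command in a thin Mach-O image."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == FAT_MAGIC_LE:
        raise ValueError("universal binary: parse each architecture slice separately")
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError(f"not a little-endian Mach-O file (magic 0x{magic:08x})")
    # ncmds and sizeofcmds sit at offset 16 in both the 32- and 64-bit headers
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    offset, end = header_size, header_size + sizeofcmds
    cmds = []
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError(f"malformed load command at offset {offset}")
        cmds.append((cmd, data[offset:offset + cmdsize]))
        offset += cmdsize
    return cmds


def linked_dylibs(data: bytes) -> List[str]:
    """Names from every dylib load command, in load order (what dyld will resolve)."""
    names = []
    for cmd, raw in load_commands(data):
        if cmd in DYLIB_LOAD_COMMANDS:
            # dylib_command: cmd, cmdsize, then struct dylib whose first field is the lc_str offset
            (name_offset,) = struct.unpack_from("<I", raw, 8)
            names.append(raw[name_offset:].split(b"\0", 1)[0].decode(errors="replace"))
    return names


def unexpected_dylibs(data: bytes, baseline: Sequence[str]) -> List[str]:
    """Dylib entries present in the binary but absent from the recorded baseline."""
    return [name for name in linked_dylibs(data) if name not in baseline]


# --- Constructed sample input (hypothetical builder helpers, not real binaries) ---
def _dylib_command(name: str, cmd: int = LC_LOAD_DYLIB) -> bytes:
    raw = name.encode() + b"\0"
    size = 24 + len(raw)
    size += (-size) % 8  # ld pads each load command to an 8-byte boundary
    header = struct.pack("<IIIIII", cmd, size, 24, 2, 0x10000, 0x10000)
    return header + raw.ljust(size - 24, b"\0")


def _macho64(cmds: Sequence[bytes]) -> bytes:
    body = b"".join(cmds)
    # mach_header_64: magic, cputype (x86_64), cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, len(cmds), len(body), 0, 0)
    return header + body


BASELINE = ["/usr/lib/libSystem.B.dylib", "/usr/lib/libobjc.A.dylib"]  # assumed known-good list
ORIGINAL = _macho64([_dylib_command(n) for n in BASELINE])
# The same image with one extra LC_LOAD_DYLIB appended; the path is illustrative, not an IoC
MODIFIED = _macho64([_dylib_command(n) for n in BASELINE] + [_dylib_command("/private/tmp/injected.dylib")])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else MODIFIED
    for name in linked_dylibs(data):
        print("LC_LOAD_DYLIB", name)
    print("not in baseline:", unexpected_dylibs(data, BASELINE))
```

Record the baseline from a pristine copy (or from the vendor's signed package) rather than from the binary on the host, and treat any LC_LOAD_DYLIB whose name is not in that list, or whose path points into a user-writable location, as worth a signature check with codesign before deciding it is one of the build-tool false positives listed above.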
