title: Dylib Hijacking (T1574.004)
id: df00tech-t1574-004
status: experimental
description: "Adversaries on macOS may execute malicious payloads by placing a malicious dynamic library (dylib) in a path that a victim application searches at runtime. The macOS dynamic linker searches paths in order: @rpath (relative run-path), @loader_path, @executable_path, and standard system paths (/usr/lib, /System/Library). If an application references a dylib with a weak link (LC_LOAD_WEAK_DYLIB) and the dylib does not exist, an adversary can plant a malicious dylib with the correct name at the expected path. The Empire post-exploitation framework includes modules specifically for scanning and exploiting dylib hijacking vulnerabilities."
references:
  - https://attack.mitre.org/techniques/T1574/004/
  - https://df00tech.com/detections/T1574.004
author: df00tech
date: 2026/04/21
tags:
  - attack.t1574.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: macos
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software installation processes legitimately creating dylibs in Application Support or Library directories
  - Homebrew and macOS package managers creating dylibs in user-accessible paths
  - Developer builds and Xcode project compilation dropping dylibs in temp directories
  - macOS system updates temporarily staging dylibs in writable directories before installation
level: high
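
Added example, not part of the df00tech rule or any Empire module: a Python audit that walks a 64-bit Mach-O image's load commands, expands the @rpath, @loader_path and @executable_path prefixes named in the description, and lists weak dylibs (LC_LOAD_WEAK_DYLIB) none of whose candidate paths exist, which is the condition the description says a planted dylib could satisfy. The Mach-O bytes, the rpaths, the library names and the Example.app paths are constructed for the demonstration.

```python
import os
import struct

MH_MAGIC_64, LC_LOAD_DYLIB = 0xFEEDFACF, 0x0C          # little-endian 64-bit Mach-O
LC_LOAD_WEAK_DYLIB, LC_RPATH = 0x80000018, 0x8000001C  # LC_REQ_DYLD bit set on both

def parse_load_commands(image):
    """Walk the mach_header_64 load commands; collect strong/weak dylib names and rpaths."""
    if struct.unpack_from("<I", image)[0] != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    out, off = {"strong": [], "weak": [], "rpaths": []}, 32  # 32 = sizeof(mach_header_64)
    for _ in range(struct.unpack_from("<I", image, 16)[0]):  # ncmds lives at header offset 16
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        kind = {LC_LOAD_DYLIB: "strong", LC_LOAD_WEAK_DYLIB: "weak", LC_RPATH: "rpaths"}.get(cmd)
        if kind:  # dylib_command and rpath_command both keep their lc_str offset at +8
            s = off + struct.unpack_from("<I", image, off + 8)[0]
            out[kind].append(image[s:image.index(b"\0", s)].decode())
        off += cmdsize
    return out

def candidates(name, rpaths, loader_dir, exec_dir):
    """Expand dyld's @rpath/@loader_path/@executable_path prefixes into the paths tried, in order."""
    def sub(p):
        return os.path.normpath(p.replace("@loader_path", loader_dir, 1)
                                .replace("@executable_path", exec_dir, 1))
    if name.startswith("@rpath/"):
        return [sub(os.path.join(r, name[7:])) for r in rpaths]
    return [sub(name)]

def unresolved_weak(image, loader_dir, exec_dir, exists=os.path.exists):
    """Weak dylibs none of whose candidate paths exist: the gaps the rule's description refers to."""
    info = parse_load_commands(image)
    return [(n, p) for n in info["weak"] for p in [candidates(n, info["rpaths"], loader_dir, exec_dir)]
            if not any(exists(x) for x in p)]

def _lc(cmd, fields, text):
    """Constructed load command: uint32 header (cmd, cmdsize, lc_str offset, *fields) + NUL string."""
    raw, n = text.encode() + b"\0", 4 * (len(fields) + 3)
    size = (n + len(raw) + 7) & ~7  # cmdsize must be 8-byte aligned in 64-bit images
    return struct.pack(f"<{len(fields) + 3}I", cmd, size, n, *fields) + raw.ljust(size - n, b"\0")

def sample_image():
    """Constructed header + load commands (no segments) standing in for a real app binary."""
    ver = (0, 0x10000, 0x10000)  # timestamp, current_version, compatibility_version
    cmds = (_lc(LC_RPATH, (), "@executable_path/../Frameworks") + _lc(LC_RPATH, (), "/tmp/plugins")
            + _lc(LC_LOAD_DYLIB, ver, "/usr/lib/libSystem.B.dylib")
            + _lc(LC_LOAD_WEAK_DYLIB, ver, "@rpath/libOptional.dylib"))
    # magic, cputype (x86_64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 4, len(cmds), 0, 0) + cmds
```

Run it against a real binary by passing `open(path, "rb").read()` to `unresolved_weak` with the app's MacOS directory as both `loader_dir` and `exec_dir`; the default `exists` then checks the live filesystem, and any candidate that lands in a user-writable directory is the finding to remediate.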
