DET0152 Detection Strategy for Hijack Execution Flow: Dylib Hijacking

Item	Value
ID	DET0152
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1574.004 (Dylib Hijacking)

Analytics

macOS

AN0435

Detection focuses on adversaries placing or modifying malicious dylibs in locations searched by legitimate applications. From the defender’s perspective, observable patterns include unexpected creation or modification of dylib files in application bundle paths, unusual module loads by processes compared to historical baselines, and execution of applications loading dylibs from suspicious directories (e.g., /tmp, user-controlled paths). Correlation across file system changes, process execution, and module loads provides high-fidelity detection.

Log Sources

Data Component	Name	Channel
Module Load (DC0016)	macos:unifiedlog	process execution events with dylib load activity
File Creation (DC0039)	macos:unifiedlog	create/modify dylib files in monitored directories
File Modification (DC0061)	macos:unifiedlog	replace existing dylibs

Mutable Elements

Field	Description
MonitoredDirectories	Application bundle directories (e.g., /Applications/*/Contents/MacOS, /Library/Frameworks). Adversaries may use non-standard paths like /tmp.
BaselineDylibs	Historical record of dylibs typically loaded by applications. Deviations should be flagged.
CorrelationWindow	Timeframe to correlate dylib file modification with subsequent process execution and module loads.