DET0216 Detection Strategy for LC_LOAD_DYLIB Modification in Mach-O Binaries on macOS

Item	Value
ID	DET0216
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1546.006 (LC_LOAD_DYLIB Addition)

Analytics

macOS

AN0607

Detection focuses on unauthorized modification of Mach-O binaries to include LC_LOAD_DYLIB headers pointing to malicious dylibs. Behavior is identified via a chain of file metadata changes, removal of code signatures, and subsequent anomalous dylib loads at runtime. Correlation of file changes with lack of authorized updates and process memory mapping of unrecognized or unsigned libraries is crucial.

Log Sources

Data Component	Name	Channel
Module Load (DC0016)	macos:unifiedlog	Process memory maps new dylib (dylib_load event)
File Modification (DC0061)	macos:unifiedlog	Mach-O binary modified or LC_LOAD_DYLIB segment inserted
File Metadata (DC0059)	macos:unifiedlog	Code signature validation fails or is absent post-binary modification

Mutable Elements

Field	Description
TimeWindow	Correlates binary modification and dylib load within a defined time interval (e.g., 1 hour)
DylibPathRegex	Regular expression to match known malicious or uncommon library paths
UnsignedDylibThreshold	Number of unsigned or unrecognized dylibs mapped into memory per process
UserContext	Scope monitoring to non-admin users or sensitive system directories