T1546.006 LC_LOAD_DYLIB Addition

Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.[2] There are tools available to perform these changes.

Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn't checked at load time.[1]
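As an added example (not part of the ATT&CK page), the following Python walks the load commands of a 64-bit Mach-O, lists every LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB path, and notes whether LC_CODE_SIGNATURE is still present, which is the baseline comparison the M1047 mitigation describes. The Mach-O samples it checks are constructed in memory by a small builder so the script runs offline; the baseline set and the dylib paths are illustrative values.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit little-endian Mach-O header magic
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_CODE_SIGNATURE = 0x1D
HEADER_LEN = 32                   # sizeof(struct mach_header_64)
DYLIB_CMD_LEN = 24                # cmd, cmdsize, name offset, timestamp, 2 versions

def parse_macho64(data):
    """Return (linked dylib paths, has_code_signature) for a 64-bit Mach-O image."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    dylibs, signed = [], False
    off = HEADER_LEN
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # the path is stored at an offset relative to the start of this load command
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            raw = data[off + name_off: off + cmdsize]
            dylibs.append(raw.split(b"\0", 1)[0].decode())
        elif cmd == LC_CODE_SIGNATURE:
            signed = True
        off += cmdsize
    return dylibs, signed

def check_against_baseline(dylibs, signed, baseline):
    """Flag dylibs absent from the known-good baseline and a missing code signature."""
    findings = [f"unexpected dylib: {d}" for d in dylibs if d not in baseline]
    if not signed:
        findings.append("LC_CODE_SIGNATURE missing")
    return findings

# --- constructed test fixtures (not real binaries) ---
def build_dylib_cmd(path):
    name = path.encode() + b"\0"
    size = (DYLIB_CMD_LEN + len(name) + 7) & ~7      # load commands are 8-byte aligned
    return struct.pack("<6I", LC_LOAD_DYLIB, size, DYLIB_CMD_LEN, 0, 0, 0) + name.ljust(size - DYLIB_CMD_LEN, b"\0")

def build_sample(dylib_paths, with_signature):
    cmds = b"".join(build_dylib_cmd(p) for p in dylib_paths)
    if with_signature:
        cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0)   # linkedit_data_command
    ncmds = len(dylib_paths) + int(with_signature)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), 0, 0)
    return header + cmds

if __name__ == "__main__":
    baseline = {"/usr/lib/libSystem.B.dylib"}                       # illustrative baseline
    sample = build_sample(["/usr/lib/libSystem.B.dylib", "/tmp/injected.dylib"], False)
    print(check_against_baseline(*parse_macho64(sample), baseline))
```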

Item                  Value
ID                    T1546.006
Sub-techniques        T1546.001, T1546.002, T1546.003, T1546.004, T1546.005, T1546.006, T1546.007, T1546.008, T1546.009, T1546.010, T1546.011, T1546.012, T1546.013, T1546.014, T1546.015, T1546.016
Tactics               TA0004, TA0003
Platforms             macOS
Permissions required  User
Version               1.0
Created               24 January 2020
Last Modified         20 April 2022

Mitigations

ID     Mitigation            Description
M1047  Audit                 Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn't included as part of an update, it should be investigated.
M1045  Code Signing          Enforce that all binaries be signed by the correct Apple Developer IDs.
M1038  Execution Prevention  Allow applications via known hashes.

Detection

ID      Data Source  Data Component
DS0017  Command      Command Execution
DS0022  File         File Metadata
DS0011  Module       Module Load
DS0009  Process      Process Creation

References