ATT&CK coverage › Technique

Hijack Execution Flow: Dylib Hijacking `T1574.004`

Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.

Events covered

1 catalog event are tagged with this technique by at least one rule.

Provider	Event ID	Title
Security-Auditing	4688	A new process has been created.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Kusto Query Language 1 rule

Powershell Empire Cmdlets Executed in Command Line 1 event, 0 indicators, 0 exclusions

Hijack Execution Flow: Dylib Hijacking T1574.004

Events covered

Rules under this technique

Kusto Query Language 1 rule

Hijack Execution Flow: Dylib Hijacking `T1574.004`