T1546.006 LC_LOAD_DYLIB Addition Mappings

Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.

Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. (Citation: Malware Persistence on OS X)
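The two integrity signals described above (dylib load commands that were not in the original build, and a missing LC_CODE_SIGNATURE) can be checked directly from the Mach-O load-command table. The following is an added defensive example, not code from the mappings page or from MITRE: it parses a 64-bit little-endian Mach-O header, lists every dylib load command, and flags entries absent from a known-good baseline as well as the absence of LC_CODE_SIGNATURE. The function names (`parse_load_commands`, `audit_macho`), the baseline set and the two sample images are assumptions constructed here so the code runs offline; fat (universal) binaries are not handled.

```python
import struct

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit, little-endian (x86_64 / arm64)
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
LC_LOAD_UPWARD_DYLIB = 0x80000023
LC_CODE_SIGNATURE = 0x1D
DYLIB_LOAD_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}

def parse_load_commands(data: bytes):
    """Walk the load-command table of a 64-bit little-endian Mach-O image.
    Returns a list of (cmd, raw_bytes). Every cmdsize is bounds-checked against
    sizeofcmds so a corrupted header cannot drive the parser out of range."""
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, = struct.unpack_from("<I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"unsupported magic 0x{magic:08x} (fat/32-bit/big-endian not handled)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off, end = 32, 32 + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    cmds = []
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"bad cmdsize {cmdsize} at offset {off}")
        cmds.append((cmd, data[off:off + cmdsize]))
        off += cmdsize
    return cmds

def dylib_path(cmd_bytes: bytes) -> str:
    """Install name of a dylib_command: lc_str offset lives at +8, string is NUL-terminated."""
    name_off, = struct.unpack_from("<I", cmd_bytes, 8)
    return cmd_bytes[name_off:].split(b"\0", 1)[0].decode("utf-8", "replace")

def audit_macho(data: bytes, expected_dylibs):
    """Compare dylib load commands against a baseline and check for LC_CODE_SIGNATURE."""
    cmds = parse_load_commands(data)
    dylibs = [dylib_path(b) for c, b in cmds if c in DYLIB_LOAD_CMDS]
    signed = any(c == LC_CODE_SIGNATURE for c, _ in cmds)
    findings = [f"unexpected dylib load command: {p}" for p in dylibs if p not in expected_dylibs]
    if not signed:
        findings.append("no LC_CODE_SIGNATURE load command (signature stripped or never present)")
    return {"dylibs": dylibs, "code_signature": signed, "findings": findings}

# --- constructed sample images: header + load commands only, no segments (assumption) ---
def _dylib_cmd(path: str) -> bytes:
    name = path.encode() + b"\0"
    size = 24 + len(name)
    size += (-size) % 8                      # load commands are 8-byte aligned
    # cmd, cmdsize, name offset, timestamp, current_version, compatibility_version
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, size, 24, 2, 0x10000, 0x10000) + name.ljust(size - 24, b"\0")

def _code_sig_cmd() -> bytes:
    # linkedit_data_command: cmd, cmdsize, dataoff, datasize (offsets are placeholders)
    return struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x4000, 0x200)

def _macho(cmds) -> bytes:
    body = b"".join(cmds)
    # magic, cputype (CPU_TYPE_ARM64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(cmds), len(body), 0, 0) + body

BASELINE = {"/usr/lib/libSystem.B.dylib"}
SIGNED_IMAGE = _macho([_dylib_cmd("/usr/lib/libSystem.B.dylib"), _code_sig_cmd()])
# Constructed "tampered" image: one extra dylib load command, LC_CODE_SIGNATURE removed
TAMPERED_IMAGE = _macho([_dylib_cmd("/usr/lib/libSystem.B.dylib"),
                         _dylib_cmd("/Users/Shared/injected_example.dylib")])

if __name__ == "__main__":
    for label, img in (("signed", SIGNED_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(label, audit_macho(img, BASELINE))
```

In practice the baseline would be recorded from the vendor's signed build (the same data `otool -L` and `otool -l` print), and this header walk complements rather than replaces `codesign --verify`: the absence of LC_CODE_SIGNATURE on a binary that shipped signed is the integrity signal SI-7 style controls are looking for, while a present signature still has to be cryptographically verified.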

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| CM-2 | Baseline Configuration | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| CM-6 | Configuration Settings | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| CM-7 | Least Functionality | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| CM-8 | System Component Inventory | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| IA-9 | Service Identification and Authentication | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| SI-10 | Information Input Validation | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| SI-2 | Flaw Remediation | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| SI-3 | Malicious Code Protection | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| SI-4 | System Monitoring | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| SR-11 | Component Authenticity | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| SR-4 | Provenance | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| SR-5 | Acquisition Strategies, Tools, and Methods | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| SR-6 | Supplier Assessments and Reviews | Protects | T1546.006 | LC_LOAD_DYLIB Addition |
| attribute.integrity.variety.Alter behavior | Influence or alter human behavior | related-to | T1546.006 | Event Triggered Execution: LC_LOAD_DYLIB Addition |