Esc

LC_LOAD_DYLIB Addition - T1546.006

(ATT&CK® Technique)

Definition

Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1546006["LC_LOAD_DYLIB Addition"] --> |modifies| ExecutableBinary["Executable Binary"]; class T1546006 OffensiveTechniqueNode;
        class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
        click T1546006 href "/offensive-technique/attack/T1546.006/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";             FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | ExecutableBinary["Executable Binary"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1546006["LC_LOAD_DYLIB Addition"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class ExecutableBinary ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
          | deletes | ExecutableBinary["Executable Binary"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1546006["LC_LOAD_DYLIB Addition"] ;
          class FileEviction DefensiveTechniqueNode;
          class ExecutableBinary ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";                           EmulatedFileAnalysis["Emulated File Analysis"] -->
          | analyzes | ExecutableBinary["Executable Binary"];

          EmulatedFileAnalysis["Emulated File Analysis"] -.->
            | may-detect | T1546006["LC_LOAD_DYLIB Addition"] ;
          class EmulatedFileAnalysis DefensiveTechniqueNode;
          class ExecutableBinary ArtifactNode;
          click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
          | analyzes | ExecutableBinary["Executable Binary"];

          DynamicAnalysis["Dynamic Analysis"] -.->
            | may-detect | T1546006["LC_LOAD_DYLIB Addition"] ;
          class DynamicAnalysis DefensiveTechniqueNode;
          class ExecutableBinary ArtifactNode;
          click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";                           DecoyFile["Decoy File"] -->
          | spoofs | ExecutableBinary["Executable Binary"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1546006["LC_LOAD_DYLIB Addition"] ;
          class DecoyFile DefensiveTechniqueNode;
          class ExecutableBinary ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";              LocalFilePermissions["Local File Permissions"] -->
          | restricts | ExecutableBinary["Executable Binary"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-harden | T1546006["LC_LOAD_DYLIB Addition"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class ExecutableBinary ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEncryption["File Encryption"] -->
          | encrypts | ExecutableBinary["Executable Binary"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1546006["LC_LOAD_DYLIB Addition"] ;
          class FileEncryption DefensiveTechniqueNode;
          class ExecutableBinary ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption"; ExecutableAllowlisting["Executable Allowlisting"] -->
          | blocks | ExecutableBinary["Executable Binary"];

          ExecutableAllowlisting["Executable Allowlisting"] -.->
            | may-isolate | T1546006["LC_LOAD_DYLIB Addition"] ;
          class ExecutableAllowlisting DefensiveTechniqueNode;
          class ExecutableBinary ArtifactNode;
          click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";                                      FileAnalysis["File Analysis"] -->
          | analyzes | ExecutableBinary["Executable Binary"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1546006["LC_LOAD_DYLIB Addition"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class ExecutableBinary ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";              ExecutableDenylisting["Executable Denylisting"] -->
          | blocks | ExecutableBinary["Executable Binary"];

          ExecutableDenylisting["Executable Denylisting"] -.->
            | may-isolate | T1546006["LC_LOAD_DYLIB Addition"] ;
          class ExecutableDenylisting DefensiveTechniqueNode;
          class ExecutableBinary ArtifactNode;
          click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; RestoreFile["Restore File"] -->
          | restores | ExecutableBinary["Executable Binary"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1546006["LC_LOAD_DYLIB Addition"] ;
          class RestoreFile DefensiveTechniqueNode;
          class ExecutableBinary ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile";

json