Detection Strategy for Hijack Execution Flow: Dylib Hijacking

Technique Detected: Dylib Hijacking | T1574.004

ID: DET0152
Domains: Enterprise
Analytics: AN0435
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0435

Detection focuses on adversaries placing or modifying malicious dylibs in locations searched by legitimate applications. From the defender’s perspective, observable patterns include unexpected creation or modification of dylib files in application bundle paths, unusual module loads by processes compared to historical baselines, and execution of applications loading dylibs from suspicious directories (e.g., /tmp, user-controlled paths). Correlation across file system changes, process execution, and module loads provides high-fidelity detection.

Log Sources

Data Component              Name               Channel
Module Load (DC0016)        macos:unifiedlog   process execution events with dylib load activity
File Creation (DC0039)      macos:unifiedlog   create/modify dylib files in monitored directories
File Modification (DC0061)  macos:unifiedlog   replace existing dylibs
Mutable Elements

Field                  Description
MonitoredDirectories   Application bundle directories (e.g., /Applications/*/Contents/MacOS, /Library/Frameworks). Adversaries may use non-standard paths like /tmp.
BaselineDylibs         Historical record of dylibs typically loaded by applications. Deviations should be flagged.
CorrelationWindow      Timeframe to correlate dylib file modification with subsequent process execution and module loads.
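The analytic above describes three signals (dylib writes in monitored directories, loads that deviate from a per-application baseline, loads from non-standard paths) joined within a correlation window. The following Python script is an added example, not code from the ATT&CK page, showing how those signals and the three mutable elements can be combined over a stream of normalized events. The event schema (ts, kind, process, path), the SUSPICIOUS_DIRECTORIES list, the applications "Foo" and "Bar" and all sample events are constructed for illustration; a real deployment would populate them from the unified log and from an observed baseline.

```python
"""Added example (not from the ATT&CK page): correlate dylib file changes,
process execution and module loads to flag likely dylib hijacking.
Event records are a constructed, normalized form of macOS unified-log data;
the field names (ts, kind, process, path) are assumptions, not a real schema.
"""
from datetime import datetime

# --- Mutable elements from the detection strategy ---------------------------
MONITORED_DIRECTORIES = ("/Applications/", "/Library/Frameworks/")
# Non-standard locations the page mentions; this exact list is an assumption.
SUSPICIOUS_DIRECTORIES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
# Historical record of dylibs each application normally loads (constructed).
BASELINE_DYLIBS = {
    "Foo": {"/Applications/Foo.app/Contents/MacOS/libfoo.dylib",
            "/usr/lib/libSystem.B.dylib"},
    "Bar": {"/Library/Frameworks/Bar.framework/Bar"},
}
CORRELATION_WINDOW_SECONDS = 600  # correlate a dylib write with loads in the next 10 minutes

# --- Constructed sample events (timestamps are ISO 8601) --------------------
SAMPLE_EVENTS = [
    {"ts": "2025-10-21T10:00:00", "kind": "file_create", "process": "bash",
     "path": "/tmp/libhelper.dylib"},
    {"ts": "2025-10-21T10:00:30", "kind": "file_modify", "process": "cp",
     "path": "/Applications/Foo.app/Contents/MacOS/libfoo.dylib"},
    {"ts": "2025-10-21T10:01:00", "kind": "process_exec", "process": "Foo",
     "path": "/Applications/Foo.app/Contents/MacOS/Foo"},
    {"ts": "2025-10-21T10:01:01", "kind": "module_load", "process": "Foo",
     "path": "/Applications/Foo.app/Contents/MacOS/libfoo.dylib"},
    {"ts": "2025-10-21T10:01:02", "kind": "module_load", "process": "Foo",
     "path": "/tmp/libhelper.dylib"},
    {"ts": "2025-10-21T10:01:03", "kind": "module_load", "process": "Foo",
     "path": "/usr/lib/libSystem.B.dylib"},
    {"ts": "2025-10-21T14:00:00", "kind": "module_load", "process": "Bar",
     "path": "/Library/Frameworks/Bar.framework/Bar"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def is_monitored(path):
    """True if the dylib sits in an application bundle or framework directory."""
    return path.startswith(MONITORED_DIRECTORIES)


def detect_dylib_hijack(events, baseline=BASELINE_DYLIBS,
                        window_seconds=CORRELATION_WINDOW_SECONDS):
    """Return one alert per suspicious module load, each listing its reasons."""
    events = sorted(events, key=_when)
    # Index dylib writes by path so each load can look back for a recent change.
    writes = {}
    for e in events:
        if e["kind"] in ("file_create", "file_modify") and e["path"].endswith(".dylib"):
            writes.setdefault(e["path"], []).append(e)

    alerts = []
    for e in events:
        if e["kind"] != "module_load":
            continue
        proc, path, loaded_at = e["process"], e["path"], _when(e)
        reasons = []
        if path.startswith(SUSPICIOUS_DIRECTORIES):
            reasons.append("loaded from a non-standard directory")
        # Only applications with a recorded baseline can deviate from it.
        if proc in baseline and path not in baseline[proc]:
            reasons.append("not in the historical baseline for this process")
        for w in writes.get(path, []):
            age = (loaded_at - _when(w)).total_seconds()
            if 0 <= age <= window_seconds:
                where = "inside a monitored bundle" if is_monitored(path) else "outside monitored directories"
                reasons.append(f"written by {w['process']} {int(age)}s before load, {where}")
                break
        if reasons:
            alerts.append({"ts": e["ts"], "process": proc, "path": path, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_dylib_hijack(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['process']} loaded {alert['path']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

On the sample data this raises two alerts: the in-bundle libfoo.dylib, which is in Foo's baseline but was rewritten 31 seconds before Foo loaded it, and the /tmp/libhelper.dylib load, which trips all three signals. The libSystem load and Bar's framework load match their baselines with no preceding write and stay silent. Narrowing window_seconds drops the write-correlation reason but keeps the path and baseline reasons, which is why the three signals are scored independently rather than requiring all of them.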