Detection focuses on unauthorized modification of Mach-O binaries to insert LC_LOAD_DYLIB load commands that point to malicious dylibs. The behavior is identified through a chain of events: metadata changes on the binary file, removal or invalidation of its code signature, and subsequent anomalous dylib loads at runtime. Correlating these file changes with the absence of an authorized update, and with the process mapping unrecognized or unsigned libraries into memory, is essential to separate tampering from legitimate software updates.

| Data Component | Name | Channel |
|---|---|---|
| Module Load (DC0016) | macos:unifiedlog | Process memory maps new dylib (dylib_load event) |
| File Modification (DC0061) | macos:unifiedlog | Mach-O binary modified or LC_LOAD_DYLIB segment inserted |
| File Metadata (DC0059) | macos:unifiedlog | Code signature validation fails or is absent post-binary modification |

| Field | Description |
|---|---|
| TimeWindow | Correlates binary modification and dylib load within a defined time interval (e.g., 1 hour) |
| DylibPathRegex | Regular expression to match known malicious or uncommon library paths |
| UnsignedDylibThreshold | Number of unsigned or unrecognized dylibs mapped into memory per process |
| UserContext | Scope monitoring to non-admin users or sensitive system directories |
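As an added example (not part of the original detection strategy), the following parser walks the load commands of a Mach-O image, lists every LC_LOAD_DYLIB path, and reports paths outside an allow-list together with a missing LC_CODE_SIGNATURE. It assumes thin 64-bit little-endian images (no fat headers), uses a prefix allow-list as a stand-in for the DylibPathRegex tunable, and builds its own constructed sample images inline so it runs offline.

```python
import struct

MH_MAGIC_64, LC_LOAD_DYLIB, LC_CODE_SIGNATURE = 0xFEEDFACF, 0x0C, 0x1D
TRUSTED_PREFIXES = ("/usr/lib/", "/System/Library/")  # assumption: stands in for DylibPathRegex

def parse_load_commands(data: bytes):
    """Return (dylib_paths, has_code_signature) for a thin 64-bit little-endian Mach-O."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off, end = 32, 32 + sizeofcmds  # load commands follow the 32-byte mach_header_64
    dylibs, signed = [], False
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")  # truncated/oversized commands are findings too
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", data, off + 8)[0]  # lc_str offset within the command
            dylibs.append(data[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode())
        elif cmd == LC_CODE_SIGNATURE:
            signed = True
        off += cmdsize
    return dylibs, signed

def suspicious_dylibs(data: bytes):
    """Paths outside the allow-list, plus a marker when the image carries no LC_CODE_SIGNATURE."""
    dylibs, signed = parse_load_commands(data)
    findings = [p for p in dylibs if not p.startswith(TRUSTED_PREFIXES)]
    if not signed:
        findings.append("<no LC_CODE_SIGNATURE>")
    return findings

def dylib_command(path: str) -> bytes:
    # Constructed LC_LOAD_DYLIB: 24-byte fixed part, then the NUL-terminated path padded to 8 bytes.
    name = path.encode() + b"\0"
    name += b"\0" * (-len(name) % 8)
    return struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 2, 0x10000, 0x10000) + name

def build_sample(paths, signed: bool) -> bytes:
    # Constructed minimal image: mach_header_64 (arm64, MH_EXECUTE) followed only by load commands.
    cmds = b"".join(dylib_command(p) for p in paths)
    if signed:
        cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0x4000, 0x100)  # linkedit_data_command
    ncmds = len(paths) + (1 if signed else 0)
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), 0, 0) + cmds

# Constructed samples: an untouched image, and one with an inserted load command and stripped signature.
CLEAN = build_sample(["/usr/lib/libSystem.B.dylib"], signed=True)
TAMPERED = build_sample(["/usr/lib/libSystem.B.dylib", "/tmp/.inserted.dylib"], signed=False)
```

Running `suspicious_dylibs` over binaries flagged by the File Modification event gives the static side of the correlation; the dylib_load events from the unified log supply the runtime side within the TimeWindow.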