
LC_MAIN Hijacking

As of OS X 10.8, Mach-O binaries carry a load command called LC_MAIN that records the entry point at which execution begins (it stores the file offset of the entry point rather than a full initial thread state). Previously, two load commands served the same purpose: LC_THREAD and LC_UNIXTHREAD [1]. The entry point can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then returns to the original entry point, so the victim does not notice anything different [2]. Because the file name and application path are unchanged, a binary modified in this way can bypass application whitelisting that keys on those attributes.

ID: T1149
Tactic: Defense Evasion
Platform: macOS
Permissions Required: User, Administrator
Data Sources: Binary file metadata, Malware reverse engineering, Process monitoring
Defense Bypassed: Application whitelisting, Process whitelisting, Whitelisting by file name or path
Version: 1.0
Created: 14 December 2017
Last Modified: 18 July 2019


Mitigation

Code Signing: Require valid digital signatures on all applications, and trust only applications whose signatures come from trusted parties.


Detection

Recovering the original entry point of a modified binary is difficult, but checksum and signature verification is straightforward: changing the LC_MAIN entry point, or adding a second LC_MAIN load command, invalidates the file's code signature (on macOS, codesign --verify --strict reports the failure) and can be detected. Also collect running-process information and compare it against known applications to look for suspicious behavior.
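As an added example (not code from the ATT&CK page or from any referenced tool), the following Python script shows the two structural checks the description and detection text imply: walk the Mach-O load commands, confirm there is exactly one LC_MAIN, and confirm its entryoff lands inside the __TEXT,__text section rather than in a code cave or an extra section. Real binaries are parsed from disk; the build_image() helper and its field values are constructed test fixtures, not real compiled programs, and the LC_UNIXTHREAD heuristic is an assumption added here rather than a rule from the page.

```python
"""Check a 64-bit little-endian Mach-O image for LC_MAIN hijacking indicators.

Indicators checked (assumptions of this example, not rules from the ATT&CK page):
  * more than one LC_MAIN load command,
  * LC_MAIN entryoff outside the file range of __TEXT,__text,
  * both LC_MAIN and the pre-10.8 LC_UNIXTHREAD present in one image.
"""
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_UNIXTHREAD = 0x05
LC_MAIN = 0x80000028          # LC_REQ_DYLD | 0x28


def parse_load_commands(data):
    """Yield (cmd, raw_bytes) for each load command, bounds-checked against sizeofcmds."""
    magic, _cpu, _sub, _ft, ncmds, sizeofcmds, _fl, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    off = 32                                # sizeof(mach_header_64)
    end = 32 + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table overruns sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %#x" % off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize


def text_section_range(seg):
    """From an LC_SEGMENT_64 body, return (fileoff, end) of __TEXT,__text, else None."""
    if seg[8:24].rstrip(b"\0") != b"__TEXT":
        return None
    nsects = struct.unpack_from("<I", seg, 64)[0]
    for i in range(nsects):
        sect = seg[72 + 80 * i: 72 + 80 * (i + 1)]   # section_64 is 80 bytes
        if sect[0:16].rstrip(b"\0") == b"__text":
            _addr, size, offset = struct.unpack_from("<QQI", sect, 32)
            return offset, offset + size
    return None


def check_entry_point(data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    text_range = None
    entryoffs = []
    has_unixthread = False
    for cmd, lc in parse_load_commands(data):
        if cmd == LC_SEGMENT_64 and text_range is None:
            text_range = text_section_range(lc)
        elif cmd == LC_MAIN:
            entryoffs.append(struct.unpack_from("<Q", lc, 8)[0])   # entryoff follows cmd,cmdsize
        elif cmd == LC_UNIXTHREAD:
            has_unixthread = True
    if len(entryoffs) != 1:
        findings.append("expected exactly one LC_MAIN, found %d" % len(entryoffs))
    if entryoffs and has_unixthread:
        findings.append("both LC_MAIN and LC_UNIXTHREAD present")
    if text_range is None:
        findings.append("no __TEXT,__text section; cannot validate entryoff")
    else:
        for eo in entryoffs:
            if not text_range[0] <= eo < text_range[1]:
                findings.append("LC_MAIN entryoff %#x lies outside __TEXT,__text [%#x, %#x)"
                                % (eo, text_range[0], text_range[1]))
    return findings


def build_image(entryoffs, text_off=0x1000, text_size=0x200):
    """Constructed fixture: a minimal Mach-O 64 header with one __TEXT segment holding a
    __text section at file offset text_off, followed by one LC_MAIN per entryoff."""
    sect = (b"__text".ljust(16, b"\0") + b"__TEXT".ljust(16, b"\0")
            + struct.pack("<QQIIIIIIII", 0x100000000 + text_off, text_size, text_off,
                          4, 0, 0, 0x80000400, 0, 0, 0))
    seg = (struct.pack("<II", LC_SEGMENT_64, 72 + len(sect))
           + b"__TEXT".ljust(16, b"\0")
           + struct.pack("<QQQQiiII", 0x100000000, 0x4000, 0, 0x4000, 5, 5, 1, 0)
           + sect)
    mains = b"".join(struct.pack("<IIQQ", LC_MAIN, 24, eo, 0) for eo in entryoffs)
    cmds = seg + mains
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2,
                         1 + len(entryoffs), len(cmds), 0x200085, 0)
    return header + cmds


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # real file from disk
        images = {sys.argv[1]: open(sys.argv[1], "rb").read()}
    else:                                   # constructed fixtures
        images = {"clean": build_image([0x1040]),
                  "entry in code cave": build_image([0x3000]),
                  "second LC_MAIN added": build_image([0x1040, 0x3000])}
    for name, img in images.items():
        print(name, "->", check_entry_point(img) or "no findings")
```

The check is structural only: it does not prove the code at entryoff is benign, and a thin-slice of a fat (universal) binary must be extracted first. Pair it with signature verification, since any of these edits also breaks the file's code signature.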