LC_MAIN Hijacking

As of OS X 10.8, Mach-O binaries introduced a new header called LC_MAIN that points to the binary's entry point for execution. Previously, two headers served the same purpose: LC_THREAD and LC_UNIXTHREAD [1]. The entry point of a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then returns to the original entry point, so the victim notices nothing different [2]. Modifying a binary in this way can bypass application whitelisting, because the file name and application path remain unchanged.

ID: T1149
Tactic: Defense Evasion
Platform: macOS
Permissions Required: User, Administrator
Data Sources: Binary file metadata, Malware reverse engineering, Process monitoring
Defense Bypassed: Application whitelisting, Process whitelisting, Whitelisting by file name or path
Version: 1.0


Mitigation: Code Signing
Description: Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties.


Detection

Determining the original entry point of a binary is difficult, but checksum and signature verification are very feasible. Modifying the LC_MAIN entry point or adding an additional LC_MAIN load command invalidates the file's signature and can be detected. Collect running process information and compare it against known applications to look for suspicious behavior.
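As an added illustration of the detection notes above (this is not code from the ATT&CK page), the following Python walks the load commands of a 64-bit Mach-O image and flags two of the tells described: more than one LC_MAIN, or an entry offset that does not fall inside the executable __TEXT segment. The sample image is constructed inline, and the function names are our own; the layout constants come from <mach-o/loader.h>.

```python
import struct

# Mach-O constants (from <mach-o/loader.h>)
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_MAIN = 0x80000028          # 0x28 | LC_REQ_DYLD
VM_PROT_EXECUTE = 0x4

def parse_load_commands(data):
    """Yield (cmd, raw_bytes) for each load command of a little-endian 64-bit Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = 32                  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def check_entry_point(data):
    """Return findings about LC_MAIN; an empty list means nothing looked odd."""
    mains, segs = [], []
    for cmd, body in parse_load_commands(data):
        if cmd == LC_MAIN:
            mains.append(struct.unpack_from("<Q", body, 8)[0])      # entryoff (file offset)
        elif cmd == LC_SEGMENT_64:
            name = body[8:24].rstrip(b"\0").decode()
            fileoff, filesize, _, initprot = struct.unpack_from("<QQii", body, 40)
            segs.append((name, fileoff, filesize, initprot))
    findings = []
    if len(mains) != 1:       # an added LC_MAIN is the cheapest tell
        findings.append(f"expected exactly one LC_MAIN, found {len(mains)}")
    for entry in mains:
        home = [s for s in segs if s[1] <= entry < s[1] + s[2]]
        if not home:
            findings.append(f"entryoff {entry:#x} lies outside every segment")
        elif home[0][0] != "__TEXT" or not home[0][3] & VM_PROT_EXECUTE:
            findings.append(f"entryoff {entry:#x} points into {home[0][0]}, not __TEXT")
    return findings

def build_sample(entryoff, main_count=1):
    """Constructed toy image: __TEXT r-x at file 0x0-0x4000, __DATA rw- at 0x4000-0x8000."""
    def seg(name, fileoff, size, prot):
        return struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name,
                           fileoff, size, fileoff, size, prot, prot, 0, 0)
    cmds = seg(b"__TEXT", 0, 0x4000, 5) + seg(b"__DATA", 0x4000, 0x4000, 3)
    cmds += struct.pack("<IIQQ", LC_MAIN, 24, entryoff, 0) * main_count
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2 + main_count, len(cmds), 0, 0)
    return header + cmds
```

The segment check is a heuristic: an entry redirected into a cave inside __TEXT is not caught by it, which is why the page pairs structural checks with signature verification (codesign -v on macOS).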