The sub-techniques beta is now live! Read the release blog post for more info.


Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long adjustments are made to the rest of the fields and dependencies [1]. There are tools available to perform these changes. Any changes will invalidate digital signatures on binaries because the binary is being modified. Adversaries can remediate this issue by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time [2].

ID: T1161
Tactic: Persistence
Platform: macOS
Permissions Required: User
Data Sources: Binary file metadata, Process monitoring, Process command-line parameters, File monitoring
Version: 1.0
Created: 14 December 2017
Last Modified: 18 July 2019


Mitigation Description

Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn\u2019t included as part of an update, it should be investigated.

Code Signing

Enforce that all binaries be signed by the correct Apple Developer IDs.

Execution Prevention

Whitelist applications via known hashes.


Monitor processes for those that may be used to modify binary headers. Monitor file systems for changes to application binaries and invalid checksums/signatures. Changes to binaries that do not line up with application updates or patches are also extremely suspicious.