Hijack Execution Flow: Dylib Hijacking

Adversaries may execute their own malicious payloads by hijacking ambiguous paths used to load libraries. Adversaries may plant trojan dynamic libraries, in a directory that will be searched by the operating system before the legitimate library specified by the victim program, so that their malicious library will be loaded into the victim program instead. MacOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths.

A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. [1] [2]

If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level.

ID: T1574.004
Sub-technique of:  T1574
Tactics: Persistence, Privilege Escalation, Defense Evasion
Platforms: macOS
Data Sources: File monitoring, Process monitoring
Defense Bypassed: Application control
CAPEC ID: CAPEC-471
Version: 1.0
Created: 16 March 2020
Last Modified: 16 September 2020

Mitigations

Mitigation Description
Restrict File and Directory Permissions

Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard dylib folders.

Detection

Objective-See's Dylib Hijacking Scanner can be used to detect potential cases of dylib hijacking. Monitor file systems for moving, renaming, replacing, or modifying dylibs. Changes in the set of dylibs that are loaded by a process (compared to past behavior) that do not correlate with known software, patches, etc., are suspicious. Check the system for multiple dylibs with the same name and monitor which versions have historically been loaded into a process.

References