Description
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X)
Mitigations (3)
Audit (M1047)
Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn't included as part of an update, it should be investigated.
Execution Prevention (M1038)
Allow applications via known hashes.
Code Signing (M1045)
Enforce that all binaries be signed by the correct Apple Developer IDs.
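The Audit mitigation above amounts to walking a binary's load commands, comparing its LC_LOAD_DYLIB entries with a known-good baseline and noting whether LC_CODE_SIGNATURE is still present (the command the description says adversaries strip). The following added example, not part of the ATT&CK page, does exactly that for a thin 64-bit little-endian Mach-O; the two images it checks are constructed inline with struct.pack, and the dylib paths and baseline are illustrative assumptions (fat/universal and 32-bit images are out of scope).

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O, little-endian (x86_64 / arm64)
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_CODE_SIGNATURE = 0x1D

def parse_load_commands(data):
    """Return (list of dylib paths requested, True if LC_CODE_SIGNATURE is present)."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    dylibs, signed, off = [], False, 32        # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > 32 + sizeofcmds:
            raise ValueError("malformed load command")  # bogus cmdsize: refuse to walk further
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from("<I", data, off + 8)[0]   # lc_str offset, usually 24
            raw = data[off + name_off: off + cmdsize]
            dylibs.append(raw.split(b"\0", 1)[0].decode())
        elif cmd == LC_CODE_SIGNATURE:
            signed = True
        off += cmdsize
    return dylibs, signed

def dylib_command(path, cmd=LC_LOAD_DYLIB):
    """Build a dylib_command: 24-byte struct followed by the NUL-terminated path, padded to 8."""
    name = path.encode() + b"\0"
    name += b"\0" * (-(24 + len(name)) % 8)
    return struct.pack("<IIIIII", cmd, 24 + len(name), 24, 2, 0x10000, 0x10000) + name

def build_macho(commands):
    """Assemble a constructed mach_header_64 (arm64, MH_EXECUTE) plus the given load commands."""
    body = b"".join(commands)
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(commands), len(body), 0, 0)
    return hdr + body

def check_against_baseline(data, baseline):
    """Audit check: dylibs absent from the baseline, and whether the image still carries a signature."""
    dylibs, signed = parse_load_commands(data)
    return sorted(set(dylibs) - set(baseline)), signed

BASELINE = ["/usr/lib/libSystem.B.dylib"]            # assumed known-good set for this binary
CLEAN = build_macho([dylib_command("/usr/lib/libSystem.B.dylib"),
                     struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x4000, 0x200)])  # linkedit_data_command
TAINTED = build_macho([dylib_command("/usr/lib/libSystem.B.dylib"),
                       dylib_command("/tmp/injected.dylib")])    # extra dylib, LC_CODE_SIGNATURE removed

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("tainted", TAINTED)):
        new, signed = check_against_baseline(img, BASELINE)
        print(f"{label}: unexpected dylibs={new} code signature present={signed}")
```

Either finding alone (a dylib outside the baseline, or a missing LC_CODE_SIGNATURE on a binary that used to have one) is worth investigating; together they match the modification pattern this technique describes.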
References
- Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.
- Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017.
Frequently Asked Questions
What is T1546.006 (LC_LOAD_DYLIB Addition)?
T1546.006 is a MITRE ATT&CK technique named 'LC_LOAD_DYLIB Addition'. It belongs to the Privilege Escalation and Persistence tactics. Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operation...
How can T1546.006 be detected?
Detection of T1546.006 (LC_LOAD_DYLIB Addition) typically involves monitoring system logs, network traffic, and endpoint telemetry, together with the Audit approach above: baseline the dynamic libraries each binary requires so that a newly added load command, or a removed LC_CODE_SIGNATURE command, stands out. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1546.006?
There are 3 documented mitigations for T1546.006. Key mitigations include: Audit, Execution Prevention, Code Signing.
Which threat groups use T1546.006?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.