Esc

Dylib Hijacking - T1574.004

(ATT&CK® Technique)

Definition

Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1574004["Dylib Hijacking"] --> |may-create| SharedLibraryFile["Shared Library File"]; class T1574004 OffensiveTechniqueNode;
        class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
        click T1574004 href "/offensive-technique/attack/T1574.004/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile"; T1574004["Dylib Hijacking"] --> |may-modify| SharedLibraryFile["Shared Library File"]; class T1574004 OffensiveTechniqueNode;
        class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
        click T1574004 href "/offensive-technique/attack/T1574.004/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";                          FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | SharedLibraryFile["Shared Library File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1574004["Dylib Hijacking"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";                            FileEviction["File Eviction"] -->
          | deletes | SharedLibraryFile["Shared Library File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1574004["Dylib Hijacking"] ;
          class FileEviction DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";                            DecoyFile["Decoy File"] -->
          | spoofs | SharedLibraryFile["Shared Library File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1574004["Dylib Hijacking"] ;
          class DecoyFile DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";                            LocalFilePermissions["Local File Permissions"] -->
          | restricts | SharedLibraryFile["Shared Library File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1574004["Dylib Hijacking"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";                            FileEncryption["File Encryption"] -->
          | encrypts | SharedLibraryFile["Shared Library File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1574004["Dylib Hijacking"] ;
          class FileEncryption DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";                            RestoreFile["Restore File"] -->
          | restores | SharedLibraryFile["Shared Library File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1574004["Dylib Hijacking"] ;
          class RestoreFile DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile";                            FileAnalysis["File Analysis"] -->
          | analyzes | SharedLibraryFile["Shared Library File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1574004["Dylib Hijacking"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";  RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | SharedLibraryFile["Shared Library File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1574004["Dylib Hijacking"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";

json