AN0054: Analytic 0054
A process loads a non-system .dylib/.so via dyld (dlopen/dlsym) from user-writable locations (~/Library, /tmp) or after the library was recently created/downloaded, often followed by network egress or persistence.
Analyst context for executives and security teams
This analytic matters because unexpected macOS processes loading non-system dynamic libraries from user-writable locations such as ~/Library or /tmp can be a high-signal indicator that software execution has moved outside normal application packaging and system library paths. For leaders, the decision value is whether the organization can prove it sees risky library-loading behavior on macOS endpoints before it is followed by outbound network activity or persistence.
Executive priority
Prioritize this as a macOS endpoint visibility and response-readiness question: do security teams collect enough process, library-load, file-creation, download, network, and persistence evidence to explain why a non-system .dylib or .so was loaded from a user-writable path? This supports incident triage, audit evidence for endpoint monitoring, and control prioritization for managed detection and response programs covering macOS fleets.
Technical view
Validate coverage for macOS processes that load .dylib or .so files through dyld-related activity such as dlopen/dlsym when the library path is outside expected system locations, especially under ~/Library or /tmp, or when the library was recently created or downloaded. Because the official object does not provide a detection query or tactic mapping, teams should treat this as an analytic design requirement: correlate library-load events with file creation/download timing, parent process context, code-signing or provenance where available, subsequent network egress, and nearby persistence evidence.
Likely telemetry
- macOS process execution events with parent/child process context
- Dynamic library load events or endpoint telemetry showing loaded .dylib/.so paths
- File creation or modification events for libraries in user-writable locations such as ~/Library and /tmp
- Download or quarantine/provenance metadata where available
- Network connection or egress telemetry following the library load
Detection direction
- Build or validate detections that focus on non-system .dylib/.so loads from user-writable paths rather than all dynamic library loads, which may be too noisy.
- Correlate the library load with recent creation or download of the same file to improve signal quality.
- Increase severity when suspicious path context is followed by network egress or persistence-related activity, as described in the analytic.
- Tune known-good developer tools, enterprise software updaters, and legitimate applications that may load libraries from user space to reduce false positives.
- Check for blind spots in macOS endpoint telemetry: many environments collect process starts but not library-load details or file provenance.
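The correlation described in the technical view and the detection direction above (user-writable path, recent creation or download of the same file, follow-on egress or persistence, allowlisting of known-good loaders) can be expressed as a small piece of detection logic. The following Python is an added illustration and is not MITRE's or Glexia's code; the event schema (type, ts, pid, process, path, dest, quarantine), the expected-location prefixes, the allowlisted process names and the time windows are all assumptions, and the sample telemetry is constructed for the example.

```python
"""Correlate macOS dyld library-load telemetry with file provenance, network and
persistence evidence in the spirit of AN0054.  Added illustration: the event
schema, path prefixes, allowlist and windows below are assumptions, not any
product's real format or any vendor's tuning."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field

# Assumed "expected" library locations; loads from anywhere else are non-system.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/", "/Library/Apple/", "/Applications/")
# Broadly user-writable locations singled out by the analytic (fnmatch '*' spans '/').
USER_WRITABLE_GLOBS = ("/Users/*/Library/*", "/tmp/*", "/private/tmp/*")
# Locations whose creation right after the load counts as persistence evidence.
PERSISTENCE_GLOBS = ("/Users/*/Library/LaunchAgents/*", "/Library/LaunchDaemons/*")
# Tuning list of processes assumed to legitimately load user-space libraries.
ALLOWLISTED_PROCESSES = {"Xcode", "Code Helper (Plugin)"}
RECENT_CREATE_WINDOW = 300  # seconds: library created this close before the load
FOLLOW_ON_WINDOW = 600      # seconds: egress/persistence this close after the load


@dataclass
class Finding:
    pid: int
    process: str
    library: str
    reasons: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        """Severity grows with the corroborating evidence, as the analytic suggests."""
        if any(r.startswith(("network_egress", "persistence")) for r in self.reasons):
            return "high"
        if "recently_created" in self.reasons or "quarantined_download" in self.reasons:
            return "medium"
        return "low"


def _matches(path: str, globs) -> bool:
    return any(fnmatch.fnmatch(path, g) for g in globs)


def is_non_system_library(path: str) -> bool:
    """True for a .dylib/.so outside the assumed expected system/application prefixes."""
    return path.endswith((".dylib", ".so")) and not path.startswith(SYSTEM_PREFIXES)


def analyze(events: list[dict]) -> list[Finding]:
    """Return one Finding per suspicious load.  Each event is a dict with keys
    type (library_load | file_create | network_connect), ts (epoch seconds),
    pid, process, and path or dest; file_create may carry quarantine=True."""
    ordered = sorted(events, key=lambda e: e["ts"])
    findings: list[Finding] = []
    for ev in ordered:
        if ev["type"] != "library_load" or not is_non_system_library(ev["path"]):
            continue
        if ev["process"] in ALLOWLISTED_PROCESSES:
            continue  # tuned-out known-good loader
        if not _matches(ev["path"], USER_WRITABLE_GLOBS):
            continue  # non-system but not in a broadly user-writable location
        f = Finding(ev["pid"], ev["process"], ev["path"], ["user_writable_path"])
        for other in ordered:
            dt = other["ts"] - ev["ts"]
            same_file = other["type"] == "file_create" and other["path"] == ev["path"]
            if same_file and -RECENT_CREATE_WINDOW <= dt <= 0:
                f.reasons.append("recently_created")
                if other.get("quarantine"):
                    f.reasons.append("quarantined_download")
            elif other["pid"] == ev["pid"] and 0 < dt <= FOLLOW_ON_WINDOW:
                if other["type"] == "network_connect":
                    f.reasons.append(f"network_egress:{other['dest']}")
                elif other["type"] == "file_create" and _matches(other["path"], PERSISTENCE_GLOBS):
                    f.reasons.append(f"persistence:{other['path']}")
        findings.append(f)
    return findings


# Constructed sample telemetry (not real endpoint data).
SAMPLE_EVENTS = [
    {"type": "file_create", "ts": 1000, "pid": 501, "process": "Safari",
     "path": "/Users/alice/Library/Caches/helper.dylib", "quarantine": True},
    {"type": "library_load", "ts": 1120, "pid": 742, "process": "notes_sync",
     "path": "/Users/alice/Library/Caches/helper.dylib"},
    {"type": "network_connect", "ts": 1130, "pid": 742, "process": "notes_sync",
     "dest": "203.0.113.7:443"},
    {"type": "file_create", "ts": 1150, "pid": 742, "process": "notes_sync",
     "path": "/Users/alice/Library/LaunchAgents/com.example.sync.plist"},
    {"type": "library_load", "ts": 1200, "pid": 900, "process": "Xcode",
     "path": "/Users/alice/Library/Developer/plugin.dylib"},
    {"type": "library_load", "ts": 1300, "pid": 910, "process": "Finder",
     "path": "/usr/lib/libSystem.B.dylib"},
    {"type": "library_load", "ts": 1400, "pid": 920, "process": "python3",
     "path": "/tmp/build/mod.so"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding.severity, finding.process, finding.library, finding.reasons)
```

On the constructed sample the quarantined library loaded by `notes_sync` scores high (recent download, egress and a LaunchAgent within the window), the Xcode and /usr/lib loads are dropped by the allowlist and the system-prefix check, and the bare /tmp load stays a low-severity lead for baselining. The point the page makes about blind spots applies directly: if the telemetry lacks the `file_create` provenance or the `library_load` path, the logic degrades to the low tier and the severity escalation cannot be made.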
Mitigation priorities
- Ensure macOS endpoints are enrolled in telemetry capable of capturing process, file, library-load, network, and persistence-relevant events.
- Restrict or monitor execution and library loading from broadly user-writable locations where operationally feasible.
- Harden endpoint controls around downloaded files and user-writable directories, supported by policy and exception management.
- Use incident response playbooks that preserve the loaded library, originating process, download/provenance evidence, and any follow-on network or persistence artifacts.
- Document monitoring scope and known telemetry gaps as compliance and audit evidence for macOS endpoint coverage.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS only. It describes suspicious dynamic library loading via dyld mechanisms from user-writable locations or recently created/downloaded libraries, often followed by network egress or persistence. There are no supplied relationships, tactic mappings, aliases, labels, or official detection query, so this assessment focuses on validation and operationalization rather than a specific ATT&CK technique chain.
Assessment is limited to the official STIX fields and external reference provided for AN0054. No active exploitation, attribution, prevalence, specific tool behavior, or guaranteed detection coverage is implied. Local macOS software inventory, endpoint telemetry capability, and baselining are required to determine alert quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d0fd0ec7fb83… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0054 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.