MITRE ATT&CK® Analytic

AN0391: Analytic 0391

Detects DYLD_INSERT_LIBRARIES abuse to hook credential-sensitive applications by correlating process spawns with unauthorized library injection and monitoring changes to the __TEXT segment (code) of credential handling binaries.

Enterprise | AN0391 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it focuses on a macOS abuse pattern where dynamic library injection is used against credential-sensitive applications. For leaders, the practical issue is not just malware detection; it is whether the organization can see when trusted credential-handling software is being altered or hooked in a way that could undermine identity assurance and incident response confidence.

Executive priority

Prioritize this as a macOS identity and endpoint visibility validation item. Security leaders should ask whether SOC and incident response teams can prove they collect enough macOS process, environment, library-loading, and binary integrity evidence to investigate unauthorized DYLD_INSERT_LIBRARIES use against credential-related applications. This can support control assurance, audit evidence, and faster decisions during suspected credential compromise, but the supplied ATT&CK object does not indicate active exploitation, attribution, or a specific tactic.

Technical view

AN0391 is a macOS detection analytic for identifying abuse of DYLD_INSERT_LIBRARIES by correlating process spawns with unauthorized library injection and monitoring changes to the __TEXT code segment of credential-handling binaries. Two properties of the mechanism shape the data model. First, DYLD_INSERT_LIBRARIES is an environment variable that dyld reads when a process starts, so it is set by the parent before exec and is only observable if process-creation telemetry captures the child's environment together with parent context. Second, dyld discards DYLD_* variables for restricted processes (setuid binaries, and hardened-runtime or library-validated binaries that lack the com.apple.security.cs.allow-dyld-environment-variables entitlement), so the variable's presence on a credential-handling process is evidence of intent even when the injection itself fails. Because no official detection logic is provided, teams should validate the data model and correlation approach locally: identify credential-sensitive applications, define what authorized library injection looks like, monitor process creation context and relevant environment variables, and compare binary/code segment integrity against known-good baselines.

Likely telemetry

  • macOS process creation events, including parent/child process context
  • Process environment data where available, especially DYLD_INSERT_LIBRARIES presence or related dynamic loader context
  • Dynamic library load or injection-related endpoint telemetry
  • File integrity or binary integrity monitoring for credential-handling applications
  • Code segment or executable image change evidence for monitored binaries

Detection direction

  • Confirm whether macOS telemetry includes enough process spawn and environment-variable detail to observe DYLD_INSERT_LIBRARIES usage.
  • Build or validate an allowlist of legitimate library injection or development activity to reduce false positives.
  • Correlate suspicious process execution with unauthorized library injection and integrity changes to credential-handling binaries rather than alerting on a single weak signal alone.
  • Define which local applications are credential-sensitive; ATT&CK does not provide that inventory for the environment.
  • Test visibility for changes to the __TEXT segment or equivalent binary integrity indicators on protected macOS assets.
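The correlation described in the Technical view and the Detection direction list, worked over constructed telemetry. This is an added example and is not part of the ATT&CK object or the Glexia page; the event schema, the credential-application inventory, the library allowlist and the baseline digests are all assumptions that a local implementation must replace with its own EDR fields and inventories.

```python
"""Correlate DYLD_INSERT_LIBRARIES use with credential-sensitive process spawns
and with __TEXT integrity evidence.

Added example for this page; it is not part of the ATT&CK object and does not
reflect any vendor's schema. The event shape, application inventory, allowlist
and baseline digests are assumptions to be replaced locally.
"""
import json
from typing import Dict, List, Optional

# Assumed inventory of credential-handling binaries (illustrative, not exhaustive).
CREDENTIAL_APPS = {"/usr/bin/security", "/usr/bin/ssh", "/usr/bin/sudo"}

# Assumed allowlist: exact library paths and trusted prefixes that may legitimately
# appear in DYLD_INSERT_LIBRARIES (for example debugging or profiling tooling).
ALLOWED_LIBRARIES = {"/usr/lib/libgmalloc.dylib"}
ALLOWED_PREFIXES = ("/usr/lib/", "/System/Library/")

# Assumed known-good SHA-256 digests of each binary's __TEXT segment.
TEXT_BASELINE = {"/usr/bin/security": "aaaa", "/usr/bin/ssh": "bbbb", "/usr/bin/sudo": "cccc"}

# Constructed sample telemetry (not real data), one JSON record per line.
# "integrity" records stand in for binary-integrity monitoring output;
# "exec" records stand in for process-creation telemetry that captures the environment.
SAMPLE_EVENTS = """
{"type":"integrity","path":"/usr/bin/security","text_sha256":"dead"}
{"type":"integrity","path":"/usr/bin/ssh","text_sha256":"bbbb"}
{"type":"integrity","path":"/usr/bin/sudo","text_sha256":"cccc"}
{"type":"exec","pid":501,"ppid":400,"path":"/usr/bin/security","env":{"DYLD_INSERT_LIBRARIES":"/tmp/.cache/libhook.dylib","HOME":"/Users/alice"}}
{"type":"exec","pid":502,"ppid":400,"path":"/usr/bin/ssh","env":{"DYLD_INSERT_LIBRARIES":"/usr/lib/libgmalloc.dylib"}}
{"type":"exec","pid":503,"ppid":400,"path":"/Applications/Xcode.app/Contents/MacOS/Xcode","env":{"DYLD_INSERT_LIBRARIES":"/Users/alice/dev/libdebug.dylib"}}
{"type":"exec","pid":504,"ppid":1,"path":"/usr/bin/ssh","env":{}}
{"type":"exec","pid":505,"ppid":400,"path":"/usr/bin/sudo","env":{"DYLD_INSERT_LIBRARIES":"/Users/alice/Library/.x/libhook.dylib:/usr/lib/libgmalloc.dylib"}}
"""


def unauthorized_libraries(env: Dict[str, str]) -> List[str]:
    """Return injected library paths that are neither allowlisted nor under a trusted prefix.
    dyld reads DYLD_INSERT_LIBRARIES as a colon-separated list of paths."""
    value = env.get("DYLD_INSERT_LIBRARIES", "")
    paths = [p for p in value.split(":") if p]
    return [p for p in paths
            if p not in ALLOWED_LIBRARIES and not p.startswith(ALLOWED_PREFIXES)]


def evaluate_exec(event: dict, observed_text: Dict[str, str]) -> Optional[dict]:
    """Score one exec record against injection evidence and __TEXT integrity evidence."""
    path = event["path"]
    bad_libs = unauthorized_libraries(event.get("env", {}))
    # An integrity mismatch only counts when both a baseline and an observation exist.
    expected = TEXT_BASELINE.get(path)
    observed = observed_text.get(path)
    text_changed = expected is not None and observed is not None and expected != observed
    if not bad_libs and not text_changed:
        return None
    credential_target = path in CREDENTIAL_APPS
    if credential_target and bad_libs and text_changed:
        severity = "high"      # both weak signals line up on a credential-handling binary
    elif credential_target:
        severity = "medium"    # one signal on a credential-handling binary
    else:
        severity = "low"       # unauthorized injection elsewhere: triage, do not page
    return {"pid": event["pid"], "ppid": event["ppid"], "path": path,
            "severity": severity, "unauthorized_libraries": bad_libs,
            "text_changed": text_changed}


def correlate(raw_lines: str) -> List[dict]:
    """Two-pass correlation: collect integrity observations, then score exec events."""
    events = [json.loads(line) for line in raw_lines.strip().splitlines()]
    observed_text = {e["path"]: e["text_sha256"] for e in events if e["type"] == "integrity"}
    alerts = []
    for e in events:
        if e["type"] != "exec":
            continue
        alert = evaluate_exec(e, observed_text)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run against the constructed records, pid 501 scores high (unauthorized library plus a __TEXT digest that no longer matches the baseline), pid 505 scores medium (unauthorized library on a credential-handling binary, integrity intact), pid 503 scores low (unauthorized library on a non-credential application), and pids 502 and 504 produce nothing. The allowlist is matched by exact path or trusted prefix; a relative path or a path under a user-writable directory never matches, which is the usual shape of an injected hook.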

Mitigation priorities

  • Establish a baseline of approved credential-handling binaries and authorized library-loading behavior on macOS systems.
  • Harden endpoint monitoring and integrity controls around applications that process credentials.
  • Restrict unnecessary local administrative capability and unauthorized software modification paths where operationally feasible.
  • Ensure incident response playbooks include macOS evidence collection for process context, environment variables, loaded libraries, and binary integrity state.
  • Use detection validation results to prioritize endpoint tooling or configuration improvements where required telemetry is missing.
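The baseline of approved credential-handling binaries called for in the first mitigation item, and the __TEXT change evidence listed under Likely telemetry, both need a way to hash exactly the code segment rather than the whole file. The following is an added example, not part of the ATT&CK object or any vendor tool: it parses a thin 64-bit Mach-O image, locates the LC_SEGMENT_64 load command named __TEXT and hashes the file bytes it covers. The build_test_image helper constructs a minimal fixture for demonstration and is not a real binary; real images place __TEXT at file offset 0 so that the header and load commands are covered by the same digest.

```python
"""Hash the __TEXT segment of a 64-bit Mach-O image to build and check a baseline.

Added example for this page, not part of the ATT&CK object or any vendor tool.
Handles thin little-endian 64-bit Mach-O files only; universal (fat) binaries
must be split per architecture first (e.g. with lipo), which is out of scope.
"""
import hashlib
import struct

MH_MAGIC_64 = 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE            # big-endian marker of a universal binary
LC_SEGMENT_64 = 0x19
HEADER_FMT = "<IiiIIIII"          # mach_header_64: magic, cputype, cpusubtype, filetype,
                                  # ncmds, sizeofcmds, flags, reserved (32 bytes)
SEGMENT_FMT = "<II16sQQQQiiII"    # segment_command_64 without its section headers (72 bytes)


def text_segment_digest(blob: bytes) -> str:
    """Return the SHA-256 of the bytes the __TEXT segment occupies on disk."""
    if len(blob) < struct.calcsize(HEADER_FMT):
        raise ValueError("too short to be a Mach-O header")
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        raise ValueError("universal binary: split it per architecture first")
    if struct.unpack_from("<I", blob, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, 16)
    offset = struct.calcsize(HEADER_FMT)
    end = offset + sizeofcmds
    if end > len(blob):
        raise ValueError("load commands extend past end of file")
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", blob, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == LC_SEGMENT_64:
            segname, _vmaddr, _vmsize, fileoff, filesize = struct.unpack_from("<16sQQQQ", blob, offset + 8)
            if segname.rstrip(b"\x00") == b"__TEXT":
                if fileoff + filesize > len(blob):
                    raise ValueError("__TEXT extends past end of file")
                return hashlib.sha256(blob[fileoff:fileoff + filesize]).hexdigest()
        offset += cmdsize
    raise ValueError("no __TEXT segment found")


def check_against_baseline(blob: bytes, baseline_digest: str) -> bool:
    """True when the image's __TEXT segment still matches the recorded baseline."""
    return text_segment_digest(blob) == baseline_digest


def build_test_image(text: bytes, data: bytes) -> bytes:
    """Construct a minimal Mach-O with one __TEXT and one __DATA segment.
    Test fixture only (assumption: not a loadable binary); unlike a real image,
    __TEXT here starts after the load commands rather than at file offset 0."""
    seg_size = struct.calcsize(SEGMENT_FMT)
    sizeofcmds = 2 * seg_size
    text_off = struct.calcsize(HEADER_FMT) + sizeofcmds
    data_off = text_off + len(text)
    # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, 2, sizeofcmds, 0, 0)

    def segment(name: bytes, fileoff: int, size: int, prot: int) -> bytes:
        return struct.pack(SEGMENT_FMT, LC_SEGMENT_64, seg_size, name,
                           0, size, fileoff, size, prot, prot, 0, 0)

    return (header
            + segment(b"__TEXT", text_off, len(text), 5)   # r-x
            + segment(b"__DATA", data_off, len(data), 3)   # rw-
            + text + data)


if __name__ == "__main__":
    original = build_test_image(b"\xc3" * 64, b"\x00" * 16)          # 0xc3 stands in for code
    baseline = text_segment_digest(original)
    code_patched = build_test_image(b"\xcc" + b"\xc3" * 63, b"\x00" * 16)  # one code byte changed
    data_only = build_test_image(b"\xc3" * 64, b"\x01" * 16)         # only __DATA changed
    print("baseline:", baseline)
    print("code patch detected:", not check_against_baseline(code_patched, baseline))
    print("data-only change ignored:", check_against_baseline(data_only, baseline))
```

Two caveats for anyone wiring this into a baseline job. Hashing the on-disk __TEXT segment detects patched binaries; it does not detect DYLD_INSERT_LIBRARIES itself, which leaves the file untouched and hooks the process at load time, so the injection signal still has to come from process and environment telemetry. In-memory modification of __TEXT (for example an inline hook written after re-protecting the page) is only visible by reading the target's memory, which on macOS requires task-level access that is itself entitlement- and privilege-gated.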

Analyst notes and limits

The object is a detection analytic, not a technique or procedure. It is scoped to macOS and describes a correlation concept for DYLD_INSERT_LIBRARIES abuse against credential-sensitive applications. No tactics, relationships, aliases, labels, or official detection query were supplied, so local implementation requires environment-specific application inventory, baselines, and telemetry validation.

This take is limited to the supplied ATT&CK fields and external reference. It does not establish adversary use, prevalence, impact, or existing coverage. No relationship context or detection logic was provided, and the ATT&CK object does not identify specific products, event IDs, or mitigation controls.

Official MITRE ATT&CK definition

Analytic 0391

Detects DYLD_INSERT_LIBRARIES abuse to hook credential-sensitive applications by correlating process spawns with unauthorized library injection and monitoring changes to the __TEXT segment (code) of credential handling binaries.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c6b4aa7b0addd8a6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | c6b4aa7b0add…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0391 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.