AN0435: Analytic 0435
Detection focuses on adversaries placing or modifying malicious dylibs in locations searched by legitimate applications. From the defender’s perspective, observable patterns include unexpected creation or modification of dylib files in application bundle paths, unusual module loads by processes compared to historical baselines, and execution of applications loading dylibs from suspicious directories (e.g., /tmp, user-controlled paths). Correlation across file system changes, process execution, and module loads provides high-fidelity detection.
Analyst context for executives and security teams
This analytic is about spotting suspicious macOS dynamic library activity: malicious dylib files being placed or changed where legitimate applications may load them. For leaders, the practical issue is trust in endpoint execution: if attackers can influence what code a normal application loads, malicious activity may appear to come from expected software. Coverage depends on whether the organization collects file-change, process execution, and module-load evidence on macOS systems.
Executive priority
Prioritize this where macOS endpoints support business-critical users, privileged administrators, developers, or regulated workflows. The decision value is to verify whether endpoint monitoring can prove which libraries applications load and whether unexpected dylib changes are investigated. This supports incident response readiness, audit evidence for endpoint control effectiveness, and prioritization of macOS detection engineering rather than assuming Windows-centric telemetry is sufficient.
Technical view
Validate detection logic around unexpected creation or modification of .dylib files in application bundle paths, applications loading dylibs from suspicious locations such as /tmp or user-controlled directories, and module-load behavior that differs from historical baselines. Because no ATT&CK tactic or relationship context is supplied, treat this as a macOS detection analytic for suspicious library placement/loading rather than tying it to a specific campaign or intrusion phase. Highest fidelity comes from correlating file system events, process execution, and module loads for the same host and time window.
Likely telemetry
- macOS file creation and modification events for dylib files
- File path context for application bundles and user-controlled directories
- Process execution events for applications loading libraries
- Module or library load telemetry showing dylib path and loading process
- Historical baselines of normal module loads per application or host
Detection direction
- Confirm macOS telemetry includes both file modification events and module-load visibility; process logs alone may miss the key behavior.
- Baseline common dylib load paths for legitimate applications, then alert on new or unusual library paths, especially temporary or user-writable locations.
- Correlate suspicious dylib creation or modification with subsequent execution of an application that loads that dylib.
- Tune for legitimate software updates, developer activity, and application installation workflows that may create or modify dylibs.
- Avoid overclaiming coverage if module-load telemetry is unavailable; file events without load evidence may be lower confidence.
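The three correlation rules above (user-writable load path, load outside the application's baseline, dylib written shortly before it is loaded), as an added example that is not part of the ATT&CK object or Glexia's analysis. The event field names, the baseline entries, the path prefixes and the sample events are all constructed assumptions, not any vendor's schema.

```python
"""Correlate macOS file, process and module-load events for suspicious dylib activity."""
from collections import namedtuple

# Hypothetical normalized event shape (assumed, not a real EDR schema).
Event = namedtuple("Event", "ts host kind proc path")

# Constructed baseline: dylib paths each application has historically loaded on this fleet.
BASELINE = {
    "Safari": {"/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit"},
    "Notes": {"/Applications/Notes.app/Contents/Frameworks/NotesCore.dylib"},
}
# Temporary or user-writable locations a legitimate app should not load code from.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/", "/var/folders/")

def dylib_findings(events, baseline=BASELINE, window=300):
    """Return (reason, event) tuples for module loads that warrant review.
    A load is flagged when its path is user-writable, when it is outside the
    loading application's baseline, or when the same dylib was created or
    modified on the same host within `window` seconds before the load."""
    findings = []
    recent_writes = {}  # (host, path) -> timestamp of last dylib create/modify
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in ("file_create", "file_modify") and ev.path.endswith(".dylib"):
            recent_writes[(ev.host, ev.path)] = ev.ts
        elif ev.kind == "module_load":
            if ev.path.startswith(SUSPICIOUS_PREFIXES):
                findings.append(("load_from_user_writable_path", ev))
            known = baseline.get(ev.proc)
            if known is not None and ev.path not in known:
                findings.append(("load_outside_baseline", ev))
            wrote = recent_writes.get((ev.host, ev.path))
            if wrote is not None and 0 <= ev.ts - wrote <= window:
                findings.append(("dylib_modified_then_loaded", ev))
    return findings

# Constructed sample telemetry: one normal load, one in-bundle update followed by a
# load (the case that needs tuning against installers), and one /tmp drop-then-load.
SAMPLE_EVENTS = [
    Event(1000, "mac-01", "module_load", "Safari",
          "/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit"),
    Event(1100, "mac-01", "file_modify", "installer",
          "/Applications/Notes.app/Contents/Frameworks/NotesCore.dylib"),
    Event(1160, "mac-01", "module_load", "Notes",
          "/Applications/Notes.app/Contents/Frameworks/NotesCore.dylib"),
    Event(1200, "mac-02", "file_create", "bash", "/tmp/libhelper.dylib"),
    Event(1230, "mac-02", "module_load", "Notes", "/tmp/libhelper.dylib"),
]

if __name__ == "__main__":
    for reason, ev in dylib_findings(SAMPLE_EVENTS):
        print(f"{ev.host} {ev.proc} {reason}: {ev.path}")
```

The mac-01 finding is the tuning case from the list above: a bundle dylib rewritten by an installer and then loaded is expected during updates, so that rule should be joined with process context (which process wrote the file) before it alerts on its own.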
Mitigation priorities
- Ensure macOS endpoint monitoring is deployed and configured to capture relevant file, process, and module-load evidence.
- Restrict unnecessary write access to application bundle paths and other sensitive locations where feasible.
- Maintain controlled software installation and update processes so legitimate dylib changes are explainable.
- Use incident response procedures that preserve file metadata, process context, and loaded-module evidence when suspicious dylib activity is found.
- Review macOS detection coverage separately from Windows/Linux assumptions, especially for high-risk user groups.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, AN0435, for macOS dylib placement or modification in locations searched by legitimate applications. No relationships, tactics, mitigations, procedures, or adversary context were supplied, so this take focuses on defensive validation and telemetry requirements rather than threat attribution or campaign behavior.
Official detection logic is not provided, and no relationship context is supplied. Local baselines are required to distinguish malicious dylib activity from normal application updates, development workflows, or administrative software changes.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 41415a6ea54e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.