MITRE ATT&CK® Analytic

AN1210: Analytic 1210

Detection centers on DYLD_INSERT_LIBRARIES and DYLD_LIBRARY_PATH abuse. Defender perspective: monitor for modification of these environment variables in shell or plist files, file creation of dylibs in user-controlled paths, and correlation of environment variable usage with unexpected module loads by user applications. Suspicious indicators include processes with DYLD_INSERT_LIBRARIES set, execution of applications loading untrusted dylibs, and anomalies in module load history.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is about spotting macOS abuse of dynamic library environment variables, especially DYLD_INSERT_LIBRARIES and DYLD_LIBRARY_PATH. For leaders, the practical issue is whether the organization can detect when user-controlled settings or files cause trusted applications to load unexpected code. That matters for endpoint resilience, incident scoping, and proving that macOS monitoring covers more than basic process execution.

Executive priority

Prioritize this where macOS endpoints support privileged users, developers, administrators, or business-critical workflows. The key business question is whether endpoint telemetry can show changes to shell or plist configuration, creation of dynamic libraries in user-writable locations, and unexpected module loads by user applications. This is a control-validation topic for SOC readiness and incident response evidence, not a claim of active exploitation or specific actor activity.

Technical view

Validate macOS visibility for DYLD_INSERT_LIBRARIES and DYLD_LIBRARY_PATH being set or modified in shell configuration and plist files. Correlate those events with creation of dylib files in user-controlled paths and subsequent application executions that load unexpected or untrusted dylibs. Because no tactic or relationship context is supplied, treat this as a detection analytic focused on macOS library-load behavior rather than a complete attack scenario.
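The file-side check described above, as an added example that is not part of the ATT&CK object or of Glexia's analysis: a small hunt that parses shell configuration files (here a constructed ~/.zshrc) and launchd property lists (a constructed LaunchAgent with an EnvironmentVariables dictionary) for DYLD_INSERT_LIBRARIES and DYLD_LIBRARY_PATH, and flags values that point into user-controlled directories. The sample contents, the label com.example.updater and the paths are constructed; the list of user-controlled prefixes is an assumption to tune per fleet.

```python
"""Hunt for DYLD_* settings persisted in shell configuration files and
launchd property lists. Inputs below are constructed samples, not real
host data."""
import plistlib
import re

DYLD_VARS = ("DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH")

# `export VAR=value` or bare `VAR=value`; a line starting with '#' never matches.
SHELL_ASSIGN_RE = re.compile(
    r"""^\s*(?:export\s+)?(DYLD_INSERT_LIBRARIES|DYLD_LIBRARY_PATH)=["']?([^"'#]*)""")
# `launchctl setenv VAR value` sets the variable for the whole launchd session.
LAUNCHCTL_RE = re.compile(
    r"""^\s*launchctl\s+setenv\s+(DYLD_INSERT_LIBRARIES|DYLD_LIBRARY_PATH)\s+["']?([^"'#\s]+)""")

# Assumed set of directories an unprivileged user can write to.
USER_CONTROLLED_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/",
                            "/var/folders/", "/private/var/folders/")


def in_user_controlled_path(path):
    return path.startswith(USER_CONTROLLED_PREFIXES)


def _finding(source, line, var, value, label=None):
    # Both variables accept colon-separated lists; flag if any entry is user-writable.
    parts = [p for p in value.split(":") if p]
    return {"source": source, "line": line, "var": var, "value": value,
            "label": label,
            "user_path": any(in_user_controlled_path(p) for p in parts)}


def scan_shell_config(text, source):
    """Return DYLD_* assignments found in a shell rc/profile file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SHELL_ASSIGN_RE.match(line) or LAUNCHCTL_RE.match(line)
        if m:
            findings.append(_finding(source, lineno, m.group(1), m.group(2).strip()))
    return findings


def scan_launchd_plist(data, source):
    """Return DYLD_* keys from a launchd plist's EnvironmentVariables dict."""
    plist = plistlib.loads(data)
    env = plist.get("EnvironmentVariables") or {}
    return [_finding(source, None, var, str(env[var]), plist.get("Label"))
            for var in DYLD_VARS if var in env]


def hunt(sources):
    """sources: (display_path, content) pairs; plist content is bytes."""
    findings = []
    for src, content in sources:
        if src.endswith(".plist"):
            findings.extend(scan_launchd_plist(content, src))
        else:
            findings.extend(scan_shell_config(content, src))
    return findings


# Constructed sample inputs (not taken from any real host).
SAMPLE_ZSHRC = """# constructed ~/.zshrc
export PATH=$HOME/bin:$PATH
# export DYLD_INSERT_LIBRARIES=/old/disabled.dylib
export DYLD_INSERT_LIBRARIES="/Users/alice/Library/Caches/libhelper.dylib"
DYLD_LIBRARY_PATH=/opt/vendor/lib   # vendor tooling, reviewed
launchctl setenv DYLD_INSERT_LIBRARIES /tmp/inject.dylib
"""

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/Example</string></array>
  <key>EnvironmentVariables</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/alice/Library/Application Support/Example/lib.dylib</string>
  </dict>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

SAMPLES = [("~/.zshrc", SAMPLE_ZSHRC),
           ("~/Library/LaunchAgents/com.example.updater.plist", SAMPLE_PLIST)]

if __name__ == "__main__":
    for f in hunt(SAMPLES):
        flag = "USER-CONTROLLED" if f["user_path"] else "system/vendor path"
        print(f"{f['source']}:{f['line']} {f['var']}={f['value']} [{flag}]")
```

On a live host, pair a scan like this with `launchctl getenv DYLD_INSERT_LIBRARIES` for the current session, since a variable set with `launchctl setenv` from an interactive shell leaves no file behind; the commented-out line in the sample is deliberately skipped so that disabled history does not page anyone.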

Likely telemetry

  • macOS process execution events with environment variable context where available
  • File modification events for shell configuration files (for example ~/.zshrc, ~/.zprofile, ~/.bash_profile) and for launchd property lists in the LaunchAgents and LaunchDaemons directories, where an EnvironmentVariables dictionary sets DYLD_* for the launched program
  • File creation events for .dylib files in user-writable directories such as the user's home, /tmp, and /var/folders
  • Module or library load telemetry for user applications
  • Endpoint inventory or baseline data for expected application library load behavior

Detection direction

  • Confirm whether EDR or macOS logging captures process environment variables, not just command lines. An Endpoint Security client can read the environment of an exec event (es_exec_env_count and es_exec_env); a feed that records only argv misses a variable exported from ~/.zshrc.
  • Alert or hunt for processes launched with DYLD_INSERT_LIBRARIES or DYLD_LIBRARY_PATH set, especially when tied to user applications. Note that dyld ignores these variables for restricted processes (setuid/setgid binaries, hardened-runtime binaries without the com.apple.security.cs.allow-dyld-environment-variables entitlement, and SIP-protected platform binaries), so a set variable shows intent but not success; the module-load event is what confirms the injection happened.
  • Correlate environment variable changes with new dylib creation in user-writable paths and unexpected module loads, and treat a dylib that is created and then loaded by a different process shortly afterwards as the strongest combination.
  • Baseline legitimate developer, testing, or administrative workflows that may use DYLD variables (Xcode test runs and some profiling or instrumentation tools inject libraries this way) to reduce false positives.
  • Review blind spots where module-load telemetry is unavailable or where plist and shell file monitoring is incomplete.
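The correlation the bullets above describe, run over a constructed batch of endpoint events, as an added example that is not part of the ATT&CK object or of Glexia's analysis. The event shape (exec with environment, file_create, module_load), the BASELINE_DYLD_USERS set, the application names and the paths are all assumptions rather than any EDR's real schema; the logic is what matters: a DYLD_* variable on a non-baselined process is a medium-severity signal, a load of the inserted library or of a freshly created user-path dylib is high, and a baselined tool loading from its own declared DYLD_LIBRARY_PATH stays quiet.

```python
"""Correlate process-exec, file-create and module-load events for DYLD_*
abuse. Event records and the baseline are constructed for this example."""
import os

USER_CONTROLLED_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/",
                            "/var/folders/", "/private/var/folders/")
SYSTEM_LIB_PREFIXES = ("/usr/lib/", "/System/Library/", "/Library/Apple/")
SEVERITY = ("low", "medium", "high")

# Hypothetical baseline: tooling allowed to run with DYLD_* set; loads from
# its own declared DYLD_* locations are expected and not alerted.
BASELINE_DYLD_USERS = {"/usr/bin/xcrun"}


def in_user_controlled_path(path):
    return path.startswith(USER_CONTROLLED_PREFIXES)


def _split(value):
    return [p for p in (value or "").split(":") if p]


def _bump(current, new):
    return max(current, new, key=SEVERITY.index)


def expected_load(proc, path):
    """A load is explained by system locations, the app's own bundle, or a
    baselined tool's declared DYLD_* locations."""
    exe = proc["exe"]
    if path.startswith(SYSTEM_LIB_PREFIXES):
        return True
    if "/Contents/" in exe and path.startswith(exe.split("/Contents/")[0] + "/"):
        return True
    return exe in BASELINE_DYLD_USERS and (
        path in proc["inserted"] or os.path.dirname(path) in proc["search_dirs"])


def correlate(events, window_s=3600):
    """Walk events in time order; return a list of alert dicts."""
    procs, created, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "file_create":
            # Remember recently created dylibs in user-controlled paths.
            if ev["path"].endswith(".dylib") and in_user_controlled_path(ev["path"]):
                created[ev["path"]] = ev
        elif kind == "exec":
            env = ev.get("env") or {}
            proc = dict(ev, inserted=_split(env.get("DYLD_INSERT_LIBRARIES")),
                        search_dirs=_split(env.get("DYLD_LIBRARY_PATH")))
            procs[ev["pid"]] = proc
            if (proc["inserted"] or proc["search_dirs"]) and ev["exe"] not in BASELINE_DYLD_USERS:
                alerts.append({"rule": "dyld_env_set", "severity": "medium",
                               "pid": ev["pid"], "exe": ev["exe"], "user": ev["user"],
                               "detail": proc["inserted"] + proc["search_dirs"],
                               "reasons": ["DYLD_* set on non-baselined process"]})
        elif kind == "module_load":
            proc, path = procs.get(ev["pid"]), ev["path"]
            if proc is None or expected_load(proc, path):
                continue
            reasons, severity = [], "low"
            if path in proc["inserted"]:
                reasons.append("path listed in DYLD_INSERT_LIBRARIES")
                severity = _bump(severity, "high")
            if in_user_controlled_path(path):
                reasons.append("library outside app bundle in user-controlled path")
                severity = _bump(severity, "medium")
            c = created.get(path)
            if c and 0 <= ev["ts"] - c["ts"] <= window_s:
                reasons.append(f"dylib created {ev['ts'] - c['ts']}s earlier by {c['user']}")
                severity = _bump(severity, "high")
            if reasons:
                alerts.append({"rule": "untrusted_module_load", "severity": severity,
                               "pid": ev["pid"], "exe": proc["exe"], "user": proc["user"],
                               "detail": path, "reasons": reasons})
    return alerts


# Constructed events; Example.app and Browser.app are placeholders.
SAMPLE_EVENTS = [
    {"ts": 1000, "type": "file_create", "user": "alice", "pid": 401,
     "path": "/Users/alice/Library/Caches/libhelper.dylib"},
    {"ts": 1005, "type": "exec", "user": "alice", "pid": 402, "ppid": 401,
     "exe": "/Applications/Example.app/Contents/MacOS/Example",
     "env": {"DYLD_INSERT_LIBRARIES": "/Users/alice/Library/Caches/libhelper.dylib"}},
    {"ts": 1005, "type": "module_load", "pid": 402, "path": "/usr/lib/libSystem.B.dylib"},
    {"ts": 1006, "type": "module_load", "pid": 402,
     "path": "/Users/alice/Library/Caches/libhelper.dylib"},
    # Baselined developer tooling using its own build directory: no alert.
    {"ts": 1100, "type": "exec", "user": "dev", "pid": 500, "ppid": 1,
     "exe": "/usr/bin/xcrun", "env": {"DYLD_LIBRARY_PATH": "/Users/dev/build/lib"}},
    {"ts": 1100, "type": "module_load", "pid": 500, "path": "/Users/dev/build/lib/libtest.dylib"},
    # No DYLD_* variable, but a user-path library is still loaded.
    {"ts": 1200, "type": "exec", "user": "bob", "pid": 600, "ppid": 1,
     "exe": "/Applications/Browser.app/Contents/MacOS/Browser", "env": {}},
    {"ts": 1200, "type": "module_load", "pid": 600,
     "path": "/Applications/Browser.app/Contents/Frameworks/Engine.framework/Engine"},
    {"ts": 1201, "type": "module_load", "pid": 600, "path": "/private/tmp/evil.dylib"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["rule"], a["pid"], a["exe"], a["detail"], a["reasons"])
```

The third alert (pid 600) is the case the page's "anomalies in module load history" indicator is about: nothing in the environment points at /private/tmp/evil.dylib, so only module-load telemetry compared against the app's own bundle and system locations catches it.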

Mitigation priorities

  • Limit unnecessary write access to locations that influence application execution or library loading.
  • Harden macOS endpoint monitoring to include shell files, plist files, dylib creation, and module-load evidence.
  • Establish approved baselines for developer or administrative use of DYLD-related environment variables.
  • Ensure incident response playbooks collect affected environment settings, related plist or shell file changes, created dylibs, and process/module history.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS and specifically names DYLD_INSERT_LIBRARIES, DYLD_LIBRARY_PATH, shell or plist modification, dylib creation in user-controlled paths, and unexpected module loads by user applications. No tactic, technique relationship, procedure example, or official detection logic was supplied.

This take is limited to the official fields and the single external reference provided. It does not establish prevalence, attribution, active exploitation, impact, or guaranteed detectability. Local macOS telemetry quality and application baselines are required to determine actual coverage.

Official MITRE ATT&CK definition

Analytic 1210

Detection centers on DYLD_INSERT_LIBRARIES and DYLD_LIBRARY_PATH abuse. Defender perspective: monitor for modification of these environment variables in shell or plist files, file creation of dylibs in user-controlled paths, and correlation of environment variable usage with unexpected module loads by user applications. Suspicious indicators include processes with DYLD_INSERT_LIBRARIES set, execution of applications loading untrusted dylibs, and anomalies in module load history.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: aeb6594cb75ff1ed...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   aeb6594cb75f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: AN1210 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.