Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0216: Detection Strategy for LC_LOAD_DYLIB Modification in Mach-O Binaries on macOS

This detection strategy matters because it is tied to a macOS persistence and privilege-escalation behavior: adding or modifying LC_LOAD_DYLIB load command...

EnterpriseDET0216Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because it is tied to a macOS persistence and privilege-escalation behavior: adding or modifying LC_LOAD_DYLIB load commands in Mach-O binaries so a tainted binary loads additional dynamic library content at execution time. For leaders, the practical issue is trust in endpoint application integrity: if critical macOS binaries or business applications can be altered without being noticed, incident responders may miss a durable foothold even when user accounts or startup items look clean.

Executive priority

Prioritize this as a macOS endpoint integrity and incident-readiness question rather than a standalone alert rule. Security leaders should ask whether managed detection, EDR, and compliance evidence can show when Mach-O binaries change, whether those changes are authorized, and whether responders can quickly distinguish approved software updates from suspicious persistence. This is most relevant for organizations with meaningful macOS fleets, privileged engineering workstations, or sensitive applications where local persistence could affect business continuity or audit confidence.

Technical view

The supplied ATT&CK object is a detection strategy for LC_LOAD_DYLIB modification in Mach-O binaries and is related to T1546.006, LC_LOAD_DYLIB Addition, under persistence and privilege escalation on macOS. SOC and detection engineering teams should validate whether they can observe changes to Mach-O headers/load commands, correlate those changes with file write events and execution, and compare modified binaries against known-good baselines. Because the official detection text is not provided, local implementation should focus on defensible evidence: which binary changed, which dylib load reference was introduced or altered, when execution occurred afterward, and whether the change aligns with expected software installation or update activity.

Likely telemetry

  • macOS endpoint file modification events for Mach-O binaries
  • File integrity or baseline comparison data for application and executable paths
  • Binary metadata, hashes, and code-signing or notarization state where collected
  • Execution telemetry showing the modified binary running after the change
  • Process, user, and parent-process context around the file modification

Detection direction

  • Confirm coverage specifically for macOS systems, because the related ATT&CK technique platform is macOS even though the detection-strategy object itself does not list platforms.
  • Baseline trusted Mach-O binaries and alert on unexpected LC_LOAD_DYLIB additions or changes, especially when followed by execution of the modified binary.
  • Tune for legitimate software updates, developer build activity, and package installation workflows to reduce false positives.
  • Correlate header/load-command changes with the modifying process and user context; a header change alone may be less actionable without provenance and execution context.
  • Validate that EDR or file integrity tooling inspects binary structure, not only filename, path, or hash changes; otherwise this behavior may appear only as a generic file modification.

Mitigation priorities

  • Establish asset and ownership clarity for macOS endpoints so unexpected binary modifications can be triaged quickly.
  • Maintain trusted software distribution and update processes to create an authoritative baseline for legitimate binary changes.
  • Use endpoint controls and permissions that limit unauthorized modification of application and executable locations.
  • Collect and retain file integrity, process, and execution telemetry long enough to support incident reconstruction.
  • Include this behavior in macOS hardening, detection validation, and incident response playbooks for persistence and privilege-escalation scenarios.
Analyst notes and limits

ATT&CK provides the detection-strategy identifier DET0216 and the relationship to T1546.006, but no official description or detection logic in the supplied fields. The decision value is therefore in validating whether local macOS telemetry can prove binary integrity and post-change execution context. Treat this as a coverage assessment prompt for managed detection, IR readiness, and endpoint integrity monitoring.

This take is constrained to the supplied STIX fields, external reference, and relationship context. The detection-strategy object has no official description, no official detection text, no listed tactics, and no listed platforms; macOS, persistence, and privilege escalation are derived only from the related T1546.006 technique. No claims are made about active exploitation, actor use, prevalence, or guaranteed detection.

Official MITRE ATT&CK definition

Detection Strategy for LC_LOAD_DYLIB Modification in Mach-O Binaries on macOS

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1546.006 LC_LOAD_DYLIB Addition Sub-technique This object detects LC_LOAD_DYLIB Addition.
Relationship explorer

All related ATT&CK context

detects · Technique T1546.006: LC_LOAD_DYLIB Addition Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
8846e23952a03547...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 8846e23952a0…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0216
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use