Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0435: Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking

DET0435 is a MITRE detection strategy object for Dynamic Linker Hijacking, a Linux and macOS execution behavior where adversaries may abuse dynamic linker...

EnterpriseDET0435Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0435 is a MITRE detection strategy object for Dynamic Linker Hijacking, a Linux and macOS execution behavior where adversaries may abuse dynamic linker environment variables or related files to cause a program to load attacker-controlled shared libraries. The business issue is not just malware execution; it is whether the organization can prove it would notice suspicious library-loading paths before they become stealthy persistence or execution events.

Executive priority

Prioritize this as a control-validation and visibility question for Linux and macOS estates: do SOC and IR teams have evidence of process launches, relevant environment variables, shared library loads, and changes to linker-related configuration? This matters for resilience because the behavior sits at execution and stealth, and weak telemetry can leave responders unable to explain how a payload ran or whether similar systems are exposed.

Technical view

Use the relationship to T1574.006 as the practical scope: validate monitoring on Linux and macOS for unusual dynamic linker influence, including LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS where observable. Because the ATT&CK detection strategy object provides no official detection text, teams should treat this as a detection engineering gap assessment rather than a ready-made analytic. Focus on correlating process start context, environment-variable values, absolute shared-library paths, parent process lineage, and file/configuration changes that influence dynamic linker behavior.

Likely telemetry

  • Process creation telemetry, including command line, parent process, user, and launch context
  • Process environment-variable capture where available, especially dynamic linker-related variables
  • Shared library load telemetry or endpoint events showing loaded library paths
  • File creation/modification telemetry for locations or files that influence dynamic linker loading
  • macOS and Linux endpoint security logs from EDR, audit frameworks, or host monitoring tools

Detection direction

  • Confirm whether Linux and macOS telemetry includes process environment variables; many environments collect process starts but not the environment block, creating a major blind spot.
  • Look for uncommon or unexpected dynamic linker-related variables associated with sensitive, privileged, service, or user-login processes.
  • Tune detections around context: developer tooling, testing harnesses, and legitimate application wrappers may use linker variables and can create false positives.
  • Correlate suspicious library paths with file provenance, recent creation/modification, user context, and parent process lineage rather than alerting only on variable names.
  • Validate whether detections cover both interactive shells and non-interactive execution paths such as services, launch mechanisms, or scheduled execution where available in local telemetry.

Mitigation priorities

  • Inventory Linux and macOS systems where dynamic linker environment-variable telemetry and library-load visibility are available versus missing.
  • Harden high-value servers and administrative workstations first, especially where unexpected library injection would affect privileged or business-critical processes.
  • Restrict write access to directories and files that could influence executable or shared-library loading for sensitive applications.
  • Use allowlisting, endpoint controls, and configuration management where appropriate to reduce unauthorized library placement or execution influence.
  • Document detection coverage and exceptions as audit evidence, including known legitimate uses that have been reviewed.
Analyst notes and limits

The supplied object is a detection strategy with no official description or detection content. The usable context comes from its relationship to ATT&CK technique T1574.006, Dynamic Linker Hijacking, which is associated with Linux and macOS and tactics of execution and stealth. Local baselining is essential because legitimate software and development workflows can use dynamic linker variables.

This take is constrained to the supplied STIX fields, external reference, and relationship context. It does not assert active exploitation, attribution, prevalence, or guaranteed detection. Specific analytic logic, severity, and control recommendations require local telemetry, operating-system configuration, and business-critical asset context.

Official MITRE ATT&CK definition

Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1574.006 Dynamic Linker Hijacking Sub-technique This object detects Dynamic Linker Hijacking.
Relationship explorer

All related ATT&CK context

detects · Technique T1574.006: Dynamic Linker Hijacking Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
69b437f9885e63e3...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 69b437f9885e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0435
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use