T1546.006: LC_LOAD_DYLIB Addition
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.[1] There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.[2]
Analyst context for executives and security teams
LC_LOAD_DYLIB Addition is a macOS persistence and privilege-escalation technique where a Mach-O binary is altered so it loads a malicious dynamic library whenever that binary runs. For leaders, the risk is not just malware execution; it is tampering with trusted-looking software so normal user or system activity can repeatedly re-trigger attacker code.
Executive priority
Prioritize this where macOS systems support sensitive users, developers, administrators, or business-critical workflows. The key governance question is whether the organization can prove that important macOS binaries remain trusted, signed, and monitored for tampering. This technique also creates audit and incident-response value: teams need evidence showing whether code-signing controls, execution prevention, and file integrity review would expose modified binaries before they become durable persistence.
Technical view
ATT&CK lists this as a macOS sub-technique of Event Triggered Execution under persistence and privilege escalation. SOC and IR teams should validate whether they can identify Mach-O binaries with unexpected LC_LOAD_DYLIB commands, added dylib dependencies, invalid or removed code-signature metadata, and execution of tainted binaries. Because the official ATT&CK detection field is not provided, detection engineering should use the related DET0216 detection strategy as a starting point and test coverage against local macOS baselines rather than assuming existing EDR rules are sufficient.
Likely telemetry
- Mach-O binary metadata and load-command inspection results
- File integrity or endpoint telemetry showing modification of executable binaries
- macOS code-signing validation results, including invalid signatures or absent LC_CODE_SIGNATURE commands
- Process execution telemetry for modified or unusual binaries
- Dynamic library load evidence, especially unexpected dylib paths or dependencies
Detection direction
- Baseline high-value and commonly executed macOS Mach-O binaries so newly added LC_LOAD_DYLIB entries can be identified as deviations.
- Tune detections for binary tampering indicators such as changed headers, changed dependencies, invalid signatures, or removed code-signature load commands.
- Correlate modified binaries with subsequent execution and unexpected dylib loads to reduce false positives from legitimate software updates or administrative packaging activity.
- Use the related DET0216 detection strategy as ATT&CK-supported context, but validate locally because the technique object itself does not provide official detection logic.
- Treat developer tools, software deployment processes, and legitimate binary patching as false-positive sources that require allowlisting and change-control context.
Mitigation priorities
- Apply Code Signing expectations for macOS software and investigate binaries whose signatures are invalidated or no longer checked after modification.
- Use Execution Prevention controls to restrict unauthorized or malicious code from running, especially on managed macOS endpoints.
- Implement Audit practices that regularly review executable integrity, software changes, and anomalous binary metadata on systems where persistence risk matters.
- Sequence controls around business criticality: protect privileged-user and sensitive-workflow Macs first, then expand baselining and review to broader fleets.
Analyst notes and limits
This object is narrowly scoped to macOS Mach-O LC_LOAD_DYLIB tampering and is a sub-technique of T1546 Event Triggered Execution. The revoked predecessor T1161 maps to this object, so older reporting may use the prior ATT&CK identifier. The most useful defensive question is whether the organization can distinguish authorized software change from binary header manipulation that creates repeated malicious library loading.
The supplied ATT&CK object does not include an official detection description, procedure examples, malware or group relationships, or active exploitation claims. Telemetry and control recommendations are therefore derived from the technique description, platform, tactics, external references, and listed mitigation/detection relationships; local macOS architecture and tooling determine actual coverage.
LC_LOAD_DYLIB Addition
Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.[1] There are tools available to perform these changes.
Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.[2]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1546 | Event Triggered Execution | This object subtechnique of Event Triggered Execution. |
| Enterprise | T1161 | LC_LOAD_DYLIB Addition | LC_LOAD_DYLIB Addition revoked by this object. |
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | c7fbf06fac49… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Writing Bad Malware for OSX
Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017.
Open source URL -
[2]
Malware Persistence on OS X
Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.
Open source URL -
[3]
mitre-attack T1546.006Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.