T1574.004: Dylib Hijacking
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
Adversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.[1][2][3][4] Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.[5][6][7]
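The search-order and weak-linking behaviour described above, as an added defender-side audit (not code from MITRE, Glexia or the cited research): it models how dyld resolves a `@rpath/` reference through the ordered LC_RPATH entries and reports candidate directories that are searched before the real library yet writable by a non-root user, plus weak imports that exist nowhere. The load commands, bundle path and directory ownership are constructed inline; on a real host they would come from `otool -l` and `stat`, and the model omits DYLD_* environment overrides.

```python
import os
import stat
# Constructed input (not from the page): load commands in Mach-O order, as
# `otool -l` would list them for the hypothetical /Applications/Demo.app.
SAMPLE_CMDS = [
    ("LC_RPATH", "@executable_path/../Frameworks"),
    ("LC_RPATH", "/usr/local/lib"),
    ("LC_LOAD_DYLIB", "@rpath/libcore.dylib"),
    ("LC_LOAD_WEAK_DYLIB", "@rpath/libplugin.dylib"),
]
# Constructed filesystem view: directory -> (exists, mode, owner uid); file -> True.
SAMPLE_FS = {
    "/Applications/Demo.app/Contents/Frameworks": (True, 0o755, 0),
    "/Applications/Demo.app/Contents/Frameworks/libcore.dylib": True,
    "/usr/local/lib": (True, 0o775, 501),
}
EXE_DIR = "/Applications/Demo.app/Contents/MacOS"

def expand_rpaths(rpaths, exe_dir, loader_dir=None):
    """Resolve @executable_path/@loader_path in LC_RPATH entries, keeping their order."""
    loader_dir = loader_dir or exe_dir
    return [os.path.normpath(r.replace("@executable_path", exe_dir)
                             .replace("@loader_path", loader_dir)) for r in rpaths]

def candidate_paths(ref, rpaths):
    """Full paths dyld tries, in order, for one @rpath/... reference."""
    if not ref.startswith("@rpath/"):
        return [ref]
    return [os.path.join(r, ref[len("@rpath/"):]) for r in rpaths]

def audit(load_cmds, exe_dir, fs):
    """Return (ref, weak, candidate, reason) for each search-order exposure found."""
    rpaths = expand_rpaths([c[1] for c in load_cmds if c[0] == "LC_RPATH"], exe_dir)
    findings = []
    for cmd, ref in load_cmds:
        if cmd not in ("LC_LOAD_DYLIB", "LC_LOAD_WEAK_DYLIB"):
            continue
        weak = cmd == "LC_LOAD_WEAK_DYLIB"
        for cand in candidate_paths(ref, rpaths):
            if fs.get(cand):  # first existing candidate wins; dyld stops searching here
                break
            exists, mode, uid = fs.get(os.path.dirname(cand), (False, 0, 0))
            # Dir searched before the real library and writable by non-root: the gap M1022 closes.
            if exists and (uid != 0 or mode & stat.S_IWOTH):
                findings.append((ref, weak, cand, "earlier search dir writable by non-root"))
        else:  # nothing found on any path; a weak import means the app still launches
            if weak:
                findings.append((ref, weak, None, "weak import absent on every search path"))
    return findings
```

Running `audit(SAMPLE_CMDS, EXE_DIR, SAMPLE_FS)` on the constructed data reports the user-owned `/usr/local/lib` slot for the missing weak import and the absent import itself, while `libcore.dylib` is clean because its first candidate already exists.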
Analyst context for executives and security teams
Dylib Hijacking is a macOS execution-flow abuse technique where an adversary places a malicious dynamic library where an application is expected to search at runtime. The business issue is not only malware execution; it is that the activity can appear to run inside a legitimate application process, potentially inheriting that application’s privileges, resources, and network access. For organizations with managed macOS fleets, this makes application packaging, filesystem permissions, and process/file telemetry important parts of resilience and incident readiness.
Executive priority
Prioritize this where macOS endpoints support privileged applications, business-critical user workflows, developer tools, or applications with broad network access. Leaders should ask whether endpoint hardening prevents unauthorized writes into application and library search paths, whether SOC telemetry can connect suspicious dylib placement to subsequent legitimate-process execution, and whether IR teams can quickly determine whether a trusted macOS application loaded an unexpected library. This technique also supports compliance evidence around least privilege and change control for sensitive file locations.
Technical view
ATT&CK lists this as a macOS sub-technique of Hijack Execution Flow under stealth and execution. The supplied description centers on runtime dylib search order, @rpath-relative paths, and weak linking such as LC_LOAD_WEAK_DYLIB, where a missing expected dylib may allow an attacker-controlled dylib with the expected name to be loaded. SOC and IR teams should validate coverage for unexpected dylib creation or modification in application search paths, followed by loading of that dylib by a legitimate application. Because MITRE provides no official detection text for this object, use the related detection strategy DET0152 as a prompt to build or assess local detection logic, not as proof of existing coverage.
Likely telemetry
- macOS file creation, modification, ownership, and permission changes in application directories and library search paths
- Process execution telemetry showing legitimate applications launching before or after suspicious dylib placement
- Dynamic library load telemetry, where available, tying a loaded dylib path to the loading process
- Mach-O metadata or application inspection evidence involving @rpath and weakly linked dylib references
- Endpoint security alerts or EDR events that correlate file writes with later execution under a trusted process
Detection direction
- Validate whether detections correlate two events: an unexpected dylib appearing in a searched path and a legitimate macOS application subsequently loading it.
- Tune for application-specific baselines; legitimate software updates, plug-ins, and developer workflows may create or replace dylibs.
- Pay special attention to writable directories that are searched before protected locations, because search order is central to the technique.
- Review privileged or network-enabled applications first, since the ATT&CK description notes that loaded dylibs inherit the application’s privilege level and resources.
- Account for blind spots where telemetry records the parent application but not the loaded library, causing malicious execution to be masked under a legitimate process.
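The two-event correlation the list above calls for, as an added example (not MITRE's or Glexia's detection logic, and not DET0152): a dylib written into a searched path by a non-installer process, then loaded by a legitimate application within a window, raises the high-confidence alert; where library-load telemetry is missing, the write alone raises a lower-confidence one. The log lines, field names, allowlist and search paths are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed telemetry (not real data): file writes, execs and library loads as an
# EDR might export them. Field names are assumptions for this example.
SAMPLE_LOG = """\
2026-01-05T10:00:01Z file_write pid=812 proc=/usr/bin/curl path=/usr/local/lib/libplugin.dylib
2026-01-05T10:00:03Z exec pid=900 proc=/Applications/Demo.app/Contents/MacOS/Demo
2026-01-05T10:00:04Z dylib_load pid=900 proc=/Applications/Demo.app/Contents/MacOS/Demo path=/usr/local/lib/libplugin.dylib
2026-01-05T10:02:00Z file_write pid=77 proc=/usr/sbin/installer path=/Library/Frameworks/libvendor.dylib
2026-01-05T10:02:30Z dylib_load pid=900 proc=/Applications/Demo.app/Contents/MacOS/Demo path=/Library/Frameworks/libvendor.dylib
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) pid=(?P<pid>\d+) proc=(?P<proc>\S+)(?: path=(?P<path>\S+))?")
# Tuning knobs (assumed values): trusted writers (updates, plug-in installs) and the
# search paths in scope; derive both from the local application inventory.
INSTALLER_ALLOWLIST = {"/usr/sbin/installer", "/usr/sbin/softwareupdate"}
SEARCH_PATHS = ("/usr/local/lib", "/Library/Frameworks")

def parse(text):
    """Parse the constructed line format into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return events

def correlate(events, window=timedelta(hours=24)):
    """Stage 1: write-only signal (works when load telemetry is absent).
    Stage 2: write followed by a load of that same path by a different process."""
    writes, alerts = {}, []
    for e in events:
        path = e.get("path") or ""
        if e["event"] == "file_write" and path.endswith(".dylib"):
            writes[path] = (e["ts"], e["proc"])
            if e["proc"] not in INSTALLER_ALLOWLIST and path.startswith(SEARCH_PATHS):
                alerts.append(("dylib_write_in_search_path", path, e["proc"]))
        elif e["event"] == "dylib_load":
            w = writes.get(path)
            if w and w[1] != e["proc"] and w[1] not in INSTALLER_ALLOWLIST \
                    and e["ts"] - w[0] <= window:
                alerts.append(("recent_dylib_write_then_load", path, e["proc"]))
    return alerts
```

On the constructed log, `correlate(parse(SAMPLE_LOG))` fires twice for the curl-written library and stays silent for the installer-written one, which is the baseline behaviour the tuning bullet describes.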
Mitigation priorities
- Apply M1022: restrict file and directory permissions so ordinary users or untrusted processes cannot write to sensitive application directories or dylib search paths.
- Remove unnecessary write permissions and enforce least privilege ownership on application bundles, support directories, and other paths used during runtime loading.
- Prioritize hardening for applications running with elevated privileges or broad network access.
- Maintain change-control and integrity baselines for macOS application directories so unauthorized dylib additions are reviewable during investigations.
- Pair permission hardening with monitoring; prevention alone may not reveal attempted placement or historical compromise.
Analyst notes and limits
Empire is listed as software that uses this technique, and multiple external references focus on macOS dylib hijacking research and tooling. The relationship to T1574 confirms this as one form of hijacking execution flow. The supplied ATT&CK object does not provide procedure-level details for a specific intrusion, so defensive use should focus on validating local macOS exposure, search-path hygiene, permissions, and telemetry quality.
Official ATT&CK detection content for this object is not provided. The supplied data supports macOS only and does not support claims about active exploitation, specific threat actors, customer exposure, or guaranteed detection. Local application inventories, file permission baselines, and endpoint telemetry are required to determine real coverage and risk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1157 | Dylib Hijacking | Dylib Hijacking was revoked by this object. |
| Enterprise | T1574 | Hijack Execution Flow | This object is a sub-technique of Hijack Execution Flow. |
Groups, software, and campaigns
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 097eb36d7fce… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Wardle Dylib Hijack Vulnerable Apps: Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021.
- [2] Wardle Dylib Hijacking OSX 2015: Patrick Wardle. (2015, March 1). Dylib Hijacking on OS X. Retrieved March 29, 2021.
- [3] Github EmpireProject HijackScanner: Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021.
- [4] Github EmpireProject CreateHijacker Dylib: Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021.
- [5] Writing Bad Malware for OSX: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017.
- [6] wardle artofmalware volume1: Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved November 17, 2024.
- [7] MalwareUnicorn macOS Dylib Injection MachO: Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021.
- [8] mitre-attack T1574.004
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.