MITRE ATT&CK Technique
Description
**This technique has been deprecated and should no longer be used.** As of OS X 10.8, Mach-O binaries introduced a new header called LC_MAIN that points to the binary’s entry point for execution. Previously, there were two headers to achieve this same effect: LC_THREAD and LC_UNIXTHREAD (Citation: Prolific OSX Malware History). The entry point for a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then goes back to the initial entry point so that the victim doesn’t know anything was different (Citation: Methods of Mac Malware Persistence). By modifying a binary in this way, application whitelisting can be bypassed because the file name or application path is still the same.
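The following Python is an added example, not part of the ATT&CK entry: it walks a 64-bit Mach-O's load commands and reports which section LC_MAIN's entryoff lands in, which is the check a defender runs to spot an entry point redirected into a code cave or an appended section instead of __TEXT,__text. The Mach-O bytes it parses are constructed by build_sample and are not a loadable binary; fat binaries and the legacy LC_UNIXTHREAD path are out of scope.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF   # constants from <mach-o/loader.h>
LC_SEGMENT_64 = 0x19
LC_MAIN = 0x80000028       # LC_REQ_DYLD | 0x28

def load_commands(data):
    """Yield (cmd, raw_bytes) for each load command of a little-endian 64-bit Mach-O."""
    if struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    ncmds = struct.unpack_from("<I", data, 16)[0]
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def check_entry_point(data):
    """Map LC_MAIN.entryoff (a file offset) to the section that contains it.
    Anything other than __TEXT,__text (a code cave, an added section) is flagged."""
    entryoff, sections = None, []
    for cmd, raw in load_commands(data):
        if cmd == LC_MAIN:
            entryoff = struct.unpack_from("<Q", raw, 8)[0]
        elif cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", raw, 64)[0]
            for i in range(nsects):
                s = raw[72 + 80 * i:72 + 80 * (i + 1)]  # struct section_64 is 80 bytes
                name = s[16:32].rstrip(b"\0").decode() + "," + s[:16].rstrip(b"\0").decode()
                size, fileoff = struct.unpack_from("<QI", s, 40)
                sections.append((name, fileoff, size))
    if entryoff is None:  # pre-10.8 LC_UNIXTHREAD binaries carry no LC_MAIN; inspect separately
        return {"entryoff": None, "section": None, "suspicious": None}
    home = next((n for n, o, sz in sections if o <= entryoff < o + sz), None)
    return {"entryoff": entryoff, "section": home, "suspicious": home != "__TEXT,__text"}

def build_sample(entryoff):
    """Constructed, non-loadable Mach-O header: a __TEXT segment with __text plus an
    added __cave section, and an LC_MAIN pointing at `entryoff`."""
    def section(sect, seg, addr, size, fileoff):
        return struct.pack("<16s16sQQIIIIIIII", sect, seg, addr, size, fileoff, 4, 0, 0, 0x80000400, 0, 0, 0)
    sects = section(b"__text", b"__TEXT", 0x100001000, 0x100, 0x1000) + \
            section(b"__cave", b"__TEXT", 0x100001200, 0x80, 0x1200)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + len(sects), b"__TEXT",
                      0x100000000, 0x2000, 0, 0x2000, 5, 5, 2, 0) + sects
    main = struct.pack("<IIQQ", LC_MAIN, 24, entryoff, 0)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x100000C, 0, 2, 2, len(seg) + len(main), 0, 0)
    return header + seg + main
```

A real file is checked with check_entry_point(open(path, "rb").read()); a section of None means the entry offset lies outside every mapped section, which deserves the same scrutiny as a hit in an unexpected section.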
Supported Platforms
macOS
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-12-14T16:46:06.044Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '**This technique has been deprecated and should no longer be '
'used.**\n'
'\n'
'As of OS X 10.8, mach-O binaries introduced a new header '
'called LC_MAIN that points to the binary’s entry point for '
'execution. Previously, there were two headers to achieve this '
'same effect: LC_THREAD and LC_UNIXTHREAD (Citation: Prolific '
'OSX Malware History). The entry point for a binary can be '
'hijacked so that initial execution flows to a malicious '
'addition (either another section or a code cave) and then '
'goes back to the initial entry point so that the victim '
'doesn’t know anything was different (Citation: Methods of '
'Mac Malware Persistence). By modifying a binary in this way, '
'application whitelisting can be bypassed because the file '
'name or application path is still the same.',
'external_references': [{'external_id': 'T1149',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1149'},
{'description': 'Bit9 + Carbon Black Threat Research '
'Team. (2015). 2015: The Most '
'Prolific Year in History for OS X '
'Malware. Retrieved July 8, 2017.',
'source_name': 'Prolific OSX Malware History',
'url': 'https://assets.documentcloud.org/documents/2459197/bit9-carbon-black-threat-research-report-2015.pdf'},
{'description': 'Patrick Wardle. (2014, September). '
'Methods of Malware Persistence on '
'Mac OS X. Retrieved July 5, 2017.',
'source_name': 'Methods of Mac Malware Persistence',
'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'}],
'id': 'attack-pattern--a0a189c8-d3bd-4991-bf6f-153d185ee373',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:49:10.098Z',
'name': 'LC_MAIN Hijacking',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': True,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['macOS'],
'x_mitre_version': '2.1'}