MITRE ATT&CK Technique
Persistence T1157
Description

macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence.

A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. (Citation: Writing Bad Malware for OSX) (Citation: Malware Persistence on OS X)

If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level. This can be used by adversaries as a privilege escalation technique.

Supported Platforms
macOS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-12-14T16:46:06.044Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'macOS and OS X use a common method to look for required '
                'dynamic libraries (dylib) to load into a program based on '
                'search paths. Adversaries can take advantage of ambiguous '
                'paths to plant dylibs to gain privilege escalation or '
                'persistence.\n'
                '\n'
                'A common method is to see what dylibs an application uses, '
                'then plant a malicious version with the same name higher up '
                'in the search path. This typically results in the dylib being '
                'in the same folder as the application itself. (Citation: '
                'Writing Bad Malware for OSX) (Citation: Malware Persistence '
                'on OS X)\n'
                '\n'
                'If the program is configured to run at a higher privilege '
                'level than the current user, then when the dylib is loaded '
                'into the application, the dylib will also run at that '
                'elevated level. This can be used by adversaries as a '
                'privilege escalation technique.',
 'external_references': [{'external_id': 'T1157',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1157'},
                         {'external_id': 'CAPEC-471',
                          'source_name': 'capec',
                          'url': 'https://capec.mitre.org/data/definitions/471.html'},
                         {'description': 'Patrick Wardle. (2015). Writing Bad '
                                         '@$$ Malware for OS X. Retrieved July '
                                         '10, 2017.',
                          'source_name': 'Writing Bad Malware for OSX',
                          'url': 'https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf'},
                         {'description': 'Patrick Wardle. (2015). Malware '
                                         'Persistence on OS X Yosemite. '
                                         'Retrieved July 10, 2017.',
                          'source_name': 'Malware Persistence on OS X',
                          'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'}],
 'id': 'attack-pattern--aa8bfbc9-78dc-41a4-a03b-7453e0fdccda',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:49:12.763Z',
 'name': 'Dylib Hijacking',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['macOS'],
 'x_mitre_version': '1.1'}