MITRE ATT&CK Technique
Persistence T1574.004
Description

Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.

Adversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)
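For auditing an application you ship or deploy, the Python code below is an added example (not part of the ATT&CK entry or of the tools it cites). It reads the load commands of a thin 64-bit Mach-O and lists each dylib dependency with its weak-link flag and the ordered locations the loader would try, so each location can be checked for existence and for write permissions. The sample binary, the application path, the library names and the helper names (`audit_macho`, `build_sample`, `_expand`, `_lc`) are constructed for illustration.

```python
import posixpath
import struct
MH_MAGIC_64 = 0xFEEDFACF         # thin 64-bit little-endian Mach-O
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018  # 0x18 | LC_REQ_DYLD
LC_RPATH = 0x8000001C            # 0x1C | LC_REQ_DYLD

def _expand(path, exe_dir):
    # For a main executable both tokens resolve to its own directory.
    for token in ("@executable_path", "@loader_path"):
        if path.startswith(token):
            path = exe_dir + path[len(token):]
    return posixpath.normpath(path)

def audit_macho(data, exe_dir):
    """Return each dylib dependency with its weak flag and ordered search paths."""
    if len(data) < 32 or struct.unpack_from("<I", data)[0] != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    off, deps, rpaths = 32, [], []
    for _ in range(struct.unpack_from("<I", data, 16)[0]):  # ncmds field
        cmd, size = struct.unpack_from("<II", data, off)    # struct.error if cut short
        if size < 8 or off + size > len(data):
            raise ValueError("bad load command size")
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH) and size >= 12:
            str_off = struct.unpack_from("<I", data, off + 8)[0]
            text = data[off + str_off:off + size].split(b"\0")[0].decode("utf-8", "replace")
            if cmd == LC_RPATH:
                rpaths.append(_expand(text, exe_dir))
            else:
                deps.append((text, cmd == LC_LOAD_WEAK_DYLIB))
        off += size
    report = []
    for name, weak in deps:  # rpaths are tried in the order they were declared
        paths = ([posixpath.join(rp, name[7:]) for rp in rpaths]
                 if name.startswith("@rpath/") else [_expand(name, exe_dir)])
        report.append({"name": name, "weak": weak, "search_paths": paths})
    return report

def _lc(cmd, text, fixed):
    body = text.encode() + b"\0"
    body += b"\0" * (-(fixed + len(body)) % 8)  # pad command to 8 bytes
    return struct.pack("<III", cmd, fixed + len(body), fixed) + b"\0" * (fixed - 12) + body

def build_sample():
    # Constructed Mach-O header and load commands only (no segments or code).
    cmds = [_lc(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib", 24),
            _lc(LC_LOAD_WEAK_DYLIB, "@rpath/libOptional.dylib", 24),
            _lc(LC_RPATH, "@executable_path/../Frameworks", 12), _lc(LC_RPATH, "/opt/demo/lib", 12)]
    blob = b"".join(cmds)
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(cmds), len(blob), 0, 0) + blob
```

A weak, @rpath-prefixed entry whose earlier search paths do not contain the library is the condition the description refers to; universal (fat) binaries must be split into their thin slices before being passed to `audit_macho`.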

Supported Platforms
macOS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-03-16T15:23:30.896Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'external_references': [{'external_id': 'T1574.004',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1574/004'},
                         {'description': 'Amanda Rousseau. (2020, April 4). '
                                         'MacOS Dylib Injection Workshop. '
                                         'Retrieved March 29, 2021.',
                          'source_name': 'MalwareUnicorn macOS Dylib Injection '
                                         'MachO',
                          'url': 'https://malwareunicorn.org/workshops/macos_dylib_injection.html#5'},
                         {'description': 'Apple Inc.. (2012, July 7). Run-Path '
                                         'Dependent Libraries. Retrieved March '
                                         '31, 2021.',
                          'source_name': 'Apple Developer Doco Archive '
                                         'Run-Path',
                          'url': 'https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html'},
                         {'description': 'Patrick Wardle. (2015, March 1). '
                                         'Dylib Hijacking on OS X. Retrieved '
                                         'March 29, 2021.',
                          'source_name': 'Wardle Dylib Hijacking OSX 2015',
                          'url': 'https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf'},
                         {'description': 'Patrick Wardle. (2015). Writing Bad '
                                         '@$$ Malware for OS X. Retrieved July '
                                         '10, 2017.',
                          'source_name': 'Writing Bad Malware for OSX',
                          'url': 'https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf'},
                         {'description': 'Patrick Wardle. (2019, July 2). '
                                         'Getting Root with Benign AppStore '
                                         'Apps. Retrieved March 31, 2021.',
                          'source_name': 'Wardle Dylib Hijack Vulnerable Apps',
                          'url': 'https://objective-see.com/blog/blog_0x46.html'},
                         {'description': 'Patrick Wardle. (2020, August 5). '
                                         'The Art of Mac Malware Volume 0x1: '
                                         'Analysis. Retrieved November 17, '
                                         '2024.',
                          'source_name': 'wardle artofmalware volume1',
                          'url': 'https://taomm.org/vol1/read.html'},
                         {'description': 'Wardle, P., Ross, C. (2017, '
                                         'September 21). Empire Project Dylib '
                                         'Hijack Vulnerability Scanner. '
                                         'Retrieved April 1, 2021.',
                          'source_name': 'Github EmpireProject HijackScanner',
                          'url': 'https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py'},
                         {'description': 'Wardle, P., Ross, C. (2018, April '
                                         '8). EmpireProject Create Dylib '
                                         'Hijacker. Retrieved April 1, 2021.',
                          'source_name': 'Github EmpireProject CreateHijacker '
                                         'Dylib',
                          'url': 'https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py'}],
 'id': 'attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:49:39.243Z',
 'name': 'Dylib Hijacking',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['macOS'],
 'x_mitre_version': '2.1'}