Матрица MITRE ATT&CK

Technique on mitre.org

T1546.006: LC_LOAD_DYLIB Addition

Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes.

Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by the execution of tainted binaries.

ID	DS0011	Data source and component	Module: Module Load	Description	Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

ID	DS0022	Data source and component	File: File Metadata	Description	Changes to binaries that do not line up with application updates or patches are also extremely suspicious.

ID	DS0022	Data source and component	File: File Modification	Description	Monitor file systems for changes to application binaries and invalid checksums/signatures.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor processes for those that may be used to modify binary headers.

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by the execution of tainted binaries.
DS0011	Module: Module Load	Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.
DS0022	File: File Metadata	Changes to binaries that do not line up with application updates or patches are also extremely suspicious.
DS0022	File: File Modification	Monitor file systems for changes to application binaries and invalid checksums/signatures.
DS0009	Process: Process Creation	Monitor processes for those that may be used to modify binary headers.

Mitigation

ID	M1047	Name	Audit	Description	Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn't included as part of an update, it should be investigated.

ID	M1038	Name	Execution Prevention	Description	Allow applications via known hashes.

ID	M1045	Name	Code Signing	Description	Enforce that all binaries be signed by the correct Apple Developer IDs.

ID	Name	Description
M1047	Audit	Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn't included as part of an update, it should be investigated.
M1038	Execution Prevention	Allow applications via known hashes.
M1045	Code Signing	Enforce that all binaries be signed by the correct Apple Developer IDs.