Dylib Injection via Process Environment Variables
Detects the use of process environment variables (DYLD_INSERT_LIBRARIES or LD_PRELOAD) to inject a shared library into a binary at or prior to execution. A threat actor may use this technique to load a malicious shared library for persistence, privilege escalation, and defense evasion. This activity is uncommon and typically indicates malicious behavior.
Elastic rule

[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/30"

[rule]
author = ["Elastic"]
description = """
Detects the use of process environment variables (DYLD_INSERT_LIBRARIES or LD_PRELOAD) to inject a shared
library into a binary at or prior to execution. A threat actor may use this technique to load a malicious
shared library for persistence, privilege escalation, and defense evasion. This activity is uncommon and
typically indicates malicious behavior.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Dylib Injection via Process Environment Variables"
references = [
    "https://wojciechregula.blog/post/learn-xpc-exploitation-part-3-code-injections/",
    "https://attack.mitre.org/techniques/T1574/006/"
]
risk_score = 73
rule_id = "fb8790fc-d485-45e2-8d6e-2fb813f4af95"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Dylib Injection via Process Environment Variables

Dynamic library injection using DYLD_INSERT_LIBRARIES or LD_PRELOAD environment variables is a powerful technique that allows code to be loaded into a process's address space at runtime. While this capability exists for legitimate debugging and development purposes, threat actors abuse it to hook application functionality, steal credentials, intercept keystrokes, or execute malicious code within trusted processes. This detection rule identifies processes started with these injection environment variables set to non-empty values.

### Possible investigation steps

- Review the process.env_vars field to identify the specific dylib being injected via DYLD_INSERT_LIBRARIES or LD_PRELOAD and determine its file path.
- Locate the injected dylib file on the file system using the path from the environment variable and calculate its hash for threat intelligence lookups.
- Analyze the process.executable and process.name fields to identify the target application being hijacked and assess whether dylib injection makes sense for its normal operation.
- Examine the process.parent.executable and process.command_line to understand how the process with injection was launched and trace back to the initial execution vector.
- Review the code signature of the injected dylib using codesign or similar tools to determine if it is signed, and by whom.
- Check for file creation events to determine when the malicious dylib was placed on the system and how it was delivered.
- Correlate with other security events on the same host to identify if the injection is part of a larger attack chain, such as credential theft or keylogging.

### False positive analysis

- Xcode and iOS Simulator use DYLD_INSERT_LIBRARIES for debugging and testing purposes during application development. These paths are already excluded in the query.
- Security research and reverse engineering tools may use library injection for analysis. Verify with security teams if such activities are expected.
- Some legitimate applications use library injection for specific functionality. Document these applications and create targeted exceptions after verification.
- Homebrew and development environments may occasionally use these environment variables. Confirm with development teams before creating exclusions.

### Response and remediation

- Immediately terminate the process using malicious dylib injection to stop any ongoing malicious activity such as credential theft or keylogging.
- Quarantine the injected dylib file for forensic analysis and malware reverse engineering.
- Remove the malicious dylib from the system and ensure it cannot be reloaded through persistence mechanisms.
- Investigate how the dylib was placed on the system and remediate the initial access or delivery mechanism.
- Review System Integrity Protection (SIP) status on the affected system, as SIP should normally prevent DYLD injection into protected system processes.
- Scan the system for additional indicators of compromise, persistence mechanisms, or lateral movement.
- Reset any credentials that may have been exposed through the injection, particularly if the target application handles sensitive authentication data.
- Escalate to the incident response team for comprehensive analysis if the injection indicates active compromise.
"""
query = '''
sequence by process.entity_id with maxspan=15s
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
   process.env_vars like ("DYLD_INSERT_LIBRARIES=?*", "LD_PRELOAD=?*") and
   not process.env_vars like ("DYLD_INSERT_LIBRARIES=", "LD_PRELOAD=", "LD_PRELOAD=<null>") and
   not process.executable like ("/Users/*/Library/Developer/Xcode/*", "/Users/*/Library/Developer/CoreSimulator/*") and
   not process.parent.executable like ("/usr/bin/xcrun", "/Applications/Xcode*.app/*", "/Library/Developer/*")]
  [library where host.os.type == "macos" and event.action == "load" and
   not dll.name like ("*.aot", "*.so") and
   not dll.code_signature.trusted == true and
   not dll.path like ("/System/*", "/usr/lib/*", "/opt/homebrew/*", "/private/var/folders/*",
                      "/Library/Apple/*", "/Library/Developer/*",
                      "/Users/*/Library/Developer/Xcode/*", "/Users/*/Library/Developer/CoreSimulator/*")]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Defense Evasion"
  id = "TA0005"
  reference = "https://attack.mitre.org/tactics/TA0005/"

  [[rule.threat.technique]]
  name = "Hijack Execution Flow"
  id = "T1574"
  reference = "https://attack.mitre.org/techniques/T1574/"

    [[rule.threat.technique.subtechnique]]
    name = "Dynamic Linker Hijacking"
    id = "T1574.006"
    reference = "https://attack.mitre.org/techniques/T1574/006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Persistence"
  id = "TA0003"
  reference = "https://attack.mitre.org/tactics/TA0003/"

  [[rule.threat.technique]]
  name = "Hijack Execution Flow"
  id = "T1574"
  reference = "https://attack.mitre.org/techniques/T1574/"

    [[rule.threat.technique.subtechnique]]
    name = "Dynamic Linker Hijacking"
    id = "T1574.006"
    reference = "https://attack.mitre.org/techniques/T1574/006/"
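The two-stage sequence in the query above, re-implemented in Python over constructed events so the env-var match, the Xcode/Simulator exclusions and the 15-second join can be exercised offline. This is an added example, not Elastic's code: the flat event dictionaries and their keys (entity_id, dll_trusted, parent_executable) are assumptions standing in for the ECS fields, and `like` uses fnmatch globbing as a stand-in for EQL's `like`.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAXSPAN = timedelta(seconds=15)  # the query's maxspan=15s
ENV_SET = ("DYLD_INSERT_LIBRARIES=?*", "LD_PRELOAD=?*")
ENV_EMPTY = ("DYLD_INSERT_LIBRARIES=", "LD_PRELOAD=", "LD_PRELOAD=<null>")
EXEC_EXCL = ("/Users/*/Library/Developer/Xcode/*", "/Users/*/Library/Developer/CoreSimulator/*")
PARENT_EXCL = ("/usr/bin/xcrun", "/Applications/Xcode*.app/*", "/Library/Developer/*")
DLL_NAME_EXCL = ("*.aot", "*.so")
DLL_PATH_EXCL = ("/System/*", "/usr/lib/*", "/opt/homebrew/*", "/private/var/folders/*",
                 "/Library/Apple/*", "/Library/Developer/*",
                 "/Users/*/Library/Developer/Xcode/*", "/Users/*/Library/Developer/CoreSimulator/*")

def like(value, patterns):  # EQL `like` stand-in: any case-sensitive glob match wins
    return any(fnmatchcase(value, p) for p in patterns)

def is_injected_exec(ev):
    # Stage 1: exec with a non-empty injection variable, minus the Xcode/Simulator exclusions.
    env = ev.get("env_vars", [])
    return (ev["category"] == "process" and ev["action"] == "exec"
            and any(like(v, ENV_SET) for v in env) and not any(like(v, ENV_EMPTY) for v in env)
            and not like(ev["executable"], EXEC_EXCL) and not like(ev["parent_executable"], PARENT_EXCL))

def is_untrusted_load(ev):
    # Stage 2: a library load that is neither trusted-signed nor from an excluded location.
    return (ev["category"] == "library" and ev["action"] == "load"
            and not like(ev["dll_name"], DLL_NAME_EXCL) and ev.get("dll_trusted") is not True
            and not like(ev["dll_path"], DLL_PATH_EXCL))

def find_sequences(events):
    # Pair each qualifying exec with the first qualifying load of the same process.entity_id within maxspan.
    hits = []
    for start in (e for e in events if is_injected_exec(e)):
        for load in sorted(filter(is_untrusted_load, events), key=lambda e: e["ts"]):
            if load["entity_id"] == start["entity_id"] and timedelta(0) <= load["ts"] - start["ts"] <= MAXSPAN:
                hits.append((start["entity_id"], load["dll_path"]))
                break
    return hits

# Constructed sample events from one macOS host (not real telemetry): p1 should alert, p2 is xcrun-launched.
T0 = datetime(2026, 1, 30, 12, 0, 0)
SAMPLE_EVENTS = [
    {"category": "process", "action": "exec", "entity_id": "p1", "ts": T0, "executable": "/usr/bin/python3",
     "parent_executable": "/bin/zsh", "env_vars": ["DYLD_INSERT_LIBRARIES=/tmp/inject.dylib", "HOME=/Users/alice"]},
    {"category": "library", "action": "load", "entity_id": "p1", "ts": T0 + timedelta(seconds=2),
     "dll_name": "inject.dylib", "dll_path": "/tmp/inject.dylib", "dll_trusted": False},
    {"category": "process", "action": "exec", "entity_id": "p2", "ts": T0, "executable": "/usr/bin/python3",
     "parent_executable": "/usr/bin/xcrun", "env_vars": ["DYLD_INSERT_LIBRARIES=/tmp/dev.dylib"]},
    {"category": "library", "action": "load", "entity_id": "p2", "ts": T0 + timedelta(seconds=1),
     "dll_name": "dev.dylib", "dll_path": "/tmp/dev.dylib", "dll_trusted": False},
]
```

Running find_sequences(SAMPLE_EVENTS) yields only the p1 pair; a load that arrives after the 15-second window, or an exec launched by the excluded parents, is dropped exactly as the EQL rule would drop it.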