Posted by admin, 2024-04-15 01:39:51


Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies [1]. There are tools available to perform these changes. Any changes will invalidate digital signatures on binaries because the binary is being modified. Adversaries can remediate this issue by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.


ID: T1161

Tactic: Persistence

Platform: macOS

Permissions Required: User

Data Sources: Binary file metadata, Process monitoring, Process command-line parameters, File monitoring


| Mitigation | Description |
| --- | --- |
| Audit (M1047) | Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn’t included as part of an update, it should be investigated. |
| Code Signing (M1045) | Enforce that all binaries be signed by the correct Apple Developer IDs. |
| Execution Prevention (M1038) | Whitelist applications via known hashes. |



Monitor processes for those that may be used to modify binary headers. Monitor file systems for changes to application binaries and invalid checksums/signatures. Changes to binaries that do not line up with application updates or patches are also extremely suspicious.
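The baselining and signature checks described above, as an added example that is not part of the ATT&CK entry: a standard-library Python parser that walks the load commands of a 64-bit little-endian Mach-O image, lists its LC_LOAD_DYLIB dependencies, reports whether LC_CODE_SIGNATURE is present, and compares the result against a recorded baseline. The two sample images are constructed inline (header and load commands only); the dylib paths, offsets and baseline are made-up values, and FAT and 32-bit images are out of scope.

```python
import struct
MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O magic
LC_LOAD_DYLIB = 0x0C
LC_CODE_SIGNATURE = 0x1D
HEADER_64_LEN = 32                # sizeof(struct mach_header_64)

def load_commands(data):
    """Yield (cmd, raw_command_bytes) for each load command of a 64-bit Mach-O image."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (FAT/32-bit images not handled)")
    off, end = HEADER_64_LEN, HEADER_64_LEN + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:          # refuse to walk past sizeofcmds
            raise ValueError("malformed load command at offset %d" % off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def dylib_dependencies(data):
    """Paths of every LC_LOAD_DYLIB entry, in header order."""
    names = []
    for cmd, raw in load_commands(data):
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", raw, 8)[0]   # dylib.name.offset, relative to the command
            names.append(raw[name_off:].split(b"\0", 1)[0].decode())
    return names

def has_code_signature(data):
    return any(cmd == LC_CODE_SIGNATURE for cmd, _ in load_commands(data))

def audit(data, baseline_dylibs):
    """Findings a file-integrity check would raise for this image against its baseline."""
    findings = ["new LC_LOAD_DYLIB: " + n for n in dylib_dependencies(data) if n not in baseline_dylibs]
    if not has_code_signature(data):
        findings.append("LC_CODE_SIGNATURE missing: signature will not be checked at load")
    return findings

# Constructed sample images (header + load commands only, not real executables).
def _dylib_cmd(path):
    body = path.encode() + b"\0"
    body += b"\0" * (-(24 + len(body)) % 8)          # cmdsize must be 8-byte aligned
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(body), 24, 2, 0x10000, 0x10000) + body

def _macho(cmds):
    blob = b"".join(cmds)      # cputype 0x0100000C = ARM64, filetype 2 = MH_EXECUTE (constructed values)
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(cmds), len(blob), 0, 0) + blob

SIG_CMD = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x4000, 0x200)   # linkedit_data_command
BASELINE = ["/usr/lib/libSystem.B.dylib"]
CLEAN = _macho([_dylib_cmd(BASELINE[0]), SIG_CMD])
TAMPERED = _macho([_dylib_cmd(BASELINE[0]), _dylib_cmd("/tmp/added.dylib")])  # extra dylib, signature stripped
```

Running `audit(TAMPERED, BASELINE)` yields one finding per unexpected dylib plus one for the missing signature command, which is the shape of alert a baseline-driven file monitor would emit for the changes described above.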

- Translators: 林妙倩, 戴亦仑
