MAC-DYLIB-HIJACKPrivilege Escalation

Dylib Hijack

Application loads a dylib by relative path / weak rpath — drop a malicious dylib earlier in the search order, runs in the app's signed context.

§ Where this technique fits

MAC-DYLIB-HIJACK is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

TCC bypass → access Photos / Camera without consent
Inject into a process that already has Full Disk Access (e.g. backup utility, Terminal). Inherited TCC entitlement lets the attacker code read TCC-gated data — Photos, iMessage DB, Documents.
step 3 / 5

§ What commonly comes next

01
TCC Bypass
MAC-TCC-BYPASS · Defense Evasion
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

TCC bypass → access Photos / Camera without consent

§ What commonly comes next