tclsh

tclsh is a shell-like utility that runs Tcl from standard input or a file. It holds the "com.apple.security.cs.disable-library-validation" entitlement, so it can load arbitrary plug-ins, frameworks, and libraries without requiring signed code.

Author: Brendan Chamberlain (@infosecB)
Created: 2023-05-17

Paths

/usr/bin/tclsh

Example Use Cases

Execute malicious dynamic library (.dylib) from standard input

An attacker can execute a malicious .dylib from stdin by echoing a load command and piping it to tclsh. Because tclsh has library validation disabled, this bypasses code signing requirements.

echo "load bad.dylib" | tclsh
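
One way to hunt for this use case, as an added example that is not part of the original entry: because the entitlement means the load itself is not blocked, the check correlates tclsh executions with the libraries they map and flags any that are not Apple-signed. The JSON-lines schema and its field names (type, stdin, apple_signed) are assumptions, and the sample events are constructed.

```python
import json

TCLSH = "/usr/bin/tclsh"

# Constructed sample telemetry in a hypothetical JSON-lines schema (field names
# are assumptions; map them to what your endpoint sensor actually emits).
SAMPLE_EVENTS = """\
{"type":"exec","pid":501,"path":"/usr/bin/tclsh","args":["tclsh"],"stdin":"pipe"}
{"type":"mmap","pid":501,"file":"/usr/lib/libSystem.B.dylib","apple_signed":true}
{"type":"mmap","pid":501,"file":"/private/tmp/bad.dylib","apple_signed":false}
{"type":"exec","pid":610,"path":"/usr/bin/tclsh","args":["tclsh","build.tcl"],"stdin":"tty"}
{"type":"mmap","pid":610,"file":"/opt/example/libext.dylib","apple_signed":false}
{"type":"exec","pid":700,"path":"/bin/zsh","args":["zsh"],"stdin":"tty"}
{"type":"mmap","pid":700,"file":"/Users/dev/lib/libfoo.dylib","apple_signed":false}
"""


def find_untrusted_tclsh_loads(lines):
    """Return one finding per non-Apple-signed library mapped by a tclsh process."""
    tclsh_procs = {}  # pid -> exec event of a live tclsh image
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "exec":
            # A pid that execs something else is no longer tclsh.
            if ev["path"] == TCLSH:
                tclsh_procs[ev["pid"]] = ev
            else:
                tclsh_procs.pop(ev["pid"], None)
        elif ev["type"] == "mmap" and ev["pid"] in tclsh_procs:
            if ev.get("apple_signed"):
                continue
            proc = tclsh_procs[ev["pid"]]
            # No script argument plus piped stdin matches `echo "load ..." | tclsh`.
            piped_cmd = proc.get("stdin") == "pipe" and len(proc["args"]) == 1
            findings.append({
                "pid": ev["pid"],
                "library": ev["file"],
                "severity": "high" if piped_cmd else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_untrusted_tclsh_loads(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Third-party Tcl extensions loaded by a script will surface as medium findings, so baseline those paths before alerting on them.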

Detections

Resources

Acknowledgements

  • Leo Pitt (@_D00mfist)