Payload Decoded and Decrypted via Built-in Utilities
Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
Sigma rule

title: Payload Decoded and Decrypted via Built-in Utilities
id: 234dc5df-40b5-49d1-bf53-0d44ce778eca
status: test
description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
references:
  - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
  - attack.t1059
  - attack.t1204
  - attack.execution
  - attack.t1140
  - attack.defense-evasion
  - attack.s0482
  - attack.s0402
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    Image|endswith: '/openssl'
    CommandLine|contains|all:
      - '/Volumes/'
      - 'enc'
      - '-base64'
      - ' -d '
  condition: selection
falsepositives:
  - Unknown
level: medium
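To see exactly what the selection above does and does not fire on, here is an added example (not part of the SigmaHQ rule or the Elastic reference) that implements the two modifier forms this rule uses, `Image|endswith` and `CommandLine|contains|all`, and runs them over constructed macOS process_creation events. The event dicts, paths and user name are made up for the example; Sigma string matching is case-insensitive by default, so the matcher lower-cases both sides.

```python
"""Evaluate the rule's selection against constructed process_creation events.

Added example, not the rule's own code. It supports only the modifier chains
that appear in this rule (endswith, contains|all); anything else raises.
"""

# The selection block of the rule, transcribed as a Python dict.
RULE_SELECTION = {
    "Image|endswith": "/openssl",
    "CommandLine|contains|all": ["/Volumes/", "enc", "-base64", " -d "],
}


def _field_matches(event, key, expected):
    """Apply one Sigma field/modifier pair to an event (case-insensitive)."""
    field, *modifiers = key.split("|")
    value = str(event.get(field, "")).lower()
    if modifiers == ["endswith"]:
        return value.endswith(str(expected).lower())
    if modifiers == ["contains", "all"]:
        # contains|all: every listed substring must occur somewhere in the value
        return all(str(needle).lower() in value for needle in expected)
    raise ValueError(f"unsupported modifier chain: {key}")


def matches_rule(event, selection=RULE_SELECTION):
    """A Sigma selection map is AND-joined: every field must match."""
    return all(_field_matches(event, key, expected)
               for key, expected in selection.items())


# Constructed sample events shaped like Sigma process_creation fields.
SAMPLE_EVENTS = [
    {   # true positive: decode + decrypt a file from a mounted DMG (/Volumes/)
        "Image": "/usr/bin/openssl",
        "CommandLine": "openssl enc -base64 -d -aes-256-cbc "
                       "-in /Volumes/Install/.payload -out /tmp/out",
        "User": "jdoe",
    },
    {   # benign: same decode, but the input is not under /Volumes/
        "Image": "/usr/bin/openssl",
        "CommandLine": "openssl enc -base64 -d -in /Users/jdoe/cert.b64",
    },
    {   # benign: encrypting (no ' -d ') a file that happens to live on a DMG
        "Image": "/usr/bin/openssl",
        "CommandLine": "openssl enc -base64 -aes-256-cbc -in /Volumes/Backup/notes.txt",
    },
    {   # a different built-in decoder: Image does not end with /openssl
        "Image": "/usr/bin/base64",
        "CommandLine": "base64 -d /Volumes/Install/.payload",
    },
]


def run_detection(events=SAMPLE_EVENTS):
    """Return the indexes of the events that satisfy the rule's selection."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in run_detection():
        print(f"event {i} matched: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Only the first sample fires; the second lacks `/Volumes/`, the third lacks the padded ` -d ` token, and the fourth is `base64` rather than `openssl`, which is worth keeping in mind when tuning: the rule keys on the `openssl` binary specifically, `'enc'` is matched as a bare substring (so it also matches inside any path or flag that contains those letters), and `' -d '` with surrounding spaces will not match a `-d` that is the last token of the command line.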