Payload Decoded and Decrypted via Built-in Utilities

calendar Oct 17, 2023 · attack.t1059 attack.t1204 attack.execution attack.t1140 attack.defense_evasion attack.s0482 attack.s0402  ·
Share on: linkedin copy

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.

Sigma rule (View on GitHub)

 1title: Payload Decoded and Decrypted via Built-in Utilities
 2id: 234dc5df-40b5-49d1-bf53-0d44ce778eca
 3status: test
 4description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
 5references:
 6    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
 7author: Tim Rauch (rule), Elastic (idea)
 8date: 2022/10/17
 9tags:
10    - attack.t1059
11    - attack.t1204
12    - attack.execution
13    - attack.t1140
14    - attack.defense_evasion
15    - attack.s0482
16    - attack.s0402
17logsource:
18    category: process_creation
19    product: macos
20detection:
21    selection:
22        Image|endswith: '/openssl'
23        CommandLine|contains|all:
24            - '/Volumes/'
25            - 'enc'
26            - '-base64'
27            - ' -d '
28    condition: selection
29falsepositives:
30    - Unknown
31level: medium

References

Related rules

to-top