Payload Decoded and Decrypted via Built-in Utilities

title: Payload Decoded and Decrypted via Built-in Utilities
id: e70fe896-c863-4b1b-ba1a-aa3e240c9e60
status: experimental
description: |
    Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. 
    Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. 
    This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
author: Tim Rauch (rule), Elastic (idea), avrgsec (modification)
modified: 2025-10-29 - Chris S (@avrgsec_) - Added more locations to increase coverage and detect potential customisation of execution locations.
date: "2025-11-05"
tags:
    - attack.t1059
    - attack.t1204
    - attack.execution
    - attack.t1140
    - attack.defense-evasion
    - attack.s0482
    - attack.s0402
logsource:
    category: process_creation
    product: macos
    
detection:
    selection_base:
        Image|endswith: '/openssl'
        CommandLine|contains|all:
            - 'enc'
            - '-base64'
            - ' -d '
    selection_paths:
        CommandLine|contains:
            - '/Volumes/'
            - '/tmp/'
            - '/Downloads/'
            - '/Applications/'
    condition: selection_base and selection_paths
falsepositives:
    - Legitimate developer or administrative activity involving openSSL to decode files from the specified locations
level: medium