The hypothesis is that this rule surfaces the Shlayer dropper's decryption stage: the installer invokes the system openssl binary with -base64, -nosalt, an -aes256/-aes-256 cipher and an -out path to decode and decrypt its second-stage payload before executing it. That command line is rarely typed by hand on a Mac, so a hit is a strong indicator that the adware is installing, and that the user's search traffic is about to be hijacked for ad revenue. SOC teams should hunt for it proactively in Microsoft Sentinel (formerly Azure Sentinel) so adware campaigns can be contained before they degrade user privacy and network integrity.
KQL Query

```kusto
// Find use of the Shlayer OpenSSL command to decode and decrypt a payload
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "openssl"
    and ProcessCommandLine has "-base64"
    and ProcessCommandLine has "-out"
    and ProcessCommandLine has "-nosalt"
    and ProcessCommandLine has_any("-aes256", "-aes-256")
```
```yaml
id: d405146b-47a7-4bcf-b2c5-ccf8a2db9a1d
name: locate-shlayer-payload-decryption-activity
description: |
  This query was originally published in the threat analytics report, OSX/Shlayer sustains adware push.
  Shlayer is adware that spies on users' search terms, and redirects network traffic to serve the user attacker-controlled search results containing ads.
  The following query locates activity associated with the Shlayer payload decrypter.
  Reference - https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  // Find use of the Shlayer OpenSSL command to decode and decrypt a payload
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName =~ "openssl"
      and ProcessCommandLine has "-base64"
      and ProcessCommandLine has "-out"
      and ProcessCommandLine has "-nosalt"
      and ProcessCommandLine has_any("-aes256", "-aes-256")
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the Microsoft 365 Defender (MicrosoftThreatProtection) data connector is enabled and forwarding this table |
Scenario: Scheduled Job Decrypting Configuration Files
Description: A scheduled job (cron, launchd) runs a script that decrypts configuration files with openssl enc -d as part of a routine maintenance task. If the script also passes -base64 and -nosalt with an AES-256 cipher, the rule fires.
Filter/Exclusion: Exclude hits where the initiating process is the scheduler and the -out path is within a known configuration directory (e.g., /etc, /var/lib). Jobs that use gpg instead of openssl never match this rule, because it filters on FileName =~ "openssl", so they need no exclusion.
Scenarios that cannot trigger this rule: the query only returns openssl processes whose command line carries -base64, -out, -nosalt and an -aes256/-aes-256 cipher. Routine use of strings on a known safe binary (e.g., /usr/bin/launchd, /bin/sh), an analyst running strings over a malware sample in a sandbox (e.g., /tmp/malware_sample), or a log rotation script driving tar or gzip under /var/log therefore never matches it, and no exclusion is needed for them.
Scenario: Admin Task Using openssl to Decrypt Encrypted Backups
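To make the rule's predicate and the exclusions above concrete, here is an added Python re-implementation of the query's `where` clauses together with the two openssl-relevant filters, run over constructed DeviceProcessEvents-style rows. This is example code written for this page, not part of the Sentinel rule or of any Microsoft content. Row 0 is constructed to carry the flag set the rule targets and is not a captured Shlayer command line; the `kql_has` term matching is an approximation of KQL `has` semantics, and the scheduler names and directory lists are hypothetical tuning values.

```python
"""Offline model of the Shlayer openssl hunting rule plus its false-positive filters.
Added example, not the Sentinel rule itself; all event rows below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed DeviceProcessEvents-like rows (not real telemetry).
# Row 0 carries the flag set the rule targets; rows 1-4 are benign or partial matches.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"DeviceName": "mac-01", "InitiatingProcessFileName": "bash", "FileName": "openssl",
     "ProcessCommandLine": "openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:3e1 "
                           "-in /tmp/.tmp/q -out /tmp/.tmp/Player.app"},
    {"DeviceName": "build-02", "InitiatingProcessFileName": "cron", "FileName": "openssl",
     "ProcessCommandLine": "openssl enc -d -aes256 -base64 -nosalt -in /etc/app/secrets.enc "
                           "-out /etc/app/secrets.yaml -pass env:APP_KEY"},
    {"DeviceName": "mac-03", "InitiatingProcessFileName": "zsh", "FileName": "openssl",
     "ProcessCommandLine": "openssl x509 -in server.pem -noout -text"},
    {"DeviceName": "mac-04", "InitiatingProcessFileName": "sh", "FileName": "OpenSSL",
     "ProcessCommandLine": "OpenSSL enc -BASE64 -d -AES256 -nosalt -out /Users/u/Library/.x "
                           "-in /Users/u/Library/.y -k k"},
    {"DeviceName": "mac-05", "InitiatingProcessFileName": "bash", "FileName": "openssl",
     "ProcessCommandLine": "openssl enc -d -aes-256-cbc -in backup.enc -out backup.tar -pass file:/root/key"},
]

_TERM = re.compile(r"[A-Za-z0-9_]+")


def _terms(s: str) -> List[str]:
    """Approximation of KQL term splitting: maximal alphanumeric runs, case-folded."""
    return [t.lower() for t in _TERM.findall(s)]


def kql_has(haystack: str, needle: str) -> bool:
    """Approximates KQL `has`: the needle's terms must appear as a contiguous run of whole
    terms in the haystack. So '-aes-256' matches '-aes-256-cbc', while '-aes256' does not
    match '-aes-256' (assumption about how KQL treats a multi-term needle)."""
    h, n = _terms(haystack), _terms(needle)
    if not n:
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def matches_rule(ev: Dict[str, str]) -> bool:
    """Same predicate as the hunting query's where clauses (the ago(7d) bound is omitted)."""
    cmd = ev["ProcessCommandLine"]
    return (ev["FileName"].lower() == "openssl"          # FileName =~ "openssl"
            and kql_has(cmd, "-base64")
            and kql_has(cmd, "-out")
            and kql_has(cmd, "-nosalt")
            and (kql_has(cmd, "-aes256") or kql_has(cmd, "-aes-256")))   # has_any(...)


def out_path(cmd: str) -> Optional[str]:
    """Return the argument that follows -out, if present."""
    parts = cmd.split()
    for i, p in enumerate(parts[:-1]):
        if p == "-out":
            return parts[i + 1]
    return None


# Hypothetical tuning values for the benign scenarios; adjust per estate.
SCHEDULER_PARENTS = {"cron", "launchd", "periodic"}
CONFIG_DIRS = ("/etc/", "/var/lib/")
BACKUP_DIRS = ("/var/backups/", "/srv/backups/")


def exclusion_reason(ev: Dict[str, str]) -> Optional[str]:
    """Apply the two openssl-relevant benign scenarios; None means keep the hit."""
    out = out_path(ev["ProcessCommandLine"]) or ""
    parent = ev.get("InitiatingProcessFileName", "").lower()
    if parent in SCHEDULER_PARENTS and out.startswith(CONFIG_DIRS):
        return "scheduled config decryption"
    if out.startswith(BACKUP_DIRS):
        return "admin backup decryption"
    return None


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Verdict per event: 'alert', 'excluded: <reason>' or 'no match'."""
    results = []
    for i, ev in enumerate(events):
        if not matches_rule(ev):
            results.append((i, "no match"))
        else:
            why = exclusion_reason(ev)
            results.append((i, f"excluded: {why}" if why else "alert"))
    return results


if __name__ == "__main__":
    for i, verdict in hunt(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["DeviceName"], verdict)
```

Row 3 shows why the rule uses `=~` and `has` rather than exact, case-sensitive matching: a mixed-case binary name and upper-cased flags still hit. Row 4 shows the opposite edge: an AES-256 decrypt that omits -base64 and -nosalt is outside the rule's scope, so exclusions only ever need to reason about openssl invocations that carry all four flag groups.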