The hypothesis is that the detection identifies potential Shlayer adware payload decryption activity, which is a sign of an adversary attempting to execute malicious code and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate adware campaigns that can compromise user data and network integrity.
KQL Query
// Find use of the Shlayer OpenSSL command to decode and decrypt a payload
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "openssl"
    and ProcessCommandLine has "-base64"
    and ProcessCommandLine has "-out"
    and ProcessCommandLine has "-nosalt"
    and ProcessCommandLine has_any ("-aes256", "-aes-256")
id: 7abb6bbb-cb2b-4702-a96d-8d53b7a8e054
name: locate-shlayer-payload-decrytion-activity
description: |
  This query was originally published in the threat analytics report, OSX/Shlayer sustains adware push.
  Shlayer is adware that spies on users' search terms, and redirects network traffic to serve the user attacker-controlled search results containing ads.
  The following query locates activity associated with the Shlayer payload decrypter.
  Reference - https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  // Find use of the Shlayer OpenSSL command to decode and decrypt a payload
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName =~ "openssl"
      and ProcessCommandLine has "-base64"
      and ProcessCommandLine has "-out"
      and ProcessCommandLine has "-nosalt"
      and ProcessCommandLine has_any ("-aes256", "-aes-256")
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
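To make the query's clause-by-clause behaviour concrete, here is an added Python re-implementation of its matching logic run over constructed DeviceProcessEvents-style rows, together with one tuning exclusion taken from the "scheduled job decrypting configuration files" scenario listed below. This is example code written for this page, not the Sentinel repository's own code; the `has` emulation, the pinned clock, and every hostname, timestamp and path in the sample rows are assumptions.

```python
"""
Added example (not code from the original page or from the Azure Sentinel
query repository): a Python re-implementation of the hunting query's matching
logic so its behaviour can be exercised offline, plus one tuning exclusion
taken from the page's "scheduled job decrypting configuration files" scenario.
The `has` emulation, the sample rows, hostnames and paths are all assumptions.
"""
import re
import shlex
from datetime import datetime, timedelta, timezone

# Pinned "now" so that the ago(7d) window is reproducible (assumption).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed DeviceProcessEvents-style rows; none are real telemetry.
SAMPLE_EVENTS = [
    {"DeviceName": "mac-01", "Timestamp": NOW - timedelta(hours=2), "FileName": "openssl",
     "ProcessCommandLine": "openssl enc -base64 -d -aes-256-cbc -nosalt -out /tmp/.x -pass pass:abc"},
    {"DeviceName": "mac-02", "Timestamp": NOW - timedelta(days=9), "FileName": "openssl",
     "ProcessCommandLine": "openssl enc -d -aes256 -base64 -nosalt -out /tmp/y"},  # outside 7d window
    {"DeviceName": "mac-03", "Timestamp": NOW - timedelta(hours=1), "FileName": "OpenSSL",
     "ProcessCommandLine": "OpenSSL enc -d -aes256 -nosalt -base64 -out /Users/u/.p"},  # =~ ignores case
    {"DeviceName": "srv-01", "Timestamp": NOW - timedelta(minutes=30), "FileName": "openssl",
     "ProcessCommandLine": "openssl enc -d -aes-256-cbc -nosalt -base64 "
                           "-in /etc/nginx/nginx.conf.enc -out /etc/nginx/nginx.conf"},  # cron job, benign
    {"DeviceName": "mac-04", "Timestamp": NOW - timedelta(hours=3), "FileName": "openssl",
     "ProcessCommandLine": "openssl enc -d -aes-256-cbc -base64 -in /tmp/b -out /tmp/a"},  # no -nosalt
    {"DeviceName": "mac-05", "Timestamp": NOW - timedelta(hours=1), "FileName": "curl",
     "ProcessCommandLine": "curl -sL -o /tmp/x"},  # not openssl
]

TERM_RE = re.compile(r"[A-Za-z0-9]+")


def terms(text):
    """Approximates Kusto term extraction: lowercased runs of alphanumerics.
    Punctuation such as the leading '-' of a flag is not part of a term."""
    return [t.lower() for t in TERM_RE.findall(text)]


def has_term(haystack, needle):
    """Emulates KQL `has`: the needle's term sequence occurs as a contiguous
    run of whole terms in the haystack (case-insensitive). Approximation only."""
    h, n = terms(haystack), terms(needle)
    if not n:
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def has_any(haystack, needles):
    """Emulates KQL `has_any`: true if any needle satisfies has_term."""
    return any(has_term(haystack, n) for n in needles)


def matches_query(event, now=NOW, window=timedelta(days=7)):
    """The page's query, clause by clause, applied to one row."""
    if not event["Timestamp"] > now - window:          # Timestamp > ago(7d)
        return False
    if event["FileName"].lower() != "openssl":          # FileName =~ "openssl"
        return False
    cl = event["ProcessCommandLine"]
    return (has_term(cl, "-base64") and has_term(cl, "-out")
            and has_term(cl, "-nosalt")
            and has_any(cl, ("-aes256", "-aes-256")))


# Tuning: allow-list of configuration targets named in the page's scenario.
KNOWN_CONFIG_FILES = {"/etc/nginx/nginx.conf", "/etc/postgresql/12/main/postgresql.conf"}


def out_path(cmdline):
    """Returns the argument following -out, or None if absent or unparseable."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    for i in range(len(argv) - 1):
        if argv[i] == "-out":
            return argv[i + 1]
    return None


def is_known_config_decrypt(event):
    """Exclusion for the scheduled-job scenario: output file is a listed config."""
    return out_path(event["ProcessCommandLine"]) in KNOWN_CONFIG_FILES


def hunt(events, now=NOW, exclusions=()):
    """Rows matching the query, minus any row that an exclusion accepts."""
    return [e for e in events
            if matches_query(e, now) and not any(ex(e) for ex in exclusions)]


if __name__ == "__main__":
    for label, exs in (("raw", ()), ("tuned", (is_known_config_decrypt,))):
        hits = hunt(SAMPLE_EVENTS, exclusions=exs)
        print(f"{label}: {[e['DeviceName'] for e in hits]}")
```

Running it shows the raw query flagging three rows (two in user-writable locations plus the nginx cron job) and the tuned pass dropping the cron job because its `-out` target is on the allow-list. Two design points carry over to the real query: exclusions are keyed on the parsed output path rather than on a substring, so a payload written to `/tmp` cannot hide behind a config file name appearing elsewhere on the command line; and because `has` in this emulation matches on whole alphanumeric terms, the hyphen of a flag carries no weight, so a token such as a path ending in `/out` would also satisfy `has "-out"`. Verify that assumption against your tenant before relying on it for tuning.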
Scenario: System Maintenance Task Using strings on a Known Safe Binary
Description: An admin is using the strings command to analyze a legitimate system binary (e.g., /usr/bin/launchd) for debugging or security assessment.
Filter/Exclusion: Exclude processes where the command line includes strings and the target file is a known system binary (e.g., /usr/bin/launchd, /bin/sh, /sbin/kextload).
Scenario: Scheduled Job Decrypting Configuration Files
Description: A scheduled job (e.g., via crontab or launchd) is decrypting configuration files for a legitimate service (e.g., nginx, postgresql) using a known encryption tool like openssl.
Filter/Exclusion: Exclude processes where the command line includes openssl and the target file is a known configuration file (e.g., /etc/nginx/nginx.conf, /etc/postgresql/12/main/postgresql.conf).
Scenario: Admin Using strings to Analyze a Malware Sample
Description: A security analyst is using the strings command to analyze a malware sample (e.g., a suspicious .dmg or .pkg) as part of an investigation.
Filter/Exclusion: Exclude processes where the command line includes strings and the file path is a known malware sample or analysis artifact (e.g., /tmp/malware.dmg, /var/tmp/suspicious.pkg).
Scenario: Log Analysis Tool Decrypting Logs
Description: A log analysis tool (e.g., logrotate, rsyslog, or Splunk) is decrypting logs using a known encryption method (e.g., AES) for compliance or audit purposes.
Filter/Exclusion: Exclude processes where the command line includes decryption tools (