Mac OS Click Fix Attack With Base64 Encrypted Curl Command
Query
let WhitelistedCurlCLI = "curl -fI https://download.mozilla.org/";
let base64_events = DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessParentFileName in ("bash","zsh")
| where ProcessCommandLine contains "base64"
| project Timestamp_base64 = Timestamp, DeviceName, AccountName, CommandLine_base64 = ProcessCommandLine;
let curl_events = DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine contains "curl"
| where not(ProcessCommandLine has_any (WhitelistedCurlCLI))
| project Timestamp_curl = Timestamp, DeviceName, AccountName, CommandLine_curl = ProcessCommandLine;
base64_events
| join kind=inner (curl_events) on DeviceName, AccountName
| where Timestamp_curl > Timestamp_base64 and Timestamp_curl <= Timestamp_base64 + 10s
| project Timestamp_base64, Timestamp_curl, TimeDiff = Timestamp_curl - Timestamp_base64, DeviceName, AccountName, CommandLine_base64, CommandLine_curl
| extend Domain = extract(@"https?://([^/]+)", 1, CommandLine_curl)
| extend CurlUrl = extract(@"https?://[^\s]+", 0, CommandLine_curl)
| sort by Timestamp_base64 desc
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType == "ConnectionSuccess"
| project Timestamp = Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, ActionType, ReportId, DeviceId
) on DeviceName
| where RemoteUrl contains Domain
| where Timestamp >= Timestamp_curl
| where Timestamp_curl > Timestamp_base64About this query
macOS ClickFix Attack with Base64 encrypted curl Command
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1059.004 | Unix Shell | https://attack.mitre.org/techniques/T1059/004/ |
Description
This rule detects a sequence of events indicative of a potential macOS ClickFix attack. It looks for a base64 encoded command executed by 'bash' or 'zsh', immediately followed (within 10 seconds) by a 'curl' command that initiates a network connection to a URL. The rule specifically excludes a whitelisted curl command to reduce false positives. The correlation of base64 execution, a subsequent curl command, and a successful network connection to the domain extracted from the curl command suggests an attempt to download and execute malicious content, possibly after decoding it.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This query is designed to detect a specific type of attack on macOS systems, known as the ClickFix attack. Here's a simplified breakdown of what the query does:
-
Purpose: The query aims to identify suspicious activity that might indicate a macOS ClickFix attack. This involves looking for a sequence of commands that suggest malicious behavior.
-
Detection Criteria:
- It searches for commands executed by the
bashorzshshells that include the use ofbase64. This is often used to encode or decode data. - It then looks for a
curlcommand executed shortly after (within 10 seconds) thebase64command.curlis a tool used to transfer data from or to a server, and in this context, it might be used to download malicious content. - The query excludes a specific
curlcommand that is known to be safe (whitelisted) to reduce false alarms.
- It searches for commands executed by the
-
Correlation:
- The query correlates the
base64andcurlevents by matching them based on the device and user account, ensuring they are part of the same sequence of actions. - It checks if the
curlcommand successfully connects to a network domain, which could indicate that the downloaded content is being executed.
- The query correlates the
-
Output:
- The query provides details such as the timestamps of the
base64andcurlcommands, the time difference between them, the device and account involved, and the domain accessed by thecurlcommand. - It also checks network events to confirm if the connection to the domain was successful.
- The query provides details such as the timestamps of the
In summary, this query is a security measure to detect potential malicious activity on macOS systems by identifying a pattern of encoded command execution followed by a network connection attempt, which could indicate an attempt to download and execute harmful content.
