# *macOS ClickFix Attack with Base64 encoded curl Command*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1059.004 | Unix Shell | https://attack.mitre.org/techniques/T1059/004/ |
#### Description
This rule detects a sequence of events indicative of a potential macOS ClickFix attack. It looks for a base64 encoded command executed by 'bash' or 'zsh', immediately followed (within 10 seconds) by a 'curl' command that initiates a network connection to a URL. The rule specifically excludes a whitelisted curl command to reduce false positives. The correlation of base64 execution, a subsequent curl command, and a successful network connection to the domain extracted from the curl command suggests an attempt to download and execute malicious content, possibly after decoding it.
#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**
#### References
- https://www.forcepoint.com/blog/x-labs/odyssey-stealer-attacks-macos-users
## Defender XDR
```KQL
// Known-good curl invocation to exclude (reduces false positives).
let WhitelistedCurlCLI = "curl -fI https://download.mozilla.org/";
// Step 1: base64 usage in a process whose parent chain runs through bash or zsh.
let base64_events = DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessParentFileName in ("bash", "zsh")
| where ProcessCommandLine contains "base64"
| project Timestamp_base64 = Timestamp, DeviceName, AccountName, CommandLine_base64 = ProcessCommandLine;
// Step 2: curl invocations, minus the whitelisted one.
let curl_events = DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine contains "curl"
| where not(ProcessCommandLine has_any (WhitelistedCurlCLI))
| project Timestamp_curl = Timestamp, DeviceName, AccountName, CommandLine_curl = ProcessCommandLine;
// Step 3: pair base64 and curl on the same device and account, curl at most 10 s after base64.
base64_events
| join kind=inner (curl_events) on DeviceName, AccountName
| where Timestamp_curl > Timestamp_base64 and Timestamp_curl <= Timestamp_base64 + 10s
| project Timestamp_base64, Timestamp_curl, TimeDiff = Timestamp_curl - Timestamp_base64, DeviceName, AccountName, CommandLine_base64, CommandLine_curl
// Pull the host and the full URL out of the curl command line.
// The host group stops at whitespace so a following argument (e.g. "-o file") is not swallowed into Domain.
| extend Domain = extract(@"https?://([^/\s]+)", 1, CommandLine_curl)
| extend CurlUrl = extract(@"https?://[^\s]+", 0, CommandLine_curl)
// extract() returns an empty string when the command has no http(s) URL;
// "RemoteUrl contains ''" below would then match every connection, so drop those rows.
| where isnotempty(Domain)
| sort by Timestamp_base64 desc
// Step 4: require a successful connection from the same device to that host, at or after the curl.
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(1d)
    | where ActionType == "ConnectionSuccess"
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, ActionType, ReportId, DeviceId
) on DeviceName
| where RemoteUrl contains Domain
| where Timestamp >= Timestamp_curl
```
This query is designed to detect a specific type of attack on macOS systems, known as the ClickFix attack. Here's a simplified breakdown of what the query does:

**Purpose:** The query aims to identify suspicious activity that might indicate a macOS ClickFix attack. This involves looking for a sequence of commands that suggest malicious behavior.

**Detection Criteria:**
- Commands run under bash or zsh shells that include the use of base64. This is often used to encode or decode data.
- A curl command executed shortly after (within 10 seconds) the base64 command. curl is a tool used to transfer data from or to a server, and in this context, it might be used to download malicious content.
- Exclusion of a curl command that is known to be safe (whitelisted) to reduce false alarms.

**Correlation:**
- Links base64 and curl events by matching them based on the device and user account, ensuring they are part of the same sequence of actions.
- Checks whether the curl command successfully connects to a network domain, which could indicate that the downloaded content is being executed.

**Output:**
- Shows the base64 and curl commands, the time difference between them, the device and account involved, and the domain accessed by the curl command.

In summary, this query is a security measure to detect potential malicious activity on macOS systems by identifying a pattern of encoded command execution followed by a network connection attempt, which could indicate an attempt to download and execute harmful content.
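The correlation the rule performs, modelled in Python over constructed sample events so it can be run offline; this is an added example, not code from the original query page or its repository. It assumes hypothetical field names that mirror the Defender columns (`parent` for InitiatingProcessParentFileName, `cmdline` for ProcessCommandLine, `remote_url` for RemoteUrl, `action` for ActionType), applies the same 10-second window, whitelist and device/account joins as the KQL, and also exercises one failure mode worth guarding against: a curl command with no http(s) URL yields an empty Domain, and `contains ""` then matches every successful connection on that device.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta


# Hypothetical event shapes; field names mirror the Defender XDR columns used by the rule.
@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    device: str
    account: str
    parent: str    # InitiatingProcessParentFileName
    cmdline: str   # ProcessCommandLine


@dataclass(frozen=True)
class NetworkEvent:
    ts: datetime
    device: str
    remote_url: str  # RemoteUrl
    action: str      # ActionType


WHITELISTED_CURL_CLI = ("curl -fI https://download.mozilla.org/",)
WINDOW = timedelta(seconds=10)
# Same patterns as the KQL extract() calls; "\s" in the host group keeps a
# trailing argument such as "-o file" out of the domain.
DOMAIN_RE = re.compile(r"https?://([^/\s]+)")
URL_RE = re.compile(r"https?://[^\s]+")


def extract_domain(cmdline: str) -> str:
    """Behaves like KQL extract(): returns '' when nothing matches."""
    m = DOMAIN_RE.search(cmdline)
    return m.group(1) if m else ""


def correlate(proc_events, net_events, guard_empty_domain=True):
    """Return alert rows named after the query's projected columns.

    guard_empty_domain=False reproduces an unguarded join: a curl command
    without an http(s) URL gives Domain == '' and then matches every
    successful connection on the device.
    """
    base64_events = [e for e in proc_events
                     if e.parent in ("bash", "zsh") and "base64" in e.cmdline]
    curl_events = [e for e in proc_events
                   if "curl" in e.cmdline
                   and not any(w in e.cmdline for w in WHITELISTED_CURL_CLI)]
    alerts = []
    for b in base64_events:
        for c in curl_events:
            if (b.device, b.account) != (c.device, c.account):   # join on DeviceName, AccountName
                continue
            if not (b.ts < c.ts <= b.ts + WINDOW):                # curl strictly after, within 10 s
                continue
            domain = extract_domain(c.cmdline)
            if guard_empty_domain and not domain:
                continue
            url = URL_RE.search(c.cmdline)
            for n in net_events:
                # Second join is on DeviceName only, then RemoteUrl contains Domain
                # and the connection happens at or after the curl process start.
                if (n.device == c.device and n.action == "ConnectionSuccess"
                        and domain in n.remote_url and n.ts >= c.ts):
                    alerts.append({
                        "DeviceName": c.device, "AccountName": c.account,
                        "TimeDiff": c.ts - b.ts,
                        "CommandLine_base64": b.cmdline, "CommandLine_curl": c.cmdline,
                        "Domain": domain, "CurlUrl": url.group(0) if url else "",
                        "RemoteUrl": n.remote_url,
                    })
    return alerts


# Constructed sample telemetry (hosts use the reserved .invalid TLD).
T0 = datetime(2025, 10, 23, 12, 0, 0)
SAMPLE_PROC = [
    # mac-01: base64 then curl 3 s later to a full URL -> should alert
    ProcessEvent(T0, "mac-01", "alice", "zsh", "echo Y29uc3RydWN0ZWQ= | base64 -d"),
    ProcessEvent(T0 + timedelta(seconds=3), "mac-01", "alice", "zsh",
                 "curl -s https://cdn.example.invalid/update.sh -o /tmp/update.sh"),
    # mac-02: curl arrives 30 s later -> outside the window
    ProcessEvent(T0, "mac-02", "bob", "bash", "base64 -d /tmp/blob"),
    ProcessEvent(T0 + timedelta(seconds=30), "mac-02", "bob", "bash", "curl -s https://cdn.example.invalid/x"),
    # mac-03: whitelisted curl -> excluded
    ProcessEvent(T0, "mac-03", "carol", "zsh", "base64 -d /tmp/blob"),
    ProcessEvent(T0 + timedelta(seconds=2), "mac-03", "carol", "zsh", "curl -fI https://download.mozilla.org/"),
    # mac-04: curl without a scheme -> Domain is empty (the pitfall)
    ProcessEvent(T0, "mac-04", "dave", "zsh", "base64 -d /tmp/blob"),
    ProcessEvent(T0 + timedelta(seconds=1), "mac-04", "dave", "zsh", "curl example.invalid/x"),
]
SAMPLE_NET = [
    NetworkEvent(T0 + timedelta(seconds=4), "mac-01", "cdn.example.invalid", "ConnectionSuccess"),
    NetworkEvent(T0 + timedelta(seconds=31), "mac-02", "cdn.example.invalid", "ConnectionSuccess"),
    NetworkEvent(T0 + timedelta(seconds=3), "mac-03", "download.mozilla.org", "ConnectionSuccess"),
    NetworkEvent(T0 + timedelta(seconds=2), "mac-04", "unrelated.example.invalid", "ConnectionSuccess"),
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_PROC, SAMPLE_NET):
        print(row)
```

Only mac-01 produces an alert with the guard in place; mac-02 falls outside the window, mac-03 hits the whitelist, and mac-04 is dropped because its curl line carries no URL. Running `correlate(..., guard_empty_domain=False)` adds a second, spurious row for mac-04 whose Domain is empty, which is the noise the `isnotempty` check is there to prevent.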

Benjamin Zulliger
Released: October 23, 2025