
Summary
This detection rule identifies the use of macOS built-in utilities to decode and decrypt payloads, specifically following the execution of macOS disk image files (DMGs). Attackers often package malicious payloads inside DMGs, encoding and encrypting them to evade detection mechanisms. When such a payload is extracted and executed with a tool like OpenSSL, it can signify malicious intent, especially when the command line combines decryption with flags for base64 decoding. Notably, this behavior is associated with adware and malware families such as Bundlore and Shlayer, which use similar encoding techniques to evade security solutions. The rule triggers a detection when a process whose name contains 'openssl' is invoked with command-line arguments indicative of a decoding action, alerting security teams to potentially malicious activity.
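As an added illustration (not the rule's own query language or logic), the following Python script applies the detection idea described above to constructed process events: it flags an 'openssl' process invoked with 'enc', a decrypt flag and a base64 flag, and restricts the match to processes launched from a mounted disk image. The event fields, the flag sets, the use of the /Volumes/ mount path as the "executed from a DMG" heuristic, and all sample events are assumptions made for this example.

```python
"""Constructed example: flag openssl decode/decrypt commands tied to a mounted DMG.

This is illustrative detection logic, not the original rule's implementation.
Event schema, flag sets and the /Volumes/ heuristic are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    """Minimal process-start event (assumed schema for this example)."""
    event_id: str
    name: str                       # executable name as reported by the sensor
    args: list[str] = field(default_factory=list)
    cwd: str = ""                   # working directory of the new process
    parent_executable: str = ""     # full path of the parent's executable


# 'openssl enc -d' decrypts; '-a' / '-base64' tell it the input is base64.
# These sets are assumptions for the example, not the rule's exact argument list.
DECRYPT_FLAGS = {"-d"}
BASE64_FLAGS = {"-a", "-base64"}

# macOS mounts disk images under /Volumes/; treat a process whose working
# directory or parent executable lives there as "following DMG execution".
DMG_MOUNT_PREFIX = "/Volumes/"


def launched_from_dmg(ev: ProcessEvent) -> bool:
    """Heuristic: the process or its parent originates from a mounted image."""
    return ev.cwd.startswith(DMG_MOUNT_PREFIX) or ev.parent_executable.startswith(DMG_MOUNT_PREFIX)


def is_suspicious_openssl_decode(ev: ProcessEvent) -> bool:
    """True when an openssl 'enc' call decrypts base64 input from a DMG context."""
    if "openssl" not in ev.name.lower():
        return False
    args = set(ev.args)             # openssl flags are case-sensitive, so no lowercasing
    if "enc" not in args:
        return False                # e.g. 'openssl dgst' is not a decode operation
    if not (args & DECRYPT_FLAGS) or not (args & BASE64_FLAGS):
        return False
    return launched_from_dmg(ev)


def detect(events: list[ProcessEvent]) -> list[str]:
    """Return the ids of events that match the detection."""
    return [ev.event_id for ev in events if is_suspicious_openssl_decode(ev)]


# Constructed sample telemetry; paths and passwords are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("evt-1", "openssl",
                 ["enc", "-aes-256-cbc", "-d", "-base64", "-in", "payload.bin",
                  "-out", "/tmp/stage2", "-k", "PLACEHOLDER_KEY"],
                 cwd="/Volumes/Installer",
                 parent_executable="/Volumes/Installer/Installer.app/Contents/MacOS/Installer"),
    # Decrypt without a base64 flag, run by a user from home: not matched.
    ProcessEvent("evt-2", "openssl",
                 ["enc", "-aes-256-cbc", "-d", "-in", "backup.enc", "-out", "backup.tar"],
                 cwd="/Users/alice", parent_executable="/bin/zsh"),
    # Base64 decrypt but no DMG context: not matched by this example's heuristic.
    ProcessEvent("evt-3", "openssl",
                 ["enc", "-aes-256-cbc", "-d", "-a", "-in", "note.txt"],
                 cwd="/Users/alice", parent_executable="/bin/bash"),
    # Hashing inside a mounted image is not a decode action: not matched.
    ProcessEvent("evt-4", "openssl",
                 ["dgst", "-sha256", "Installer.pkg"],
                 cwd="/Volumes/Installer", parent_executable="/bin/sh"),
    # Working directory is benign but the parent runs from a DMG: matched.
    ProcessEvent("evt-5", "openssl",
                 ["enc", "-d", "-a", "-aes-256-cbc", "-k", "PLACEHOLDER_KEY"],
                 cwd="/Users/bob",
                 parent_executable="/Volumes/Update/Update.app/Contents/MacOS/Update"),
]


if __name__ == "__main__":
    for event_id in detect(SAMPLE_EVENTS):
        print("suspicious openssl decode:", event_id)
```

Running the script reports evt-1 and evt-5. In a real deployment the DMG-context check would come from the sensor's process ancestry rather than a path prefix, and legitimate administrative use of openssl from a mounted image should be tuned out with an exception list rather than by weakening the flag match.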
Categories
- macOS
- Endpoint
Data Sources
- Process
Created: 2022-10-17