SigmaHQ/rules/linux/lnx_base64_decode.yml

title: Decode base64 encoded text
id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
status: experimental
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
logsource:
  category: process_creation
  product: linux
detection:
  base64_execution:
    ProcessName|endswith: '/base64'
    CommandLine|contains: '-d'
  condition: base64_execution
falsepositives:
  - Legitimate activities
level: low
tags:
  - attack.defense_evasion
  - attack.t1027
add lnx_base64_decode.yml, oscd initiative issue #1011, task number 4 2020-10-19 22:37:53 +00:00			`title: Decode base64 encoded text`
			`id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68`
			`status: experimental`
			`description: Detects usage of base64 utility to decode arbitrary base64-encoded text`
			`author: Daniil Yugoslavskiy, oscd.community`
			`date: 2020/10/19`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md`
			`logsource:`
			`category: process_creation`
			`product: linux`
			`detection:`
			`base64_execution:`
			`ProcessName\|endswith: '/base64'`
			`CommandLine\|contains: '-d'`
			`condition: base64_execution`
			`falsepositives:`
			`- Legitimate activities`
			`level: low`
			`tags:`
			`- attack.defense_evasion`
			`- attack.t1027`