Merge pull request #1245 from oscd-initiative/oscd_art_linux_task_4_T1027

[OSCD] ART sync, test T1027: Obfuscated Files or Information (Linux)
2024-11-07 01:45:21 +00:00 · 2020-12-30 22:57:59 +01:00 · 2020-12-30 22:57:59 +01:00 · 810485993a
commit 810485993a
parent aa5396cb9f f0060dec67
1 changed files with 22 additions and 0 deletions
--- a/rules/linux/lnx_base64_decode.yml
+++ b/rules/linux/lnx_base64_decode.yml
@ -0,0 +1,22 @@
+title: Decode Base64 Encoded Text
+id: e2072cab-8c9a-459b-b63c-40ae79e27031
+status: experimental
+description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+logsource:
+  category: process_creation
+  product: linux
+detection:
+  base64_execution:
+    ProcessName|endswith: '/base64'
+    CommandLine|contains: '-d'
+  condition: base64_execution
+falsepositives:
+  - Legitimate activities
+level: low
+tags:
+  - attack.defense_evasion
+  - attack.t1027