title: Decode Base64 Encoded Text
id: e2072cab-8c9a-459b-b63c-40ae79e27031
status: experimental
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
logsource:
  category: process_creation
  product: linux
detection:
  base64_execution:
    Image|endswith: '/base64'
    CommandLine|contains: '-d'
  condition: base64_execution
falsepositives:
  - Legitimate activities
level: low
tags:
  - attack.defense_evasion
  - attack.t1027