SPL · Apache-2.0 · from splunk/security_content

Linux Auditd Base64 Decode Files

The following analytic detects suspicious Base64 decode operations that may indicate malicious activity, such as data exfiltration or execution of encoded commands. Base64 is commonly used to encode data for safe transmission, but attackers may abuse it to conceal malicious payloads. This detection focuses on identifying unusual or unexpected Base64 decoding processes, particularly when associated with critical files or directories. By monitoring these activities, the analytic helps uncover potential threats, enabling security teams to respond promptly and mitigate risks associated with encoded malware or unauthorized data access.

Quality: 43 · FP risk: (no value shown) · Forks: 0 · Views: 0

Rule source: detections/endpoint/linux_auditd_base64_decode_files.yml
`linux_auditd` execve_command = "*base64*" AND execve_command IN ("*-d*", "* --d*")
  | rename host as dest
  | rename comm as process_name
  | rename exe as process
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY argc execve_command dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_base64_decode_files_filter`
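To show what the search above actually matches, here is an added Python example (not code from splunk/security_content) that reproduces its logic over a few constructed auditd SYSCALL/EXECVE record pairs: it joins the two record types on the audit serial, rebuilds `execve_command` from `argc`/`a0..aN` the way the upstream field extraction is assumed to, applies the two wildcard conditions case-insensitively as Splunk does, and then groups like the `stats` clause. The host names, timestamps and commands are made up. The last sample pair is a benign `grep` invocation that still satisfies both wildcards, which is the kind of hit the `linux_auditd_base64_decode_files_filter` macro exists to suppress.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed auditd records (not real logs). Splunk supplies `host` from the
# forwarder, so each line is paired with a hypothetical host name here.
SAMPLE_LINES: List[Tuple[str, str]] = [
    ("web01", 'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 pid=1201 uid=1000 comm="base64" exe="/usr/bin/base64" key="exec"'),
    ("web01", 'type=EXECVE msg=audit(1700000000.101:501): argc=3 a0="base64" a1="-d" a2="/tmp/payload.b64"'),
    ("web01", 'type=SYSCALL msg=audit(1700000060.202:502): arch=c000003e syscall=59 success=yes exit=0 pid=1250 uid=1000 comm="base64" exe="/usr/bin/base64" key="exec"'),
    ("web01", 'type=EXECVE msg=audit(1700000060.202:502): argc=3 a0="base64" a1="-d" a2="/tmp/payload.b64"'),
    # auditd hex-encodes an argument containing a space: a2 decodes to "/tmp/x y"
    ("db01", 'type=SYSCALL msg=audit(1700000120.303:503): arch=c000003e syscall=59 success=yes exit=0 pid=2201 uid=0 comm="base64" exe="/usr/bin/base64" key="exec"'),
    ("db01", 'type=EXECVE msg=audit(1700000120.303:503): argc=3 a0="base64" a1="--decode" a2=2F746D702F782079'),
    # encoding, not decoding: must not match
    ("db01", 'type=SYSCALL msg=audit(1700000180.404:504): arch=c000003e syscall=59 success=yes exit=0 pid=2202 uid=0 comm="base64" exe="/usr/bin/base64" key="exec"'),
    ("db01", 'type=EXECVE msg=audit(1700000180.404:504): argc=4 a0="base64" a1="-w" a2="0" a3="/etc/hostname"'),
    # benign command that still satisfies both wildcards (false-positive candidate)
    ("ci01", 'type=SYSCALL msg=audit(1700000240.505:505): arch=c000003e syscall=59 success=yes exit=0 pid=3301 uid=1000 comm="grep" exe="/usr/bin/grep" key="exec"'),
    ("ci01", 'type=EXECVE msg=audit(1700000240.505:505): argc=4 a0="grep" a1="-d" a2="skip" a3="base64"'),
]

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Optional[Tuple[str, int, str, Dict[str, str]]]:
    """Split one auditd record into (type, epoch seconds, serial, key/value fields)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for fm in FIELD_RE.finditer(m["body"]):
        key = fm.group(1)
        if fm.group(2) is not None:
            val = fm.group(2)
        else:
            val = fm.group(3)
            # unquoted argv entries are hex-encoded by auditd (the value had
            # whitespace or control characters); other bare fields stay as-is
            if re.fullmatch(r"a\d+", key):
                val = bytes.fromhex(val).decode("utf-8", errors="replace")
        fields[key] = val
    return m["type"], int(m["ts"]), m["serial"], fields


def build_events(lines: List[Tuple[str, str]]) -> List[Dict]:
    """Join SYSCALL and EXECVE records on (host, serial) into one execve event."""
    merged: Dict[Tuple[str, str], Dict] = defaultdict(dict)
    for host, line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        ev = merged[(host, serial)]
        ev.setdefault("host", host)
        ev.setdefault("_time", ts)
        if rtype == "SYSCALL":
            ev["comm"] = fields.get("comm")   # search renames this to process_name
            ev["exe"] = fields.get("exe")     # search renames this to process
        elif rtype == "EXECVE":
            argc = int(fields["argc"])
            ev["argc"] = argc
            ev["execve_command"] = " ".join(fields.get(f"a{i}", "") for i in range(argc))
    return [ev for ev in merged.values() if "execve_command" in ev]


def matches_search(execve_command: str) -> bool:
    """Mirror of: execve_command = "*base64*" AND execve_command IN ("*-d*", "* --d*").
    Splunk wildcard matches on field values are case-insensitive, so compare lowercased.
    Note that "*-d*" is a substring test: it matches "--decode" but also any other
    argument containing "-d", which is why a filter macro follows the search."""
    c = execve_command.lower()
    return "base64" in c and ("-d" in c or " --d" in c)


def run_detection(lines: List[Tuple[str, str]]) -> List[Dict]:
    """Equivalent of: stats count min(_time) as firstTime max(_time) as lastTime
    BY argc execve_command dest (with host renamed to dest)."""
    groups: Dict[Tuple, Dict] = {}
    for ev in build_events(lines):
        if not matches_search(ev["execve_command"]):
            continue
        key = (ev["argc"], ev["execve_command"], ev["host"])
        g = groups.setdefault(key, {
            "argc": ev["argc"], "execve_command": ev["execve_command"], "dest": ev["host"],
            "count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"],
        })
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return sorted(groups.values(), key=lambda g: g["firstTime"])


if __name__ == "__main__":
    for row in run_detection(SAMPLE_LINES):
        print(row)
```

Running it yields three rows: the two identical `base64 -d` executions on web01 collapse into one row with count 2, the hex-encoded `--decode` argument on db01 is reconstructed correctly, the `base64 -w 0` encode call is dropped, and the `grep -d skip base64` invocation on ci01 survives as a row that only the filter macro would remove.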