Base64 Encoding/Decoding Activity

Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.


 1[metadata]
 2creation_date = "2020/04/17"
 3deprecation_date = "2021/04/15"
 4maturity = "deprecated"
 5updated_date = "2021/04/15"
 6
 7[rule]
 8author = ["Elastic"]
 9description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls."
10false_positives = [
11    """
12    Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be
13    filtered by the process executable or username values.
14    """,
15]
16from = "now-9m"
17index = ["auditbeat-*", "logs-endpoint.events.*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Base64 Encoding/Decoding Activity"
21risk_score = 21
22rule_id = "97f22dab-84e8-409d-955e-dacd1d31670b"
23severity = "low"
24tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
25timestamp_override = "event.ingested"
26type = "query"
27
28query = '''
29event.category:process and event.type:(start or process_started) and
30  process.name:(base64 or base64plain or base64url or base64mime or base64pem)
31'''
32
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36[[rule.threat.technique]]
37id = "T1140"
38name = "Deobfuscate/Decode Files or Information"
39reference = "https://attack.mitre.org/techniques/T1140/"
40
41[[rule.threat.technique]]
42id = "T1027"
43name = "Obfuscated Files or Information"
44reference = "https://attack.mitre.org/techniques/T1027/"
45
46
47[rule.threat.tactic]
48id = "TA0005"
49name = "Defense Evasion"
50reference = "https://attack.mitre.org/tactics/TA0005/"

