Long Base64 Encoded Command via Scripting Interpreter

calendar Apr 22, 2026 · Domain: Endpoint OS: Windows OS: macOS OS: Linux Use Case: Threat Detection Tactic: Defense Evasion Tactic: Execution Data Source: Elastic Defend Resources: Investigation Guide  ·
Share on: linkedin copy

Identifies oversized command lines used by Python, PowerShell, Node.js, or Deno that contain base64 decoding or encoded-command patterns. Adversaries may embed long inline encoded payloads in scripting interpreters to evade inspection and execute malicious content across Windows, macOS, and Linux systems.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/03/27"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2026/03/27"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies oversized command lines used by Python, PowerShell, Node.js, or Deno that contain base64 decoding or
 11encoded-command patterns. Adversaries may embed long inline encoded payloads in scripting interpreters to evade
 12inspection and execute malicious content across Windows, macOS, and Linux systems.
 13"""
 14from = "now-9m"
 15language = "esql"
 16license = "Elastic License v2"
 17name = "Long Base64 Encoded Command via Scripting Interpreter"
 18note = """## Triage and analysis
 19
 20### Investigating Long Base64 Encoded Command via Scripting Interpreter
 21
 22This rule detects process start events where the original `process.command_line` field was ignored at index time due to
 23its size, but the full command line remains available in `process.command_line.text`. Attackers commonly use very long
 24base64-encoded inline commands with interpreters such as Python, PowerShell, Node.js, and Deno to conceal payloads and
 25avoid straightforward command-line inspection.
 26
 27### Possible investigation steps
 28
 29- Review `process.command_line.text` to determine whether the encoded content includes shell commands, scripts, URLs, or embedded payloads.
 30- Inspect the parent process and execution chain to understand how the interpreter was launched and whether it originated from a browser, office application, archive utility, or remote access tool.
 31- Check whether the same host or user generated additional suspicious process, network, or file events around the same time.
 32- If the payload can be safely decoded in an isolated environment, inspect the decoded content for follow-on execution, credential access, persistence, or download behavior.
 33
 34### False positive analysis
 35
 36- Administrative automation, packaging workflows, or developer tooling may legitimately pass large encoded blobs to scripting interpreters.
 37- PowerShell remoting, software deployment frameworks, or internal bootstrap scripts can occasionally use encoded commands; validate the source, user, and expected automation context.
 38
 39### Response and remediation
 40
 41- Isolate the affected host if the decoded content or surrounding activity indicates malicious execution.
 42- Terminate the suspicious interpreter process and any spawned child processes.
 43- Preserve the full command line and related process tree for forensic analysis before making changes on the host.
 44- Reset or revoke any credentials, tokens, or secrets exposed by the decoded payload or subsequent attacker activity.
 45"""
 46risk_score = 73
 47rule_id = "74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61"
 48severity = "high"
 49tags = [
 50    "Domain: Endpoint",
 51    "OS: Windows",
 52    "OS: macOS",
 53    "OS: Linux",
 54    "Use Case: Threat Detection",
 55    "Tactic: Defense Evasion",
 56    "Tactic: Execution",
 57    "Data Source: Elastic Defend",
 58    "Resources: Investigation Guide",
 59]
 60timestamp_override = "event.ingested"
 61type = "esql"
 62
 63query = '''
 64FROM logs-endpoint.events.process-* METADATA _id, _index, _version, _ignored
 65| MV_EXPAND _ignored
 66| WHERE _ignored == "process.command_line"
 67| WHERE event.category == "process" and event.type == "start"
 68| EVAL command_line = TO_LOWER(process.command_line.text), pname = TO_LOWER(process.name)
 69| WHERE 
 70(
 71    (
 72        /* Python: inline exec with base64 decode or -c flag with encoded payload */
 73        pname like "python*" and
 74        (
 75            command_line like "*b64decode*" or
 76            (command_line like "*-c*" and command_line like "*base64*")
 77        )
 78    ) or
 79    (
 80        /* PowerShell: encoded command flag — require trailing space to avoid matching
 81           -Encoding, -EncryptionType, -EncryptionProvider, etc. */
 82        (pname like "powershell*" or pname like "pwsh*") and
 83        (
 84            command_line rlike ".* -(e|en|enc|enco|encod|encode|encoded|encodedcommand) .+" or
 85            command_line like "*-encodedcommand*" or
 86            command_line like "*frombase64string*"
 87        )
 88    ) or
 89    (
 90        /* Node.js: buffer.from must be paired with base64 to avoid matching
 91           general Buffer usage; atob is always base64 */
 92        pname like "node*" and
 93        (
 94            (command_line like "*buffer.from*" and command_line like "*base64*") or
 95            command_line like "*atob(*"
 96        )
 97    ) or
 98    (
 99        /* Deno: eval( (not eval/evaluate/evaluation), atob, or buffer+base64 */
100        pname like "deno*" and
101        (
102            command_line like "*atob(*" or
103            (command_line like "*buffer.from*" and command_line like "*base64*") or
104            command_line like "*eval(*"
105        )
106    )
107)
108| EVAL Esql.length_cmdline = LENGTH(command_line)
109| WHERE Esql.length_cmdline >= 4000
110| KEEP *
111'''
112
113[[rule.threat]]
114framework = "MITRE ATT&CK"
115
116[[rule.threat.technique]]
117id = "T1027"
118name = "Obfuscated Files or Information"
119reference = "https://attack.mitre.org/techniques/T1027/"
120
121[[rule.threat.technique]]
122id = "T1140"
123name = "Deobfuscate/Decode Files or Information"
124reference = "https://attack.mitre.org/techniques/T1140/"
125
126[rule.threat.tactic]
127id = "TA0005"
128name = "Defense Evasion"
129reference = "https://attack.mitre.org/tactics/TA0005/"
130
131[[rule.threat]]
132framework = "MITRE ATT&CK"
133
134[[rule.threat.technique]]
135id = "T1059"
136name = "Command and Scripting Interpreter"
137reference = "https://attack.mitre.org/techniques/T1059/"
138
139[[rule.threat.technique.subtechnique]]
140id = "T1059.001"
141name = "PowerShell"
142reference = "https://attack.mitre.org/techniques/T1059/001/"
143
144[[rule.threat.technique.subtechnique]]
145id = "T1059.006"
146name = "Python"
147reference = "https://attack.mitre.org/techniques/T1059/006/"
148
149[[rule.threat.technique.subtechnique]]
150id = "T1059.007"
151name = "JavaScript"
152reference = "https://attack.mitre.org/techniques/T1059/007/"
153
154[rule.threat.tactic]
155id = "TA0002"
156name = "Execution"
157reference = "https://attack.mitre.org/tactics/TA0002/"

Triage and analysis

Investigating Long Base64 Encoded Command via Scripting Interpreter

This rule detects process start events where the original process.command_line field was ignored at index time due to its size, but the full command line remains available in process.command_line.text. Attackers commonly use very long base64-encoded inline commands with interpreters such as Python, PowerShell, Node.js, and Deno to conceal payloads and avoid straightforward command-line inspection.

Possible investigation steps

  • Review process.command_line.text to determine whether the encoded content includes shell commands, scripts, URLs, or embedded payloads.
  • Inspect the parent process and execution chain to understand how the interpreter was launched and whether it originated from a browser, office application, archive utility, or remote access tool.
  • Check whether the same host or user generated additional suspicious process, network, or file events around the same time.
  • If the payload can be safely decoded in an isolated environment, inspect the decoded content for follow-on execution, credential access, persistence, or download behavior.

False positive analysis

  • Administrative automation, packaging workflows, or developer tooling may legitimately pass large encoded blobs to scripting interpreters.
  • PowerShell remoting, software deployment frameworks, or internal bootstrap scripts can occasionally use encoded commands; validate the source, user, and expected automation context.

Response and remediation

  • Isolate the affected host if the decoded content or surrounding activity indicates malicious execution.
  • Terminate the suspicious interpreter process and any spawned child processes.
  • Preserve the full command line and related process tree for forensic analysis before making changes on the host.
  • Reset or revoke any credentials, tokens, or secrets exposed by the decoded payload or subsequent attacker activity.

Related rules

to-top