Base16 or Base32 Encoding/Decoding Activity

Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.


 1[metadata]
 2creation_date = "2020/04/17"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls."
12false_positives = [
13    """
14    Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be
15    filtered by the process executable or username values.
16    """,
17]
18from = "now-9m"
19index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "Base16 or Base32 Encoding/Decoding Activity"
23risk_score = 21
24rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
25severity = "low"
26tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
27timestamp_override = "event.ingested"
28type = "query"
29
30query = '''
31event.category:process and host.os.type:linux and event.type:(start or process_started) and
32  process.name:(base16 or base32 or base32plain or base32hex)
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1027"
40name = "Obfuscated Files or Information"
41reference = "https://attack.mitre.org/techniques/T1027/"
42
43[[rule.threat.technique]]
44id = "T1140"
45name = "Deobfuscate/Decode Files or Information"
46reference = "https://attack.mitre.org/techniques/T1140/"
47
48
49[rule.threat.tactic]
50id = "TA0005"
51name = "Defense Evasion"
52reference = "https://attack.mitre.org/tactics/TA0005/"

