Unusual Base64 Encoding/Decoding Activity
This rule leverages ESQL to detect unusual base64 encoding/decoding activity on Linux systems. Attackers may use base64 encoding/decoding to obfuscate data, such as command and control traffic or payloads, to evade detection by host- or network-based security controls. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2025/02/21"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2025/07/16"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule leverages ESQL to detect unusual base64 encoding/decoding activity on Linux systems. Attackers may use base64
11encoding/decoding to obfuscate data, such as command and control traffic or payloads, to evade detection by host- or
12network-based security controls. ESQL rules have limited fields available in its alert documents. Make sure to review
13the original documents to aid in the investigation of this alert.
14"""
15from = "now-61m"
16interval = "1h"
17language = "esql"
18license = "Elastic License v2"
19name = "Unusual Base64 Encoding/Decoding Activity"
20note = """## Triage and analysis
21
22> **Disclaimer**:
23> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
24
25### Investigating Unusual Base64 Encoding/Decoding Activity
26Base64 encoding is a method to convert binary data into ASCII text, often used for data transmission. Adversaries exploit this to obfuscate malicious payloads or commands, bypassing security controls. The detection rule identifies suspicious Base64 activity on Linux by monitoring specific processes and command patterns, flagging anomalies for further investigation.
27
28### Possible investigation steps
29
30- Review the process name and command line arguments to understand the context of the Base64 activity. Check if the process name matches known legitimate applications or scripts.
31- Examine the timestamp of the event to determine if the activity occurred during normal operational hours or if it coincides with other suspicious activities.
32- Investigate the host operating system type and agent ID to identify the specific Linux system involved and assess if it has a history of similar alerts or other security incidents.
33- Analyze the process command line for any unusual patterns or parameters that might indicate obfuscation or malicious intent, such as the presence of decode flags or unexpected Base64 operations.
34- Correlate the event with other logs or alerts from the same host or network to identify potential lateral movement or coordinated attacks.
35- Check for any recent changes or deployments on the affected system that might explain the Base64 activity, such as new software installations or updates.
36- Consult threat intelligence sources to determine if the observed Base64 patterns or command line arguments are associated with known malware or attack techniques.
37
38### False positive analysis
39
40- Routine administrative scripts may use base64 encoding for legitimate data processing tasks. Review the process.command_line and process.args fields to identify known scripts and consider excluding them from the rule.
41- Backup or data transfer operations might employ base64 encoding to handle binary data. Verify the process.name and process.command_line to ensure these operations are recognized and add exceptions for these specific processes.
42- Development environments often use base64 encoding for testing purposes. Identify development-related processes by examining the process.name and process.command_line and exclude them if they are part of regular development activities.
43- Automated system monitoring tools might trigger this rule if they use base64 encoding for log or data analysis. Check the agent.id and process.command_line to confirm these tools and exclude them from the rule if they are verified as non-threatening.
44- Security tools that perform data encoding for analysis or reporting could be flagged. Validate these tools by reviewing the process.name and process.command_line and create exceptions for them if they are part of the security infrastructure.
45
46### Response and remediation
47
48- Isolate the affected Linux system from the network to prevent further data exfiltration or lateral movement by the adversary.
49- Terminate any suspicious processes identified by the alert, particularly those involving base64 encoding/decoding, to halt potential malicious activity.
50- Conduct a thorough review of the process command lines and arguments flagged by the alert to identify any malicious scripts or payloads. Remove or quarantine these files as necessary.
51- Check for any unauthorized user accounts or privilege escalations that may have been established during the attack and revoke access immediately.
52- Restore any affected systems or files from a known good backup to ensure the integrity of the system and data.
53- Implement additional monitoring on the affected system and similar environments to detect any recurrence of the suspicious base64 activity.
54- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if broader organizational impacts exist.
55"""
56risk_score = 21
57rule_id = "c5637438-e32d-4bb3-bc13-bd7932b3289f"
58setup = """## Setup
59
60This rule requires data coming in from one of the following integrations:
61- Elastic Defend
62
63### Elastic Defend Integration Setup
64Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
65
66#### Prerequisite Requirements:
67- Fleet is required for Elastic Defend.
68- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
69
70#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
71- Go to the Kibana home page and click "Add integrations".
72- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
73- Click "Add Elastic Defend".
74- Configure the integration name and optionally add a description.
75- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
76- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
77- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
78- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
79For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
80- Click "Save and Continue".
81- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
82For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
83"""
84severity = "low"
85tags = [
86 "Domain: Endpoint",
87 "OS: Linux",
88 "Use Case: Threat Detection",
89 "Tactic: Defense Evasion",
90 "Data Source: Elastic Defend",
91 "Resources: Investigation Guide",
92]
93timestamp_override = "event.ingested"
94type = "esql"
95
96query = '''
97from logs-endpoint.events.process-*
98| where
99 @timestamp > now() - 1h and
100 host.os.type == "linux" and
101 event.type == "start" and
102 event.action == "exec" and (
103 (
104 process.name in ("base64", "base64plain", "base64url", "base64mime", "base64pem", "base32", "base16") and
105 process.command_line like "*-*d*"
106 ) or
107 (
108 process.name == "openssl" and
109 process.args == "enc" and
110 process.args in ("-d", "-base64", "-a")
111 ) or
112 (
113 process.name like "python*" and (
114 (
115 process.args == "base64" and
116 process.args in ("-d", "-u", "-t")
117 ) or
118 (
119 process.args == "-c" and
120 process.command_line like "*base64*" and
121 process.command_line like "*b64decode*"
122 )
123 )
124 ) or
125 (
126 process.name like "perl*" and
127 process.command_line like "*decode_base64*"
128 ) or
129 (
130 process.name like "ruby*" and
131 process.args == "-e" and
132 process.command_line like "*Base64.decode64*"
133 )
134 )
135| keep
136 @timestamp,
137 host.os.type,
138 event.type,
139 event.action,
140 process.name,
141 process.args,
142 process.command_line,
143 agent.id,
144 host.name
145| stats
146 Esql.event_count = count(),
147 Esql.agent_id_count_distinct = count_distinct(agent.id),
148 Esql.host_name_values = values(host.name),
149 Esql.agent_id_values = values(agent.id)
150 by process.name, process.command_line
151| where
152 Esql.agent_id_count_distinct == 1 and
153 Esql.event_count < 15
154| sort Esql.event_count asc
155| limit 100
156'''
157
158
159[[rule.threat]]
160framework = "MITRE ATT&CK"
161[[rule.threat.technique]]
162id = "T1027"
163name = "Obfuscated Files or Information"
164reference = "https://attack.mitre.org/techniques/T1027/"
165
166[[rule.threat.technique]]
167id = "T1140"
168name = "Deobfuscate/Decode Files or Information"
169reference = "https://attack.mitre.org/techniques/T1140/"
170
171
172[rule.threat.tactic]
173id = "TA0005"
174name = "Defense Evasion"
175reference = "https://attack.mitre.org/tactics/TA0005/"
176[[rule.threat]]
177framework = "MITRE ATT&CK"
178[[rule.threat.technique]]
179id = "T1059"
180name = "Command and Scripting Interpreter"
181reference = "https://attack.mitre.org/techniques/T1059/"
182[[rule.threat.technique.subtechnique]]
183id = "T1059.004"
184name = "Unix Shell"
185reference = "https://attack.mitre.org/techniques/T1059/004/"
186
187
188[[rule.threat.technique]]
189id = "T1204"
190name = "User Execution"
191reference = "https://attack.mitre.org/techniques/T1204/"
192[[rule.threat.technique.subtechnique]]
193id = "T1204.002"
194name = "Malicious File"
195reference = "https://attack.mitre.org/techniques/T1204/002/"
196
197
198
199[rule.threat.tactic]
200id = "TA0002"
201name = "Execution"
202reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Unusual Base64 Encoding/Decoding Activity
Base64 encoding is a method to convert binary data into ASCII text, often used for data transmission. Adversaries exploit this to obfuscate malicious payloads or commands, bypassing security controls. The detection rule identifies suspicious Base64 activity on Linux by monitoring specific processes and command patterns, flagging anomalies for further investigation.
Possible investigation steps
- Review the process name and command line arguments to understand the context of the Base64 activity. Check if the process name matches known legitimate applications or scripts.
- Examine the timestamp of the event to determine if the activity occurred during normal operational hours or if it coincides with other suspicious activities.
- Investigate the host operating system type and agent ID to identify the specific Linux system involved and assess if it has a history of similar alerts or other security incidents.
- Analyze the process command line for any unusual patterns or parameters that might indicate obfuscation or malicious intent, such as the presence of decode flags or unexpected Base64 operations.
- Correlate the event with other logs or alerts from the same host or network to identify potential lateral movement or coordinated attacks.
- Check for any recent changes or deployments on the affected system that might explain the Base64 activity, such as new software installations or updates.
- Consult threat intelligence sources to determine if the observed Base64 patterns or command line arguments are associated with known malware or attack techniques.
False positive analysis
- Routine administrative scripts may use base64 encoding for legitimate data processing tasks. Review the process.command_line and process.args fields to identify known scripts and consider excluding them from the rule.
- Backup or data transfer operations might employ base64 encoding to handle binary data. Verify the process.name and process.command_line to ensure these operations are recognized and add exceptions for these specific processes.
- Development environments often use base64 encoding for testing purposes. Identify development-related processes by examining the process.name and process.command_line and exclude them if they are part of regular development activities.
- Automated system monitoring tools might trigger this rule if they use base64 encoding for log or data analysis. Check the agent.id and process.command_line to confirm these tools and exclude them from the rule if they are verified as non-threatening.
- Security tools that perform data encoding for analysis or reporting could be flagged. Validate these tools by reviewing the process.name and process.command_line and create exceptions for them if they are part of the security infrastructure.
Response and remediation
- Isolate the affected Linux system from the network to prevent further data exfiltration or lateral movement by the adversary.
- Terminate any suspicious processes identified by the alert, particularly those involving base64 encoding/decoding, to halt potential malicious activity.
- Conduct a thorough review of the process command lines and arguments flagged by the alert to identify any malicious scripts or payloads. Remove or quarantine these files as necessary.
- Check for any unauthorized user accounts or privilege escalations that may have been established during the attack and revoke access immediately.
- Restore any affected systems or files from a known good backup to ensure the integrity of the system and data.
- Implement additional monitoring on the affected system and similar environments to detect any recurrence of the suspicious base64 activity.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if broader organizational impacts exist.
Related rules
- Potential Impersonation Attempt via Kubectl
- Kubeconfig File Creation or Modification
- Potential Hex Payload Execution via Command-Line
- Potential Kubectl Masquerading via Unexpected Process
- Suspicious Kernel Feature Activity