LoFP / Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values.

Techniques

Sample rules

Hex Encoding/Decoding Activity

Description

Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.

Detection logic

event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)

Base64 Encoding/Decoding Activity

Description

Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.

Detection logic

event.category:process and event.type:(start or process_started) and
  process.name:(base64 or base64plain or base64url or base64mime or base64pem)

Base16 or Base32 Encoding/Decoding Activity

Description

Base16 and Base32 are encoding schemes that convert binary data into text, making it easier to transmit and store. This rule monitors for Base16 or Base32 encoding and decoding activity on Linux systems. Attackers may use these encoding schemes to obfuscate malicious payloads, evade detection, and facilitate data exfiltration.

Detection logic

process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name in ("base16", "base32", "base32plain", "base32hex") and
not process.args in ("--help", "--version")
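To show how the three sample rules fire and how the Jenkins-style false positive described above is tuned out (by process.executable or user name) rather than by disabling the rule, here is an added Python example; it is not code from LoFP or from any detection product, and the event builder, the sample events and the allow-list values are constructed assumptions.

```python
"""Replay the three LoFP sample rules over constructed process events and apply
the false-positive filter the page describes: drop hits attributable to known
automation by process.executable or user.name. Field layout loosely follows ECS."""

HEX_TOOLS = {"hexdump", "od", "xxd"}
BASE64_TOOLS = {"base64", "base64plain", "base64url", "base64mime", "base64pem"}
BASE16_32_TOOLS = {"base16", "base32", "base32plain", "base32hex"}
START_ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2",
                 "executed", "process_started"}

def mk(name, user, args, etype="start", action="exec"):
    """Build a constructed ECS-like process event (sample data, not captured telemetry)."""
    return {"event": {"category": "process", "type": etype, "action": action},
            "host": {"os": {"type": "linux"}}, "user": {"name": user},
            "process": {"name": name, "executable": f"/usr/bin/{name}", "args": [name, *args]}}

EVENTS = [
    mk("xxd", "alice", ["-r", "/tmp/blob.hex"]),                   # hits the hex rule
    mk("base64", "jenkins", ["-d", "artifact.b64"]),               # CI noise, filtered by user
    mk("base32", "bob", ["--help"]),                               # excluded by the rule itself
    mk("base32", "bob", ["-d", "payload.txt"]),                    # hits the base32 rule
    mk("od", "alice", ["-x", "file"], etype="end", action="end"),  # not a start event
]

def matching_rule(ev):
    """Return the name of the first sample rule the event satisfies, or None."""
    e, p = ev["event"], ev["process"]
    started = e["category"] == "process" and e["type"] in ("start", "process_started")
    if started and p["name"] in HEX_TOOLS:
        return "Hex Encoding/Decoding Activity"
    if started and p["name"] in BASE64_TOOLS:
        return "Base64 Encoding/Decoding Activity"
    # Third rule (EQL): linux host, start event, listed action, no --help/--version in args
    if (ev["host"]["os"]["type"] == "linux" and e["type"] == "start"
            and e["action"] in START_ACTIONS and p["name"] in BASE16_32_TOOLS
            and not ({"--help", "--version"} & set(p["args"]))):
        return "Base16 or Base32 Encoding/Decoding Activity"
    return None

def triage(events, allowed_executables=frozenset(), allowed_users=frozenset()):
    """Run the rules, then apply the LoFP filter for known automation (e.g. a CI user)."""
    hits = []
    for ev in events:
        rule = matching_rule(ev)
        if rule is None:
            continue
        if ev["process"]["executable"] in allowed_executables or ev["user"]["name"] in allowed_users:
            continue  # expected encoder use; tune the exclusion, keep the rule enabled
        hits.append((rule, ev["user"]["name"], " ".join(ev["process"]["args"])))
    return hits
```

Running `triage(EVENTS)` yields three hits; `triage(EVENTS, allowed_users={"jenkins"})` keeps only the two interactive-user events.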