LoFP / automated tools such as jenkins may encode or decode files as part of their normal behavior. these events can be filtered by the process executable or username values.

Techniques

• T1027
• T1140

Sample rules

Hex Encoding/Decoding Activity

• source: elastic
• technicques:
  • T1027
  • T1140

Description

Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.

Detection logic

event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd)

Base64 Encoding/Decoding Activity

• source: elastic
• technicques:
  • T1027
  • T1140

Description

Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.

Detection logic

event.category:process and event.type:(start or process_started) and
  process.name:(base64 or base64plain or base64url or base64mime or base64pem)

Base16 or Base32 Encoding/Decoding Activity

• source: elastic
• technicques:
  • T1027
  • T1140

Description

Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.

Detection logic

process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
 and process.name in ("base16", "base32", "base32plain", "base32hex") and
not process.args in ("--help", "--version")