Linux Obfuscated Files or Information Base64 Decode
- source: splunk
- techniques:
  - T1027
Description
The following analytic identifies the use of base64 decode on Linux to deobfuscate a file. Identify the source of the file and determine whether it is legitimate. Review parallel processes for further behaviour before and after.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*base64 -d*","*base64 --decode*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_obfuscated_files_or_information_base64_decode_filter`
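As an added example (not part of the Splunk rule above), the same detection logic replayed in Python over constructed Endpoint.Processes-style events: the two wildcard patterns become substring matches, the BY clause becomes the grouping key for count/firstTime/lastTime, and a constructed (dest, user) allowlist stands in for the `linux_obfuscated_files_or_information_base64_decode_filter` macro.

```python
from datetime import datetime, timezone

# Wildcards from the WHERE clause, matched as plain substrings. Matching is kept
# case-sensitive here (an assumption; confirm how your Splunk deployment compares).
DECODE_PATTERNS = ("base64 -d", "base64 --decode")
# Fields from the BY clause, in the same order.
GROUP_BY = ("dest", "user", "parent_process_name", "process_name",
            "process", "process_id", "parent_process_id")
# Constructed sample events shaped like Endpoint.Processes rows; _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "web01", "user": "www-data", "parent_process_name": "sh",
     "process_name": "base64", "process": "base64 -d /tmp/.cache/x", "process_id": 4101, "parent_process_id": 4100},
    {"_time": 1700000045, "dest": "web01", "user": "www-data", "parent_process_name": "sh",
     "process_name": "base64", "process": "base64 -d /tmp/.cache/x", "process_id": 4101, "parent_process_id": 4100},
    {"_time": 1700000120, "dest": "build02", "user": "jenkins", "parent_process_name": "bash",
     "process_name": "base64", "process": "base64 --decode secrets.b64", "process_id": 2200, "parent_process_id": 2199},
    # Encoding rather than decoding: neither pattern matches, so this row never alerts.
    {"_time": 1700000200, "dest": "web01", "user": "root", "parent_process_name": "bash",
     "process_name": "base64", "process": "base64 -w0 /etc/hostname", "process_id": 4300, "parent_process_id": 4299},
]
# Stand-in for the `linux_obfuscated_files_or_information_base64_decode_filter` macro:
# a constructed allowlist of (dest, user) pairs an analyst has already vetted.
KNOWN_GOOD = {("build02", "jenkins")}


def matches_decode(process: str) -> bool:
    """Equivalent of Processes.process IN ("*base64 -d*","*base64 --decode*")."""
    return any(p in process for p in DECODE_PATTERNS)


def ctime(epoch: int) -> str:
    """Mirror of `security_content_ctime`: epoch -> %Y-%m-%dT%H:%M:%S (UTC assumed)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect(events):
    """count/min(_time)/max(_time) per BY key, then drop tuples the filter macro suppresses."""
    groups = {}
    for ev in events:
        if not matches_decode(ev["process"]):
            continue
        key = tuple(ev[f] for f in GROUP_BY)
        g = groups.setdefault(key, {"count": 0, "first": ev["_time"], "last": ev["_time"]})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], ev["_time"]), max(g["last"], ev["_time"])
    results = []
    for key, g in groups.items():
        row = dict(zip(GROUP_BY, key))  # `drop_dm_object_name(Processes)`: bare field names
        if (row["dest"], row["user"]) in KNOWN_GOOD:
            continue
        row.update(count=g["count"], firstTime=ctime(g["first"]), lastTime=ctime(g["last"]))
        results.append(row)
    return results
```

Note that the substring match also fires on other tools whose command line contains `base64 -d` (for example an `openssl base64 -d` invocation), which is one reason the rule asks you to review the parent and parallel processes before deciding.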