MATCH-S00686.md

# Rules: Base64 Decode in Command Line

## Description

Malicious payloads are often base64-encoded so that security controls which would otherwise inspect the file's contents do not recognize them. Before the payload can be used on the victim machine the attacker must decode it, typically with a built-in utility such as certutil on Windows or the base64 command on Unix-like systems. This rule detects invocations of the standard decoding utilities on Unix, Windows cmd, Windows PowerShell, and macOS by matching the process command line.
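The page does not publish the rule's match expression, so the following is an added illustration of the detection logic, not the vendor's code. It runs a set of assumed command-line patterns for the utilities the description names (certutil, base64 with -d/-D/--decode, and PowerShell's [Convert]::FromBase64String) over a few constructed endpoint records that carry the normalized fields listed under Fields Used, and emits a signal with the summary text and static severity shown in the details table. Note the two deliberate non-matches: certutil -encode (encoding, not decoding) and certutil -decodehex (hex, not base64).

```python
import re

# Assumed patterns for the decoding utilities the rule description names.
# The page does not show the real expression; these are illustrative only.
DECODE_PATTERNS = {
    # Windows cmd: certutil -decode <in> <out> (also accepts /decode).
    # The trailing \b keeps "-decodehex" (hex, not base64) from matching.
    "certutil": re.compile(r"\bcertutil(?:\.exe)?\b.*?\s[-/]decode\b", re.I),
    # Unix/macOS: base64 -d (GNU), -D (macOS), or --decode. Case-sensitive so
    # that "FromBase64String" in a PowerShell line is not claimed here.
    "base64": re.compile(r"(?:^|[\s/])base64\b.*?\s(?:-d|-D|--decode)\b"),
    # PowerShell: [Convert]::FromBase64String(...) in the command line.
    "powershell": re.compile(r"FromBase64String", re.I),
}

# Normalized-schema fields the rule reads (from the Fields Used table).
REQUIRED_FIELDS = ("commandLine", "device_hostname", "device_ip", "user_username")
SIGNAL_NAME = "Base64 Decode in Command Line"
STATIC_SEVERITY = 4


def match_decoder(command_line):
    """Return the name of the first decoding utility matched, or None."""
    for name, pattern in DECODE_PATTERNS.items():
        if pattern.search(command_line):
            return name
    return None


def evaluate(records):
    """Run the templated match over endpoint records and build signals."""
    signals = []
    for rec in records:
        # A record missing any required field cannot apply risk to entities.
        if not all(field in rec for field in REQUIRED_FIELDS):
            continue
        utility = match_decoder(rec["commandLine"])
        if utility is None:
            continue
        signals.append({
            "signal": SIGNAL_NAME,
            "severity": STATIC_SEVERITY,
            "utility": utility,
            "summary": (
                f"A base64-encoded file was decoded on host "
                f"{rec['device_hostname']} by user {rec['user_username']}"
            ),
            # Entities that receive risk, per the rule's details table.
            "entities": {k: rec[k] for k in ("device_hostname", "device_ip", "user_username")},
        })
    return signals


# Constructed sample telemetry; hostnames, IPs and users are made up.
SAMPLE_RECORDS = [
    {"commandLine": "certutil.exe -decode C:\\Users\\Public\\payload.txt C:\\Users\\Public\\payload.exe",
     "device_hostname": "WS-0117", "device_ip": "10.0.4.23", "user_username": "jdoe"},
    {"commandLine": "base64 -d /tmp/.cache/x.b64 > /tmp/.cache/x",
     "device_hostname": "web-03", "device_ip": "10.0.9.8", "user_username": "www-data"},
    {"commandLine": "/usr/bin/base64 -D /Users/alice/Downloads/update.b64",
     "device_hostname": "alice-mbp", "device_ip": "192.168.1.40", "user_username": "alice"},
    {"commandLine": "powershell.exe -nop -w hidden -c \"[IO.File]::WriteAllBytes('C:\\Temp\\a.dll', "
                    "[Convert]::FromBase64String((Get-Content C:\\Temp\\a.txt)))\"",
     "device_hostname": "WS-0204", "device_ip": "10.0.4.77", "user_username": "svc_build"},
    # Benign: encoding rather than decoding, so no signal.
    {"commandLine": "certutil -encode report.pdf report.b64",
     "device_hostname": "WS-0117", "device_ip": "10.0.4.23", "user_username": "jdoe"},
    {"commandLine": "base64 -w 0 backup.tar.gz",
     "device_hostname": "web-03", "device_ip": "10.0.9.8", "user_username": "ops"},
    # Hex decode, not base64, so no signal.
    {"commandLine": "certutil -decodehex blob.hex blob.bin",
     "device_hostname": "WS-0204", "device_ip": "10.0.4.77", "user_username": "svc_build"},
]


if __name__ == "__main__":
    for signal in evaluate(SAMPLE_RECORDS):
        print(f"[{signal['utility']}] {signal['summary']}")
```

Because legitimate administration also decodes base64 (certificate handling, build scripts), a static severity of 4 is appropriate for this signal on its own; it earns attention when it stacks with other signals on the same host or user, which is what applying risk to device_hostname, device_ip and user_username is for.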

## Additional Details

| Detail | Value |
| --- | --- |
| Type | Templated Match |
| Category | Defense Evasion |
| Apply Risk to Entities | device_hostname, device_ip, user_username |
| Signal Name | Base64 Decode in Command Line |
| Summary Expression | A base64-encoded file was decoded on host {{device_hostname}} by user {{user_username}} |
| Score/Severity | Static: 4 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0005, _mitreAttackTechnique:T1140, _mitreAttackTactic:TA0011, _mitreAttackTechnique:T1132.001, _mitreAttackTechnique:T1132 |

## Vendors and Products

## Fields Used

| Origin | Field |
| --- | --- |
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | user_username |