Detectionmediumtest
Linux Base64 Encoded Pipe to Shell
Detects suspicious process command line that uses base64 encoded input for execution with a shell
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
LinuxProcess Creation
ProductLinux← raw: linux
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_base64:
CommandLine|contains: 'base64 '
selection_exec:
- CommandLine|contains:
- '| bash '
- '| sh '
- '|bash '
- '|sh '
- CommandLine|endswith:
- ' |sh'
- '| bash'
- '| sh'
- '|bash'
condition: all of selection_*False Positives
Legitimate administration activities
MITRE ATT&CK
Rule Metadata
Rule ID
ba592c6d-6888-43c3-b8c6-689b8fe47337
Status
test
Level
medium
Type
Detection
Created
Tue Jul 26
Modified
Fri Jun 16
Author
Path
rules/linux/process_creation/proc_creation_lnx_base64_execution.yml
Raw Tags
attack.defense-evasionattack.t1140