{
  "author": [
    "Elastic"
  ],
  "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.",
  "false_positives": [
    "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."
  ],
  "from": "now-9m",
  "index": [
    "auditbeat-*",
    "logs-endpoint.events.*"
  ],
  "language": "kuery",
  "license": "Elastic License v2",
  "name": "Base16 or Base32 Encoding/Decoding Activity",
  "query": "event.category:process and event.type:(start or process_started) and\n process.name:(base16 or base32 or base32plain or base32hex)\n",
  "risk_score": 21,
  "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
  "severity": "low",
  "tags": [
    "Elastic",
    "Host",
    "Linux",
    "Threat Detection",
    "Defense Evasion"
  ],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0005",
        "name": "Defense Evasion",
        "reference": "https://attack.mitre.org/tactics/TA0005/"
      },
      "technique": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "reference": "https://attack.mitre.org/techniques/T1140/"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "reference": "https://attack.mitre.org/techniques/T1027/"
        }
      ]
    }
  ],
  "timestamp_override": "event.ingested",
  "type": "query",
  "version": 7
}