
Base64 Decoded Payload Piped to Interpreter

Elastic Detection Rules

Summary
This detection rule identifies attempts to pipe a base64-decoded payload into an interpreter on Linux systems. Attackers use base64 encoding to obfuscate malicious payloads; once decoded, the payload is executed by an interpreter such as a shell or a scripting-language runtime. The technique is used to bypass host or network security controls by disguising the true nature of the executed command.

The rule uses the Event Query Language (EQL) to monitor process events and spot this behavior by tracking the sequence of processes started on the endpoint. Specifically, it looks for a process associated with a known base64 utility (such as 'base64' or 'openssl') followed by a common interpreter (such as 'bash', 'python' or 'perl'). By requiring the two stages to occur within a bounded time window (maxspan), the rule aims to capture potentially harmful activity embedded in otherwise legitimate operational workflows and to surface unusual execution patterns that correspond to this obfuscation tactic.
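The sequence logic described above, reimplemented over constructed process events as an added example (this is not the rule's own EQL or Elastic code; the session key, interpreter list and a 1-second maxspan are assumptions, since the page does not state the rule's field names or window):

```python
from dataclasses import dataclass

# Assumed parameters: the page does not give the rule's field names or maxspan value.
MAXSPAN_SECONDS = 1.0
INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl", "php", "ruby"}

@dataclass
class ProcEvent:
    ts: float        # event timestamp, seconds
    session: str     # constructed session id standing in for the EQL join key
    name: str        # process.name
    args: tuple      # process.args

def is_base64_decode(ev: ProcEvent) -> bool:
    """True for 'base64 -d' / '--decode' and 'openssl ... -d' in base64 mode."""
    if ev.name == "base64":
        return any(a in ("-d", "--decode") or (a[:1] == "-" and a[:2] != "--" and "d" in a[1:])
                   for a in ev.args)
    if ev.name == "openssl":
        return "-d" in ev.args and any(a in ("base64", "-base64", "-a") for a in ev.args)
    return False

def detect(events):
    """Return (session, decoder, interpreter) for each decode -> interpreter pair within maxspan."""
    hits, pending = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if is_base64_decode(ev):
            pending[ev.session] = ev                  # open a sequence for this session
        elif ev.name in INTERPRETERS and ev.session in pending:
            start = pending.pop(ev.session)
            if ev.ts - start.ts <= MAXSPAN_SECONDS:   # second stage must land inside maxspan
                hits.append((ev.session, start.name, ev.name))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(100.0, "s1", "base64", ("-d",)),
    ProcEvent(100.2, "s1", "bash", ()),                       # hit: decode followed by bash
    ProcEvent(200.0, "s2", "base64", ("-d",)),
    ProcEvent(205.0, "s2", "bash", ()),                       # outside maxspan: no hit
    ProcEvent(300.0, "s3", "openssl", ("enc", "-d", "-base64")),
    ProcEvent(300.1, "s3", "ls", ("-la",)),                   # unrelated event does not break the sequence
    ProcEvent(300.5, "s3", "sh", ()),                         # hit
    ProcEvent(400.0, "s4", "base64", ("/etc/hostname",)),     # encode, not decode: no hit
    ProcEvent(400.1, "s4", "python3", ()),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Tuning the interpreter set and maxspan against your own baseline is what keeps this from alerting on build scripts that legitimately decode embedded assets.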
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Script
  • Container
ATT&CK Techniques
  • T1027
  • T1140
  • T1059
  • T1059.004
  • T1204
  • T1204.002
Created: 2025-02-21