
Summary
This detection rule identifies suspicious activity in Linux environments where an attacker may be using Base64-encoded commands to obfuscate what is executed through a shell. The rule is designed to catch command lines that contain 'base64' followed by a subsequent shell command execution started by piping into 'bash' or 'sh'. Such behaviour is commonly associated with attack techniques aimed at avoiding detection during command execution. The detection logic combines specific keyword searches within the command line to flag process creation events that may indicate execution of payloads encoded for evasion purposes. Because similar command structures also have legitimate uses, the rule is assigned a medium alert level to limit false positives from routine administrative tasks. Administrators are encouraged to monitor logged instances and investigate any alerts generated.
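As an added illustration (not the rule's own query logic), the following script applies the two conditions described above to constructed process-creation events: the command line must mention 'base64' and, later in the same line, pipe into 'bash' or 'sh'. The regular expressions and the sample events are assumptions for this example.

```python
import re

# Assumed patterns for the two keyword conditions described by the rule:
# the command line contains 'base64', and after it pipes into bash or sh
# (optionally with an absolute path such as /bin/bash or /usr/bin/sh).
BASE64_RE = re.compile(r"\bbase64\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/(?:usr/)?bin/)?(?:bash|sh)\b")


def matches_rule(cmdline: str) -> bool:
    """Return True if cmdline contains 'base64' followed by a pipe into bash/sh."""
    b64 = BASE64_RE.search(cmdline)
    if not b64:
        return False
    # The pipe into the shell must appear after the 'base64' keyword; a shell
    # that merely invokes base64 (e.g. "sh -c 'base64 file'") does not match.
    return PIPE_TO_SHELL_RE.search(cmdline, b64.end()) is not None


def scan_events(events):
    """Return (pid, cmdline) for each process-creation event matching the rule."""
    return [(e["pid"], e["cmdline"]) for e in events if matches_rule(e["cmdline"])]


# Constructed sample process-creation events (not real telemetry).
# "ZWNobyBoZWxsbw==" is the Base64 encoding of the harmless string "echo hello".
SAMPLE_EVENTS = [
    {"pid": 101, "cmdline": "echo ZWNobyBoZWxsbw== | base64 -d | bash"},
    {"pid": 102, "cmdline": "base64 --decode payload.txt | sh"},
    {"pid": 103, "cmdline": "base64 /etc/ssl/certs/ca.pem > ca.b64"},  # benign: no pipe to a shell
    {"pid": 104, "cmdline": "cat script.sh | bash"},                   # benign: no base64 keyword
    {"pid": 105, "cmdline": "sh -c 'base64 -w0 backup.tar'"},          # benign: shell precedes base64
]

if __name__ == "__main__":
    for pid, cmd in scan_events(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} cmdline={cmd!r}")
```

Events 103 to 105 show the kind of routine administrative usage that the medium alert level is meant to account for; only 101 and 102 are flagged.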
Categories
- Linux
- Endpoint
Data Sources
- Process
Created: 2022-07-26