Linux Auditd Base64 Decode Files

Splunk Security Content

Summary
This detection rule identifies suspicious Base64 decode operations on Linux systems, which may indicate malicious activity such as data exfiltration or the execution of encoded commands. Base64 encoding is widely used for safe data transmission, but attackers may also use it to obscure malicious payloads. The rule monitors processes executing commands with 'base64' and the '-d' or '--d' options, focusing on atypical decoding activity, particularly when it involves critical system files or directories. Detecting these patterns lets security teams uncover potential threats and respond promptly, mitigating the risks associated with encoded malware or unauthorized access to sensitive data. The rule requires the ingestion of the relevant Linux audit logs, specifically EXECVE and related system call entries, processed through Splunk's Unix and Linux add-on.
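The following is an added standalone illustration of the matching logic the summary describes, not the Splunk search itself: it parses auditd EXECVE records, flags base64 invocations carrying a decode option, and marks those whose input path lies under an assumed list of sensitive directories. The log lines are constructed for the example.

```python
import re

# Constructed sample auditd EXECVE records for illustration (not real captured logs).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1731500000.101:201): argc=3 a0="base64" a1="-d" a2="/tmp/payload.b64"
type=EXECVE msg=audit(1731500000.102:202): argc=2 a0="base64" a1="/etc/hosts"
type=EXECVE msg=audit(1731500000.103:203): argc=3 a0="base64" a1="--decode" a2="/etc/shadow.b64"
type=EXECVE msg=audit(1731500000.104:204): argc=3 a0="ls" a1="-la" a2="/tmp"
type=EXECVE msg=audit(1731500000.105:205): argc=3 a0="/usr/bin/base64" a1="-di" a2="/var/tmp/x"
type=SYSCALL msg=audit(1731500000.105:205): arch=c000003e syscall=59 success=yes exit=0
"""

# Assumed set of directories treated as "critical system files" for this example.
SENSITIVE_PREFIXES = ("/etc/", "/root/", "/var/spool/cron/", "/home/")
ARG_RE = re.compile(r'\ba(\d+)="((?:[^"\\]|\\.)*)"')
ID_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

def parse_execve(line):
    """Return (event_id, argv) for a type=EXECVE record, else None."""
    if not line.startswith("type=EXECVE "):
        return None
    m = ID_RE.search(line)
    args = sorted((int(i), v) for i, v in ARG_RE.findall(line))
    return (m.group(1) if m else "?", [v for _, v in args])

def is_base64_decode(argv):
    """True when argv runs base64 with -d, a clustered short flag containing d,
    or an unambiguous prefix of --decode (GNU getopt accepts e.g. --d)."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "base64":
        return False
    for a in argv[1:]:
        if a.startswith("--"):
            if len(a) >= 3 and "--decode".startswith(a):
                return True
        elif a.startswith("-") and "d" in a[1:]:
            return True
    return False

def scan(log_text):
    """Return one finding per base64 decode EXECVE, marking sensitive input paths."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_execve(line)
        if not parsed or not is_base64_decode(parsed[1]):
            continue
        event_id, argv = parsed
        files = [a for a in argv[1:] if not a.startswith("-")]  # non-option args are input paths
        sensitive = any(f.startswith(SENSITIVE_PREFIXES) for f in files)
        findings.append({"event": event_id, "argv": argv, "files": files, "sensitive": sensitive})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(("CRITICAL " if f["sensitive"] else "notable  ") + f["event"], " ".join(f["argv"]))
```

Plain `base64 file` encodes rather than decodes, so event 202 is correctly ignored even though it touches /etc.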
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • Container
  • User Account
  • Script
ATT&CK Techniques
  • T1140
Created: 2024-11-13