Decode Base64 Encoded Text

Summary
This detection rule identifies use of the base64 utility on Linux to decode base64-encoded text. It keys on the process creation event of the base64 utility and looks for an invocation with the '-d' command-line option, which selects a decode operation: the rule matches when the image path ends with '/base64' and the command line contains the '-d' flag. Because the same action occurs in legitimate script executions and system processes, the context in which it occurs matters. The rule's alert level is low, since it frequently triggers false positives on benign activity. It is useful for surfacing potential misuse, but the surrounding context of the invocation should be analysed to determine whether it represents an actual attack or abuse of the system.
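As an added example (not the rule's own YAML), the selection logic the summary describes, re-implemented in Python and run over constructed process creation events; the event field names and the parent-process context field are assumptions:

```python
# Added example: the matching logic from the summary above, re-implemented
# in Python. Event shape and field names are assumptions, not Sigma's.
from dataclasses import dataclass

# Selection reconstructed from the summary: Image ends with '/base64' and
# CommandLine contains '-d'. Level is 'low' as stated on the page.
RULE = {
    "title": "Decode Base64 Encoded Text",
    "level": "low",
    "image_endswith": "/base64",
    "cmdline_contains": "-d",
}

@dataclass
class ProcessEvent:
    image: str          # full path of the executable
    command_line: str   # complete command line
    parent_image: str   # parent process, kept only as triage context

def matches(rule: dict, ev: ProcessEvent) -> bool:
    """True when both selection conditions hold for the event."""
    return (ev.image.endswith(rule["image_endswith"])
            and rule["cmdline_contains"] in ev.command_line)

def triage(rule: dict, events: list) -> list:
    """Apply the rule and attach the parent process, since the page notes
    that matches are frequently benign and need surrounding context."""
    return [
        {"level": rule["level"], "command_line": ev.command_line,
         "parent": ev.parent_image}
        for ev in events if matches(rule, ev)
    ]

# Constructed sample events; no real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/base64", "base64 -d /tmp/blob.txt", "/bin/bash"),
    # '--decode' also matches: a substring check for '-d' covers it.
    ProcessEvent("/usr/bin/base64", "base64 --decode cert.pem", "/usr/bin/python3"),
    # Encoding with line wrapping: no '-d' in the command line, no match.
    ProcessEvent("/usr/bin/base64", "base64 -w 0 archive.tar", "/bin/sh"),
    # Image does not end with '/base64', so the rule does not fire.
    ProcessEvent("/usr/bin/openssl", "openssl base64 -d -in blob.b64", "/bin/sh"),
]

if __name__ == "__main__":
    for hit in triage(RULE, SAMPLE_EVENTS):
        print(hit)
```

The openssl case shows the rule's scope: decoding done through another binary is outside what this image-path selection covers.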
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1027
Created: 2020-10-19