Base16 or Base32 Encoding/Decoding Activity

Elastic Detection Rules

Summary
This detection rule identifies Base16 and Base32 encoding or decoding activity on Linux systems, which adversaries may use to obfuscate their actions and evade security controls. It triggers on process start events for processes named 'base16', 'base32', 'base32plain', or 'base32hex', while filtering out common benign invocations such as help or version checks. False positives may still arise from legitimate automated tools and scripts that use these encoders, so the rule's setup includes guidance for handling them by examining the user account and the process context of each alert. The rule targets endpoints and consumes data from sources such as Elastic Defend and Auditbeat, helping to surface data obfuscation tactics used by attackers.
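The matching logic described above, as an added Python example that is not the rule's own query: it applies the process-name and help/version filters to constructed ECS-style events and groups hits by user for triage. It assumes `event.type` carries "start" for process starts, `process.args` holds argv, and that "help or version checks" means an invocation with `--help`, `-h` or `--version`.

```python
# Added example reconstructing the rule's logic from the summary; not the rule's query.
# Assumptions: event.type contains "start", process.args is argv, and a help/version
# check is any invocation carrying --help, -h or --version.

ENCODER_NAMES = {"base16", "base32", "base32plain", "base32hex"}
BENIGN_FLAGS = {"--help", "-h", "--version"}  # assumed definition of benign checks


def matches_rule(event: dict) -> bool:
    """Return True when the event would raise this detection."""
    types = event.get("event", {}).get("type", [])
    if isinstance(types, str):
        types = [types]
    if "start" not in types:
        return False
    proc = event.get("process", {})
    if proc.get("name") not in ENCODER_NAMES:
        return False
    # Drop the benign help/version checks the rule excludes.
    return not any(arg in BENIGN_FLAGS for arg in proc.get("args", [])[1:])


def alerts_by_user(events: list) -> dict:
    """Group firing events by user.name with their parent process and argv;
    a user firing repeatedly from the same parent (cron, a backup script)
    is the usual false-positive candidate the rule's setup asks you to review."""
    grouped: dict = {}
    for ev in filter(matches_rule, events):
        user = ev.get("user", {}).get("name", "unknown")
        parent = ev.get("process", {}).get("parent", {}).get("name", "?")
        grouped.setdefault(user, []).append(
            f"{parent} -> {' '.join(ev['process']['args'])}")
    return grouped


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event": {"type": ["start"]}, "user": {"name": "www-data"},
     "process": {"name": "base32", "args": ["base32", "-d", "/tmp/blob.b32"],
                 "parent": {"name": "sh"}}},
    {"event": {"type": ["start"]}, "user": {"name": "root"},
     "process": {"name": "base32", "args": ["base32", "--version"],
                 "parent": {"name": "bash"}}},
    {"event": {"type": ["end"]}, "user": {"name": "root"},
     "process": {"name": "base32hex", "args": ["base32hex", "key.bin"],
                 "parent": {"name": "bash"}}},
    {"event": {"type": ["start"]}, "user": {"name": "backup"},
     "process": {"name": "base16", "args": ["base16", "/var/backups/db.sql"],
                 "parent": {"name": "cron"}}},
]
```

Running `alerts_by_user(SAMPLE_EVENTS)` yields hits for `www-data` and `backup` only: the `--version` call is excluded by the benign filter and the `base32hex` event is dropped because it is not a process start.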
Categories
  • Endpoint
  • Linux
  • Cloud
Data Sources
  • Process
  • Container
  • User Account
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1027
  • T1140
Created: 2020-04-17