
Encoded Payload Detected via Defend for Containers

Elastic Detection Rules

Summary
This rule detects interactive execution of potential defense-evasion techniques that rely on encoded payloads inside Linux containers. Attackers may use base64 encoding or other obfuscation to avoid detection by security controls. The rule fires when common encoding/decoding commands are run interactively, which may indicate an attempt to decode a hidden payload or command-and-control traffic. An attacker can exploit these methods by decoding base64 blobs directly in a container session, often followed by silently executing the decoded commands. Possible investigative actions include confirming the nature of the executed commands, monitoring activity that follows the initial command, validating the user's permissions, and searching for other signs of compromise or unauthorized access. Mitigation involves quarantining affected containers, collecting forensic data, and validating the authenticity of the user's actions.
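As an added illustration (not the Elastic rule's own query, which this page does not reproduce), the following Python sketches the detection logic the summary describes and runs it over a few constructed process events. The event field names (`container_id`, `interactive`, `user`, `command_line`), the set of decode tools, and the severity scheme are assumptions made for the example; a real rule would read the equivalent fields from the endpoint's process telemetry.

```python
"""Illustrative detector for interactive decode commands inside containers.

Assumed event shape (constructed for this example, not Elastic's schema):
    {"container_id": str, "interactive": bool, "user": str, "command_line": str}
"""
import os
import shlex

# Tools whose invocation with a decode flag we treat as suspicious (assumption).
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
TECHNIQUES = ["T1027", "T1140", "T1059.004"]


def pipeline_stages(command_line):
    """Split a shell command line into per-stage argv lists on unquoted '|'."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    stages, current = [], []
    for token in lex:
        if token == "|":
            stages.append(current)
            current = []
        else:
            current.append(token)
    stages.append(current)
    return [stage for stage in stages if stage]


def is_decode_stage(argv):
    """True if this pipeline stage decodes an encoded blob."""
    tool = os.path.basename(argv[0])
    rest = argv[1:]
    if tool in ("base64", "base32"):
        return any(flag in ("-d", "-D", "--decode") for flag in rest)
    if tool == "xxd":
        return "-r" in rest  # reverse hexdump: hex text back to bytes
    if tool == "openssl":
        return "enc" in rest and "-d" in rest
    return False


def evaluate(event):
    """Return an alert dict when the event matches, otherwise None.

    Matching requires: the process ran inside a container, the session was
    interactive, and some pipeline stage is a decode command. If a later
    stage hands the decoded bytes to a shell, severity is raised.
    """
    if not event.get("container_id") or not event.get("interactive"):
        return None
    stages = pipeline_stages(event.get("command_line", ""))
    decode_positions = [i for i, stage in enumerate(stages) if is_decode_stage(stage)]
    if not decode_positions:
        return None
    later = stages[decode_positions[0] + 1:]
    piped_to_shell = any(os.path.basename(stage[0]) in SHELLS for stage in later)
    return {
        "container_id": event["container_id"],
        "user": event.get("user", "unknown"),
        "command_line": event["command_line"],
        "severity": "high" if piped_to_shell else "medium",
        "attack": TECHNIQUES,
    }


def scan(events):
    """Evaluate a batch of events and return the alerts raised."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


# Constructed sample events: two should alert, three should not.
SAMPLE_EVENTS = [
    {"container_id": "c1", "interactive": True, "user": "root",
     "command_line": "echo aWQ= | base64 -d | sh"},
    {"container_id": "c2", "interactive": True, "user": "app",
     "command_line": "base64 -d /tmp/blob.b64 > /tmp/out"},
    {"container_id": "c3", "interactive": False, "user": "app",
     "command_line": "base64 -d /tmp/blob.b64"},          # non-interactive (cron/CI)
    {"container_id": "", "interactive": True, "user": "ops",
     "command_line": "base64 -d /tmp/blob.b64"},          # not in a container
    {"container_id": "c4", "interactive": True, "user": "app",
     "command_line": "base64 /etc/hostname"},              # encode only, no decode flag
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["container_id"], alert["command_line"])
```

The encode-only case is left unflagged here to keep the example focused on decode activity; the rule described above covers encoding commands as well, so a production version would add a lower-severity branch for them rather than ignore them.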
Categories
  • Containers
Data Sources
  • Container
ATT&CK Techniques
  • T1027
  • T1140
  • T1059
  • T1059.004
  • T1204
  • T1204.002
Created: 2026-02-06