
Summary
This detection rule targets the decoding of Base64-encoded strings and their execution in a Linux shell environment. Such actions are commonly associated with malicious activity, as adversaries often use Base64 encoding to hide their commands and payloads from standard visibility tools. The rule uses Splunk's Endpoint.Processes data model to look for two specific command patterns, 'base64 -d' and 'base64 --decode', combined with filters that identify Linux shell executions. When a command suggests Base64 decoding followed by execution in a shell, the rule raises an alert, since this can indicate an attempt to run harmful commands aimed at unauthorized access or data exfiltration. The analytic therefore serves as a critical protective measure against unauthorized activity within Linux environments.
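The detection logic described above, written out as an added Python example (not the Splunk rule's own search) and run over constructed process events modelled on the Endpoint.Processes fields (process_name, parent_process_name, process). The set of shell names used for the "Linux shell execution" filter and the secondary pipe-to-shell indicator are assumptions, since the page does not spell them out.

```python
import re

# Constructed sample events modelled on the Endpoint.Processes fields the
# rule queries (process_name, parent_process_name, process). Not real data.
SAMPLE_EVENTS = [
    {"dest": "web01", "process_name": "sh", "parent_process_name": "cron",
     "process": 'sh -c "echo aWQ= | base64 -d | bash"'},
    {"dest": "web01", "process_name": "bash", "parent_process_name": "sshd",
     "process": "bash -c 'base64 --decode /tmp/p.b64 > /tmp/p; /tmp/p'"},
    {"dest": "db02", "process_name": "base64", "parent_process_name": "bash",
     "process": "base64 -d backup.b64 > backup.tar"},   # decode only
    {"dest": "db02", "process_name": "bash", "parent_process_name": "sshd",
     "process": "bash -c 'ls -la /var/log'"},            # benign shell use
]

# Shell names for the "Linux shell execution" filter (assumption: the page
# does not list which shells the rule matches).
LINUX_SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}

# The two command patterns named on the page: 'base64 -d', 'base64 --decode'.
DECODE_RE = re.compile(r"\bbase64\s+(?:-d|--decode)\b")
# Secondary indicator (assumption): decoded output piped straight into a shell.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sh|bash|dash|zsh|ksh|ash)\b")


def is_base64_decode_exec(event):
    """True when a Linux shell process's command line contains a base64
    decode pattern, i.e. the condition the detection rule alerts on."""
    if event.get("process_name", "") not in LINUX_SHELLS:
        return False
    return DECODE_RE.search(event.get("process", "")) is not None


def detect(events):
    """Run the rule over a batch of events and return one finding per match,
    enriched with whether the decoded data is piped into another shell."""
    findings = []
    for ev in events:
        if not is_base64_decode_exec(ev):
            continue
        findings.append({
            "dest": ev.get("dest"),
            "parent": ev.get("parent_process_name"),
            "process": ev["process"],
            "piped_to_shell": PIPE_TO_SHELL_RE.search(ev["process"]) is not None,
        })
    return findings
```

The third event shows why the shell filter matters: a plain `base64 -d` of a backup file is decoded by the base64 binary itself, not by a shell, so it does not match and does not add noise.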
Categories
- Linux
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Process
- Active Directory
ATT&CK Techniques
- T1027
- T1059.004
Created: 2024-11-13