Decoded Payload Piped to Interpreter Detected via Defend for Containers

Elastic Detection Rules

Summary
Detects a base64-encoded payload being decoded and piped to an interpreter within a container, indicating likely fileless execution and defense evasion. The rule uses a two-stage sequence: (1) a decoder process (e.g., base64, base64-like tools, OpenSSL enc -d, or language-based decoders in Python/Perl/Ruby) observed as a process start event, and (2) a subsequent interpreter process (bash/sh/ksh/dash, Python, Perl, Ruby, Lua, PHP, etc.) consuming the decoded output via arguments such as -c, -e, or a direct command string. The query ties both events to a single container instance (container.id) within a maximum span of 3 seconds, so that only a decode immediately followed by execution in the same container is treated as one pipeline, which reduces false positives. The detection covers common decoders and invocation patterns across shells and scripting languages, including embedded base64 usage, piping into interpreters, and decoded payload execution in Linux containers.
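As an added illustration of the two-stage correlation described above (not the rule's actual EQL and not Elastic's code), the following Python models the sequence over a few constructed process-start events. The field names, the decoder and interpreter lists, and the sample events are simplified assumptions made here.

```python
from datetime import datetime, timedelta

MAX_SPAN = timedelta(seconds=3)             # the rule's 3 s window
DECODERS = {"base64", "base32", "openssl"}  # CLI decoders (assumed subset)
SCRIPT_DECODERS = {"python", "python3", "perl", "ruby"}
SHELLS = {"bash", "sh", "ksh", "dash"}
INLINE_FLAG = {"python": "-c", "python3": "-c", "perl": "-e",
               "ruby": "-e", "lua": "-e", "php": "-r"}

def is_decoder(ev):
    """Stage 1: a decoder invoked at process start."""
    name, args = ev["process.name"], ev["process.args"]
    if name in DECODERS:
        return "-d" in args or "--decode" in args
    if name in SCRIPT_DECODERS:  # language-based decoders
        return any(k in a for a in args
                   for k in ("b64decode", "decode_base64", "Base64.decode"))
    return False

def is_interpreter(ev):
    """Stage 2: an interpreter handed an inline command string."""
    name, args = ev["process.name"], ev["process.args"]
    return "-c" in args if name in SHELLS else INLINE_FLAG.get(name) in args

def correlate(events):
    """Pair each decoder start with the next interpreter start in the same
    container.id within MAX_SPAN; yields (container.id, decoder, interpreter)."""
    pending, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get("event.type") != "start":
            continue
        cid = ev["container.id"]
        if is_decoder(ev):
            pending[cid] = ev
        elif cid in pending and is_interpreter(ev) and \
                ev["@timestamp"] - pending[cid]["@timestamp"] <= MAX_SPAN:
            alerts.append((cid, pending.pop(cid)["process.name"], ev["process.name"]))
    return alerts

T0 = datetime(2026, 3, 5, 12, 0, 0)
def ev(secs, cid, name, args):  # constructed sample events, not real telemetry
    return {"@timestamp": T0 + timedelta(seconds=secs), "event.type": "start",
            "container.id": cid, "process.name": name, "process.args": args}

SAMPLE_EVENTS = [
    ev(0, "ctr-a", "base64", ["base64", "-d"]),
    ev(1, "ctr-a", "bash", ["bash", "-c", "echo hi"]),    # 1 s later -> alert
    ev(0, "ctr-b", "base64", ["base64", "--decode"]),
    ev(10, "ctr-b", "sh", ["sh", "-c", "echo hi"]),       # outside 3 s -> no alert
    ev(5, "ctr-c", "python3", ["python3", "-c", "import base64; base64.b64decode(d)"]),
    ev(6, "ctr-c", "sh", ["sh", "-c", "echo hi"]),        # script decoder -> alert
    ev(7, "ctr-d", "bash", ["bash", "-c", "ls"]),         # interpreter alone -> no alert
]

def detect_sample():
    return correlate(SAMPLE_EVENTS)
```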
Categories
  • Containers
Data Sources
  • Process
  • Container
  • Command
ATT&CK Techniques
  • T1027
  • T1140
  • T1059
  • T1059.004
  • T1204
  • T1204.002
Created: 2026-03-05