Elastic Security Detection Rules

Decoded Payload Piped to Interpreter Detected via Defend for Containers

Last updated 10 days ago on 2026-03-05
Created 10 days ago on 2026-03-05

About

This rule detects the execution of a base64 decoded payload to an interpreter inside a container. Attackers may use this technique to execute malicious code, while attempting to evade detection.
Tags
Data Source: Elastic Defend for ContainersDomain: ContainerOS: LinuxUse Case: Threat DetectionTactic: Defense EvasionTactic: ExecutionLanguage: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

Obfuscated Files or Information (T1027)(external, opens in a new tab or window)

Deobfuscate/Decode Files or Information (T1140)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

User Execution (T1204)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-cloud_defend.process*
Related Integrations

cloud_defend(external, opens in a new tab or window)

Query
text code block:
sequence by process.parent.entity_id, container.id with maxspan=3s
  [process where event.type == "start" and event.action == "exec" and container.id like "?*" and (
    (
      (
        process.name in ("base64", "basez", "base64plain", "base64url", "base64mime", "base64pem", "basenc", "base32", "base16") or
        (
          process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
          process.args in ("base64", "basez", "base64plain", "base64url", "base64mime", "base64pem", "basenc", "base32", "base16")
        )
      ) and
      process.args like~ "*-*d*"
    ) or
    (
      process.name == "openssl" and
      process.args == "enc" and process.args in ("-d", "-base64", "-a", "-A")
    ) or
    (
      process.name like "python*" and (
        (process.args == "base64" and process.args in ("-d", "-u", "-t")) or
        (process.args == "-c" and process.args like "*base64*" and process.args like~ "*b64decode*")
      )
    ) or
    (
      process.name like "perl*" and
      process.args like~ "*decode_base64*"
    ) or
    (
      process.name like "ruby*" and
      process.args == "-e" and
      process.args like~ "*Base64.decode64*"
    )
  )]
  [process where event.type == "start" and event.action == "exec" and process.name like (
    "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox",
    "python*", "perl*", "ruby*", "lua*", "php*"
  ) and
  process.args like (
    "-bash", "-dash", "-sh", "-tcsh", "-csh", "-zsh", "-ksh", "-fish", "-busybox",
    "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox",
    "/bin/bash", "/bin/dash", "/bin/sh", "/bin/tcsh", "/bin/csh",
    "/bin/zsh", "/bin/ksh", "/bin/fish", "/bin/busybox",
    "/usr/bin/bash", "/usr/bin/dash", "/usr/bin/sh", "/usr/bin/tcsh",
    "/usr/bin/csh", "/usr/bin/zsh", "/usr/bin/ksh", "/usr/bin/fish",
    "/usr/bin/busybox",
    "*python*", "*perl*", "*ruby*", "*lua*", "*php*", "/dev/fd/*"
  ) and
  not (
    process.working_directory like (
      "/usr/local/zeek", "/opt/zeek", "/var/lib/docker/overlay2/*/opt/zeek", "/usr/local/zeek_old_install",
      "/var/lib/docker/overlay2/*/usr/local/zeek", "/proc/self/fd/*/usr/local/zeek"
    ) or
    process.args in (
      "which", "/bin/which", "/usr/bin/which", "/usr/local/bin/which",
      "man", "/bin/man", "/usr/bin/man", "/usr/local/bin/man",
      "chmod", "/bin/chmod", "/usr/bin/chmod", "/usr/local/bin/chmod",
      "chown", "/bin/chown", "/usr/bin/chown", "/usr/local/bin/chown"
    )
  )]

Install detection rules in Elastic Security

Detect Decoded Payload Piped to Interpreter Detected via Defend for Containers in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).