[New] Long Base64 Encoded Command via Scripting Interpreter

[Samirbous]

Identifies oversized command lines used by Python, PowerShell, Node.js, or Deno that contain base64 decoding or encoded-command patterns. Adversaries may embed long inline encoded payloads in scripting interpreters to evade inspection and execute malicious content across Windows, macOS, and Linux systems.

[github-actions]

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

• Detailed description of the rule.
• List any new fields required in ECS/data sources.
• Link related issues or PRs.
• Include references.

Rule Metadata Checks

• creation_date matches the date of creation PR initially merged.
• min_stack_version should support the widest stack versions.
• name and description should be descriptive and not include typos.
• query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
• min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
• index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
• integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
• setup should include the necessary steps to configure the integration.
• note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
• tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
• threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

• building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
• bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

• Provide evidence of testing and detecting the expected threat.
• Check for existence of coverage to prevent duplication.

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Long Base64 Encoded Command via Scripting Interpreter (esql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[Aegrah]

Excluding fork here will result in FNs, because of aggregated event actions for linux and macos e.g. ["exec", "fork", "end"] would be excluded.

[Samirbous]

its not even evaluated since its an array, I will remove it.

[Aegrah]

Might be good to add lua, php, ruby, perl, java, openssl, and common shells with decoding args

[Samirbous]

may add those as a tuning if no perf/timeout issues (length + ingored fiels), let's test with 3 processes.

[Aegrah]

good to add unix shell + lua here if you increase scope based on previous comment

[Samirbous]

#5891 (comment)

[DefSecSentinel]

+1 to Aegrah's comment. An allowlist approach like event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") would be more consistent with the other cross-platform rules (e.g., the companion endpoint rule and the GitHub Actions runner rule in #5892 both use this pattern).

[Samirbous]

#5891 (comment)

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Long Base64 Encoded Command via Scripting Interpreter (esql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[DefSecSentinel]

Appreciate the response. Looks good.

[terrancedejesus]

Could use | KEEP *

[terrancedejesus]

Maybe a complimentary rule using https://www.elastic.co/docs/reference/query-languages/esql/functions-operators/string-functions/from_base64 and then regex for HTTP URIs. Just a thought.

[Mikaayenson]

fwiw, I tested the 4k count based on normal command_line size and it makes sense