Long Base64 Encoded Command via Scripting Interpreter

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Long Base64 Encoded Command via Scripting Interpreter

Identifies oversized command lines used by Python, PowerShell, Node.js, or Deno that contain base64 decoding or encoded-command patterns. Adversaries may embed long inline encoded payloads in scripting interpreters to evade inspection and execute malicious content across Windows, macOS, and Linux systems.

Rule type: esql

Rule indices: None

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Windows
OS: macOS
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Defend
Resources: Investigation Guide

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Long Base64 Encoded Command via Scripting Interpreter

This rule detects process start events where the original process.command_line field was ignored at index time due to its size, but the full command line remains available in process.command_line.text. Attackers commonly use very long base64-encoded inline commands with interpreters such as Python, PowerShell, Node.js, and Deno to conceal payloads and avoid straightforward command-line inspection.

Possible investigation steps

Review process.command_line.text to determine whether the encoded content includes shell commands, scripts, URLs, or embedded payloads.
Inspect the parent process and execution chain to understand how the interpreter was launched and whether it originated from a browser, office application, archive utility, or remote access tool.
Check whether the same host or user generated additional suspicious process, network, or file events around the same time.
If the payload can be safely decoded in an isolated environment, inspect the decoded content for follow-on execution, credential access, persistence, or download behavior.

False positive analysis

Administrative automation, packaging workflows, or developer tooling may legitimately pass large encoded blobs to scripting interpreters.
PowerShell remoting, software deployment frameworks, or internal bootstrap scripts can occasionally use encoded commands; validate the source, user, and expected automation context.

Response and remediation

Isolate the affected host if the decoded content or surrounding activity indicates malicious execution.
Terminate the suspicious interpreter process and any spawned child processes.
Preserve the full command line and related process tree for forensic analysis before making changes on the host.
Reset or revoke any credentials, tokens, or secrets exposed by the decoded payload or subsequent attacker activity.

Rule query

edit

FROM logs-endpoint.events.process-* METADATA _id, _index, _version, _ignored
| MV_EXPAND _ignored
| WHERE _ignored == "process.command_line"
| WHERE event.category == "process" and event.type == "start"
| EVAL command_line = TO_LOWER(process.command_line.text), pname = TO_LOWER(process.name)
| WHERE
(
    (
        /* Python: inline exec with base64 decode or -c flag with encoded payload */
        pname like "python*" and
        (
            command_line like "*b64decode*" or
            (command_line like "*-c*" and command_line like "*base64*")
        )
    ) or
    (
        /* PowerShell: encoded command flag — require trailing space to avoid matching
           -Encoding, -EncryptionType, -EncryptionProvider, etc. */
        (pname like "powershell*" or pname like "pwsh*") and
        (
            command_line rlike ".* -(e|en|enc|enco|encod|encode|encoded|encodedcommand) .+" or
            command_line like "*-encodedcommand*" or
            command_line like "*frombase64string*"
        )
    ) or
    (
        /* Node.js: buffer.from must be paired with base64 to avoid matching
           general Buffer usage; atob is always base64 */
        pname like "node*" and
        (
            (command_line like "*buffer.from*" and command_line like "*base64*") or
            command_line like "*atob(*"
        )
    ) or
    (
        /* Deno: eval( (not eval/evaluate/evaluation), atob, or buffer+base64 */
        pname like "deno*" and
        (
            command_line like "*atob(*" or
            (command_line like "*buffer.from*" and command_line like "*base64*") or
            command_line like "*eval(*"
        )
    )
)
| EVAL Esql.length_cmdline = LENGTH(command_line)
| WHERE Esql.length_cmdline >= 4000
| KEEP *

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Obfuscated Files or Information
- ID: T1027
- Reference URL: https://attack.mitre.org/techniques/T1027/
Technique:
- Name: Deobfuscate/Decode Files or Information
- ID: T1140
- Reference URL: https://attack.mitre.org/techniques/T1140/
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
Sub-technique:
- Name: PowerShell
- ID: T1059.001
- Reference URL: https://attack.mitre.org/techniques/T1059/001/
Sub-technique:
- Name: Python
- ID: T1059.006
- Reference URL: https://attack.mitre.org/techniques/T1059/006/
Sub-technique:
- Name: JavaScript
- ID: T1059.007
- Reference URL: https://attack.mitre.org/techniques/T1059/007/

« Appendix h: Downloadable rule update v8.19.21 AWS Rare Source AS Organization Activity »