diff --git a/rules/linux/defense_evasion_base64_decoding_activity.toml b/rules/linux/defense_evasion_base64_decoding_activity.toml
index 3f0e0cabd9c..65e97517f9a 100644
--- a/rules/linux/defense_evasion_base64_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base64_decoding_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/05/27"
 [rule]
 author = ["Elastic"]
@@ -101,7 +101,7 @@ from logs-endpoint.events.process-* metadata _id, _index, _version
 event.action == "exec" and (
 (
 process.name in ("base64", "base64plain", "base64url", "base64mime", "base64pem", "base32", "base16") and
- process.command_line like "*-*d*"
+ process.args in ("-d", "--decode", "-D")
 ) or (
 process.name == "openssl" and
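Review bot: The new `process.args in ("-d", "--decode", "-D")` matches only whole argument tokens, so combined short options such as `-di`/`-id` (decode plus GNU `--ignore-garbage`) and the abbreviated long forms GNU coreutils accepts (`--dec`, `--deco`) no longer trigger the rule, whereas the replaced `*-*d*` wildcard caught them along with its false positives (any `-` argument followed anywhere in the command line by a `d`, e.g. a path containing `d`). Consider keeping exact tokens for the common spellings but adding the two-flag combinations and a prefix pattern on the same line, e.g. `process.args like ("-d", "-D", "--d*", "-di", "-id")`, since `--decode` is the only long option of these tools beginning with `--d`. `-D` is the BSD/macOS decode spelling and is unlikely on the Linux endpoints this rule queries, so it is harmless but worth a sentence in the rule's note explaining why it is listed. The enclosing `query` string, including its `openssl` branch, continues outside the hunk.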