From c2f088e71889b6c7cbe69453b046b3fc26219a39 Mon Sep 17 00:00:00 2001
From: litemars
Date: Wed, 27 May 2026 21:54:16 +0200
Subject: [PATCH] fine tuning

---
 rules/linux/defense_evasion_base64_decoding_activity.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/linux/defense_evasion_base64_decoding_activity.toml b/rules/linux/defense_evasion_base64_decoding_activity.toml
index 3f0e0cabd9c..65e97517f9a 100644
--- a/rules/linux/defense_evasion_base64_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base64_decoding_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/05/27"
 
 [rule]
 author = ["Elastic"]
@@ -101,7 +101,7 @@ from logs-endpoint.events.process-* metadata _id, _index, _version
 event.action == "exec" and (
 (
 process.name in ("base64", "base64plain", "base64url", "base64mime", "base64pem", "base32", "base16") and
- process.command_line like "*-*d*"
+ process.args in ("-d", "--decode", "-D")
 ) or (
 process.name == "openssl" and
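Review bot: The exact-match list `process.args in ("-d", "--decode", "-D")` in the second hunk opens an easy evasion that the old `*-*d*` wildcard did not have: GNU coreutils accepts unambiguous long-option prefixes (`base64 --dec`, `--de`) and bundled short flags (`base64 -di`, `-id`), none of which are in the list, so a decode invocation written that way no longer fires the rule. A middle ground that keeps the noise reduction this commit is after (no more matching a `-` and a `d` anywhere in a file path) while covering those forms is to scope the wildcard to the argument itself, e.g. `process.args in ("-d", "--decode", "-D") or process.args like "-*d*"`. Separately, since this is an ES|QL query and `process.args` is a multi-valued field, it is worth confirming against the rule's test data that `in` evaluates as any-value-matches here rather than yielding null for multi-valued rows; if it does not, an `mv_*`-based form would be needed. The enclosing query starts and continues outside this hunk.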