Python One-Liners with Base64 Decoding
Detects Python one-liners (python -c "...") that call base64 decoding functions on the command line. Attackers and malicious scripts commonly use such one-liners to decode and execute a base64-encoded payload, which is a common obfuscation and defense-evasion technique.
Sigma rule
title: Python One-Liners with Base64 Decoding
id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
related:
    - id: 55e862a8-dd9c-4651-807a-f21fcad56716
      type: similar
status: experimental
description: |
    Detects Python one-liners that use base64 decoding functions in command line executions.
    Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
    - https://docs.python.org/3/library/base64.html
    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
    - attack.execution
    - attack.t1059.006
    - attack.defense-evasion
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\python'
        - OriginalFileName|contains: 'python'
    selection_cli:
        CommandLine|contains|all:
            - 'import'
            - 'base64'
            - ' -c'
        CommandLine|contains:
            - '.decode'
            - 'b16decode'
            - 'b32decode'
            - 'b32hexdecode'
            - 'b64decode'
            - 'b85decode'
            - 'z85decode'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml
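To see what the detection block above actually matches, the following added example (written for this page, not code from the rule authors, Sigma or any backend) transcribes the two selections into plain Python and runs them over constructed process_creation events. It reproduces the three points a practitioner needs to keep in mind when tuning this rule: Sigma `contains` is case-insensitive by default, the two entries under `selection_img` are OR-ed because that selection is a list of maps, and both `CommandLine` lists under `selection_cli` must hold because that selection is a single map. The event field values, file paths and the base64 payload are made up for the example.

```python
"""Evaluate the rule's detection logic against constructed process_creation events.

Added example for this page: it is not part of the Sigma rule and does not use
a Sigma backend; the matching semantics are transcribed by hand from the rule.
"""

# Values copied from the rule's detection block.
IMAGE_CONTAINS = "\\python"             # Image|contains: '\python'
ORIGINALFILENAME_CONTAINS = "python"    # OriginalFileName|contains: 'python'
CLI_ALL = ("import", "base64", " -c")   # CommandLine|contains|all
CLI_ANY = (".decode", "b16decode", "b32decode", "b32hexdecode",
           "b64decode", "b85decode", "z85decode")  # CommandLine|contains


def contains(field_value, needle):
    """Sigma string matching is case-insensitive unless the 'cased' modifier is used."""
    return needle.lower() in (field_value or "").lower()


def matches(event):
    """Return True when the event satisfies 'condition: all of selection_*'."""
    # selection_img is a YAML list of maps, so its two entries are OR-ed:
    # a renamed python.exe is still caught through OriginalFileName.
    selection_img = (contains(event.get("Image"), IMAGE_CONTAINS)
                     or contains(event.get("OriginalFileName"), ORIGINALFILENAME_CONTAINS))
    # selection_cli is a single map, so both CommandLine keys must hold:
    # every CLI_ALL token AND at least one CLI_ANY token.
    cli = event.get("CommandLine")
    selection_cli = (all(contains(cli, n) for n in CLI_ALL)
                     and any(contains(cli, n) for n in CLI_ANY))
    return selection_img and selection_cli


# Constructed sample events (synthetic, not real telemetry). The base64 blob
# 'cHJpbnQoMSk=' is just print(1) and is used only as a placeholder payload.
EVENTS = {
    # Classic decode-and-exec one-liner: should alert.
    "b64decode_exec": {
        "Image": r"C:\Python312\python.exe", "OriginalFileName": "python.exe",
        "CommandLine": 'python.exe -c "import base64;exec(base64.b64decode(b\'cHJpbnQoMSk=\'))"'},
    # __import__ instead of an import statement, upper-case path: still alerts,
    # because 'import' is a substring of '__import__' and matching ignores case.
    "dunder_import": {
        "Image": r"C:\PYTHON312\PYTHON.EXE", "OriginalFileName": "python.exe",
        "CommandLine": 'python -c "exec(__import__(\'base64\').b64decode(b\'cHJpbnQoMSk=\'))"'},
    # Interpreter copied to another name: Image misses, OriginalFileName hits.
    "renamed_binary": {
        "Image": r"C:\Temp\svc.exe", "OriginalFileName": "python.exe",
        "CommandLine": 'svc.exe -c "import base64;exec(base64.b85decode(b\'XKGOS\').decode())"'},
    # Benign decoding on the command line: alerts too (the listed false positive).
    "benign_decode_print": {
        "Image": r"C:\Python312\python.exe", "OriginalFileName": "python.exe",
        "CommandLine": 'python.exe -c "import base64,sys;print(base64.b64decode(sys.stdin.read()).decode())"'},
    # python -m base64 decodes but neither imports in the CLI nor executes: no alert.
    "module_mode_no_exec": {
        "Image": r"C:\Python312\python.exe", "OriginalFileName": "python.exe",
        "CommandLine": "python.exe -m base64 -d payload.b64"},
    # Script file rather than -c: no ' -c' and no 'import' on the command line.
    "script_file": {
        "Image": r"C:\Python312\python.exe", "OriginalFileName": "python.exe",
        "CommandLine": r"python.exe C:\tools\decode_report.py --base64"},
    # Other interpreters are out of scope for selection_img.
    "powershell_not_python": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe -c "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\'aGk=\'))"'},
}


def evaluate(events=EVENTS):
    """Map each sample name to the rule verdict (True = alert)."""
    return {name: matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'no hit'}  {name}")
```

Two things the run makes visible. First, the rule keys on the literal ' -c' token plus 'import' and 'base64' on the command line, so decoding through `python -m base64 -d` or a script file is out of scope; that is acceptable for this rule's purpose (decode-and-execute one-liners) but worth knowing when you look for coverage gaps. Second, the `benign_decode_print` case alerts exactly as the `falsepositives` entry warns, so in environments with developers or analysts on Windows hosts, tune on parent process, user or host rather than loosening the selections.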
Related rules
- Python One-Liners with Base64 Decoding - Linux
- Axios NPM Compromise Indicators - Linux
- Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
- Suspicious Usage of For Loop with Recursive Directory Search in CMD
- Suspicious Space Characters in RunMRU Registry Path - ClickFix