Merge PR #5899 from @HueCodes - new: Python Base64 Encoded Inline Command Execution

new: Python Base64 Encoded Inline Command Execution - Windows
new: Python Base64 Encoded Inline Command Execution - Linux

---------

Co-authored-by: Hugh <HueCodes@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-03T11:07:20.148927Z"
+        }
+      },
+      "EventRecordID": 125587,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-03 11:07:20.128",
+      "ProcessGuid": "0197231E-9F68-69CF-B607-000000000D00",
+      "ProcessId": 11068,
+      "Image": "C:\\Users\\xodih\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe",
+      "FileVersion": "3.14.3",
+      "Description": "Python",
+      "Product": "Python",
+      "Company": "Python Software Foundation",
+      "OriginalFileName": "python.exe",
+      "CommandLine": "\"C:\\Users\\xodih\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe\"  -c \"import base64; exec(base64.b64decode('aW1wb3J0IHN1YnByb2Nlc3M7IHN1YnByb2Nlc3MuUG9wZW4oJ2NhbGMuZXhlJyk='))\"",
+      "CurrentDirectory": "C:\\Users\\xodih\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-A4BA-69C9-53F1-010000000000",
+      "LogonId": "0x1f153",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=39FB1E3B7EE5BD0EE1300F4824990B06,SHA256=CCE21C0E8710E304273E98AC4B2B0F5ACEB639ACBCD2343CBAA5C4E81619C45B,IMPHASH=A0FAD384DB41CC8B86FA51996BB88AC7",
+      "ParentProcessGuid": "0197231E-9F67-69CF-B507-000000000D00",
+      "ParentProcessId": 5540,
+      "ParentImage": "C:\\Program Files\\WindowsApps\\PythonSoftwareFoundation.PythonManager_26.1.240.0_x64__qbz5n2kfra8p0\\python3.exe",
+      "ParentCommandLine": "python3  -c \"import base64; exec(base64.b64decode('aW1wb3J0IHN1YnByb2Nlc3M7IHN1YnByb2Nlc3MuUG9wZW4oJ2NhbGMuZXhlJyk='))\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml

@@ -0,0 +1,13 @@
+id: 0f8f39eb-751f-4100-8ca6-34ce3c3105d7
+description: N/A
+date: 2026-04-03
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
+      title: Python One-Liners with Base64 Decoding
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.evtx

rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml

@@ -0,0 +1,43 @@
+title: Python One-Liners with Base64 Decoding - Linux
+id: 55e862a8-dd9c-4651-807a-f21fcad56716
+related:
+    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
+      type: similar
+status: experimental
+description: |
+    Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
+    Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
+references:
+    - https://docs.python.org/3/library/base64.html
+    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
+    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
+author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-03-09
+tags:
+    - attack.execution
+    - attack.t1059.006
+    - attack.defense-evasion
+    - attack.t1027.010
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|contains: '/python'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'import'
+            - 'base64'
+            - ' -c'
+        CommandLine|contains:
+            - '.decode'
+            - 'b16decode'
+            - 'b32decode'
+            - 'b32hexdecode'
+            - 'b64decode'
+            - 'b85decode'
+            - 'z85decode'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
+level: high

rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution.yml

@@ -0,0 +1,45 @@
+title: Python One-Liners with Base64 Decoding
+id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
+related:
+    - id: 55e862a8-dd9c-4651-807a-f21fcad56716
+      type: similar
+status: experimental
+description: |
+    Detects Python one-liners that use base64 decoding functions in command line executions.
+    Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
+references:
+    - https://docs.python.org/3/library/base64.html
+    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
+    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
+author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-03-09
+tags:
+    - attack.execution
+    - attack.t1059.006
+    - attack.defense-evasion
+    - attack.t1027.010
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|contains: '\python'
+        - OriginalFileName|contains: 'python'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'import'
+            - 'base64'
+            - ' -c'
+        CommandLine|contains:
+            - '.decode'
+            - 'b16decode'
+            - 'b32decode'
+            - 'b32hexdecode'
+            - 'b64decode'
+            - 'b85decode'
+            - 'z85decode'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml