diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.evtx
new file mode 100644
index 000000000..b3cd3c032
Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.evtx differ
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.json b/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.json
new file mode 100644
index 000000000..9df3586f6
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.json
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-04-03T11:07:20.148927Z"
+ }
+ },
+ "EventRecordID": 125587,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 4584,
+ "ThreadID": 5116
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2026-04-03 11:07:20.128",
+ "ProcessGuid": "0197231E-9F68-69CF-B607-000000000D00",
+ "ProcessId": 11068,
+ "Image": "C:\\Users\\xodih\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe",
+ "FileVersion": "3.14.3",
+ "Description": "Python",
+ "Product": "Python",
+ "Company": "Python Software Foundation",
+ "OriginalFileName": "python.exe",
+ "CommandLine": "\"C:\\Users\\xodih\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe\" -c \"import base64; exec(base64.b64decode('aW1wb3J0IHN1YnByb2Nlc3M7IHN1YnByb2Nlc3MuUG9wZW4oJ2NhbGMuZXhlJyk='))\"",
+ "CurrentDirectory": "C:\\Users\\xodih\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-A4BA-69C9-53F1-010000000000",
+ "LogonId": "0x1f153",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "Medium",
+ "Hashes": "MD5=39FB1E3B7EE5BD0EE1300F4824990B06,SHA256=CCE21C0E8710E304273E98AC4B2B0F5ACEB639ACBCD2343CBAA5C4E81619C45B,IMPHASH=A0FAD384DB41CC8B86FA51996BB88AC7",
+ "ParentProcessGuid": "0197231E-9F67-69CF-B507-000000000D00",
+ "ParentProcessId": 5540,
+ "ParentImage": "C:\\Program Files\\WindowsApps\\PythonSoftwareFoundation.PythonManager_26.1.240.0_x64__qbz5n2kfra8p0\\python3.exe",
+ "ParentCommandLine": 
"python3 -c \"import base64; exec(base64.b64decode('aW1wb3J0IHN1YnByb2Nlc3M7IHN1YnByb2Nlc3MuUG9wZW4oJ2NhbGMuZXhlJyk='))\"",
+ "ParentUser": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml
new file mode 100644
index 000000000..3ff27b65d
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml
@@ -0,0 +1,13 @@
+id: 0f8f39eb-751f-4100-8ca6-34ce3c3105d7
+description: N/A
+date: 2026-04-03
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
+ title: Python One-Liners with Base64 Decoding
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.evtx
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml b/rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml
new file mode 100644
index 000000000..3b8ab758b
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml
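Review bot: `description: N/A` on the second line of info.yml leaves the fixture undocumented, so a reader has to open the JSON event to learn what the test actually exercises. Suggest `description: Sysmon EventID 1 for python.exe launched with -c "import base64; exec(base64.b64decode(...))"`, which is what the accompanying 50a0aa3d…json event shows. It is also worth stating there that this single positive fixture covers only the `b64decode` term and the `' -c'` form, so the other decode functions listed in the rule remain untested by the regression suite.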
@@ -0,0 +1,43 @@
+title: Python One-Liners with Base64 Decoding - Linux
+id: 55e862a8-dd9c-4651-807a-f21fcad56716
+related:
+ - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
+ type: similar
+status: experimental
+description: |
+ Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
+ Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
+references:
+ - https://docs.python.org/3/library/base64.html
+ - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
+ - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
+author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-03-09
+tags:
+ - attack.execution
+ - attack.t1059.006
+ - attack.defense-evasion
+ - attack.t1027.010
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|contains: '/python'
+ selection_cli:
+ CommandLine|contains|all:
+ - 'import'
+ - 'base64'
+ - ' -c'
+ CommandLine|contains:
+ - '.decode'
+ - 'b16decode'
+ - 'b32decode'
+ - 'b32hexdecode'
+ - 'b64decode'
+ - 'b85decode'
+ - 'z85decode'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution.yml b/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution.yml
new file mode 100644
index 000000000..e703204d5
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution.yml
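Review bot: The `'.decode'` entry under `CommandLine|contains` makes the rule fire on base64 *encoding* one-liners as well: a command such as `python3 -c "import base64; print(base64.b64encode(data).decode())"` contains `import`, `base64`, ` -c` and `.decode` although nothing is decoded, while the description and the falsepositives entry only speak of decoding. If the term is meant to catch `base64.decode()` and `base64.decodebytes()`, the narrower entries `- 'base64.decode'` and `- 'decodebytes'` express that without matching the everyday `.decode('utf-8')` idiom; if the broad match is intended, the falsepositives entry should name encode-then-`.decode()` output formatting as a known source. The Windows rule in the next hunk carries the identical list, so the same remark applies there.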
@@ -0,0 +1,45 @@
+title: Python One-Liners with Base64 Decoding
+id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
+related:
+ - id: 55e862a8-dd9c-4651-807a-f21fcad56716
+ type: similar
+status: experimental
+description: |
+ Detects Python one-liners that use base64 decoding functions in command line executions.
+ Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
+references:
+ - https://docs.python.org/3/library/base64.html
+ - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
+ - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
+author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-03-09
+tags:
+ - attack.execution
+ - attack.t1059.006
+ - attack.defense-evasion
+ - attack.t1027.010
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|contains: '\python'
+ - OriginalFileName|contains: 'python'
+ selection_cli:
+ CommandLine|contains|all:
+ - 'import'
+ - 'base64'
+ - ' -c'
+ CommandLine|contains:
+ - '.decode'
+ - 'b16decode'
+ - 'b32decode'
+ - 'b32hexdecode'
+ - 'b64decode'
+ - 'b85decode'
+ - 'z85decode'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml
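Review bot: `Image|contains: '\python'` in selection_img is wider than the title implies: with Sigma's case-insensitive substring matching it is satisfied by any directory component beginning with `python`, so every executable under a tree such as the `\AppData\Local\Python\` path in the regression fixture, or under a `C:\Python3xx\Scripts\` folder, passes this branch regardless of file name. Because `OriginalFileName|contains: 'python'` already covers renamed or version-suffixed interpreter binaries, the Image branch could be tightened to `- Image|endswith:` with `- '\python.exe'` and `- '\pythonw.exe'` without losing the fixture match. If the broad match is deliberate, say so in the description so a later cleanup does not silently narrow it.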