From c801be9f3dccde4e1d6f0eae47da5baba62814f6 Mon Sep 17 00:00:00 2001
From: HueCodes <197298026+HueCodes@users.noreply.github.com>
Date: Thu, 23 Apr 2026 05:37:28 -0700
Subject: [PATCH] Merge PR #5899 from @HueCodes - new: Python Base64 Encoded
 Inline Command Execution

new: Python Base64 Encoded Inline Command Execution - Windows
new: Python Base64 Encoded Inline Command Execution - Linux

---------

Co-authored-by: Hugh <HueCodes@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../50a0aa3d-ab16-4594-a8aa-5145a6e6792b.evtx | Bin 0 -> 69632 bytes
 .../50a0aa3d-ab16-4594-a8aa-5145a6e6792b.json |  66 ++++++++++++++++++
 .../info.yml                                  |  13 ++++
 ...on_lnx_python_base64_encoded_execution.yml |  43 ++++++++++++
 ...on_win_python_base64_encoded_execution.yml |  45 ++++++++++++
 5 files changed, 167 insertions(+)
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.evtx
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.json
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution.yml

diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..b3cd3c0321b804c165361524eea663ade554aa40
GIT binary patch
literal 69632
zcmeI0TWnlc6^7S2o*9qFp0VA;T$|vy1(Hxte81EQl|A<4W{1!Vy~xONe2LxoMr^ln
zgHTkcs`3D>D#Sw{K&TQFA>N80LP7$eikDVGm4FH=5HE#?qJSzu1)2Zf`y9{M_>$5W
zK>rz?Is3Bq+G~G%t+mh0(A;!!c5ceHUSZU54bRXj%<6)zBJaB1|M#~){;risfe46z
z2#A0Ph=2%)fCz|y2#A0Ph`^o%hUTUVGYgk2{&m08^BOhbPl2U<W-tAq`qO(V-a~-%
zJbC?3`^&`+q|7pDv%e(G-bj@9n6;t(1pbD2r`OASjCl%k@;ZPydHpq#|4!7-w&&0`
zy~UopQ2$%>C&>r4%rPJ7;@B6W@(5&$(0P4}9?IP8_4~?_<VWH^Xi820QR(PW>}kDi
z?Ehzfb2jtPPktTL27%QCulK$At#~Gu5C7r0yPJOZ%U7?xQ2))Ru@Xx4*V`9R<N|qJ
zuSwdFJz`U~U@NFUi97Xh)cM2Oq+PLjn?vU^I+8)B%|L9$mh4VDhR?E1pk)d&<0$9x
zoJGrJTSRTqrXiU}eG%=)>{0YB;Mry^_;jGuVm<ht+L(TMQ!NbE*I&h6#rw8+Z_4hm
zHE3ROGs409*Vi9}UGa|IxSF=}ZuUno*CeDaqqhrpF?PnYUrE?G7(0(nvs})C)B}+}
z9BD|{Nn3Rz(N$};75x=90<p&;iMPfp%V3?hLG*nTcZx1YHAh~{*e9W49LQ#|{8?uL
z(d81B3Ud{fN(9x`gofDD-&a*>pNhn0L23bgVXoQ|3B=q%RALvOd^u^u5aeFXIU%D^
zXt$zrYviXxR}*%x+lxz1B;<sFHKM{0;Pu^uDf<LAklR8;oGzfIq}`56961lalD4zx
zUc<gEg5xB(Q#5G}31B~u$}^G1zAsf{(pkr}0MRKJz%81DjKjkyqE8*an%T62@gU$y
zS$##2fwz=$NwFeZM*D6kq{+0zlMizl%g~l5Fepw4-}rO26`UCDm~)oISVtjOEJhKY
zxskDcXk3Be^p+K@)a%VvT5XC+f!p5s(|Y67UK7`}!=NnPWqo}fbHqvH`!7~u0au*i
zt8OB{y{BjgcGGA}<`-3w&rU#a8K20Cw53x_t=!rtdeb006S0i}<f<%P5!5+%Vlw9S
zdAMi+lH+is1!p%mt<Hi(u)cmA0?caMxW0w712qp<pm9D{!emeb6CTBQ1~zZ6YZ5JF
zJpdJP68?HVjqT*Ntim#n(CkByNX7YhdN^hGK_RtA>#DJR6^UHE9ZJ|O5QXcx8=i^-
z%daAB4VE^fIa~>pc&9Dn<S^W|x1d&MwRQ^6XQ~f5E%9k+*W$eR29*2*1D^e(?@J;W
zcqKXY2yEV*teWk9v@Kwl7r|iJnj?3eM}5J@dY0}#`s3dgel(nVYxc`;|LUENKjz|&
zC>S5!E14;L^8VcEm7e&>V7YptZ!9?T)Jy-o@7w!d$A(b~d-!t{dFt{Se4GvzC+|V0
zb{y@@i@kXA6sDhjaWR2h#Yx%we%vYM!(@<#Z?D3Fsg0Z%X0avQ=nqHZ-&>Nd#8$3=
zSRA%t78X&qIg)i-?=@F%aq2j+hS|_+Ip#<-=7S~u{~idF7G^6fP5DESJa<2`J_(oN
z!E+JzhgrDMj<ys*o2%TMXv1uBmobBo=kZ3*UfS5NFq_(ik3W1S!IX(5%vSCq%Phs<
zW2CM@Htl7*qji!`w9Y#C4XwC{djaxu7Oy8h$-->aE-UdfkrX|9*l8g#1QdyFJ7dAc
zG;=853kETUWv+@TnD$ot(cE+T8KX6_H?a}&VYbFgZM)mU&~?#8R>?b%MrqTw-dB=8
zjdg_CoIi?UPyblSf_nHU<BYE(o*45KldF$9Kfcy`R(rGp&Ka#B2hZZVr(j>4*-B?`
zm}NeNmA6GB8%iTnNJxAY;!DvoY^?W^+uC>@k}+ZLIq?xt;&F@T(HYI;j#D3DwTQ5t
z#{2c{^XuCoI!j~AqiFw4+PjlaHTdz|3wp(Y5}C{<d*eeP%)SRB62>$WB9-T(w9b_O
zILh#!jk^P7*k{woga`4w9XF2v9v76S>{0ZwjrG@1e>0M6cCVdnco}SVFQ5Eww?=El
z=T4Nn@y!?0JnC(DEj@VKSA&_ay)yf~N*HEYJB}3<ATzq*+si0lf%i_rr)E&@M=URG
zq}fr#*&^bF(K?EiufdyUoUe~Us#Kdm8-1V|)^P3)l)CV}St<_+zDL9|d6dd^?o@8X
z`Q=~3d7^WkM&yn~#5OZQ=@crrD4wh7zhJ#hu(uIJCh*+^&ditOwSxKu*v}UW(&|Iq
z6PmEYn|ku7QG#!}WX<Pcyp@jQq;JI;e*q-VVBb$8ZqK3RL68~1{#<|;oWtHtpnnA3
zv3vh2yyB$wLf=Es+ktt`xbZX4a}wiM(f$DTe-7<ycF9h_f+P6s#dxPTv2xF&r(S>l
zXS4U*2<WO7KUo{WYU!V=AU6Wv?8MCNu(OCYw&K;H9nWq&htM;C{uWnmMLU0@6|s^Y
ztfK=XdQl(1-DP*cr%u7!+c2gJ`U?0Aq1K8g$M-;Et1D4U2YR}pZwMNCFsgu-0klz9
z5gOPsgj$!gi?spVgOF&4WV@^PL#h*{4yU~pvaQg@I<39~dozM)piQ*w1fJC04=wGO
zvjfioeAB)H>I1mDTz{w2(~H`GYxVYZyV$>o*ncsK{pXS2eeC-z%`<_&AQ?;ky@I)5
z^P8j325c{n&8^Y6T`cA|jTpg9Ji+*mbJ@ngrOV}sJW3r{XCC($asz#Q44==y;~oQ-
z1@vFSFHl<AgQ#iQl2MpRe8iN;J~QI~cf8$9M7c2X|Fc9zJw!kRL_h>YKm<fU1Vlgt
zL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>Y
zKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU
z1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1Vlgt
zL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>Y
zKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU
z1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1Vlgt
fL_h>YKm<fU1VlgtL_h>YKm<fU1VrF}lEA+Ji$cf1

literal 0
HcmV?d00001

diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.json b/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.json
new file mode 100644
index 000000000..9df3586f6
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.json
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-03T11:07:20.148927Z"
+        }
+      },
+      "EventRecordID": 125587,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-03 11:07:20.128",
+      "ProcessGuid": "0197231E-9F68-69CF-B607-000000000D00",
+      "ProcessId": 11068,
+      "Image": "C:\\Users\\xodih\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe",
+      "FileVersion": "3.14.3",
+      "Description": "Python",
+      "Product": "Python",
+      "Company": "Python Software Foundation",
+      "OriginalFileName": "python.exe",
+      "CommandLine": "\"C:\\Users\\xodih\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe\"  -c \"import base64; exec(base64.b64decode('aW1wb3J0IHN1YnByb2Nlc3M7IHN1YnByb2Nlc3MuUG9wZW4oJ2NhbGMuZXhlJyk='))\"",
+      "CurrentDirectory": "C:\\Users\\xodih\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-A4BA-69C9-53F1-010000000000",
+      "LogonId": "0x1f153",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=39FB1E3B7EE5BD0EE1300F4824990B06,SHA256=CCE21C0E8710E304273E98AC4B2B0F5ACEB639ACBCD2343CBAA5C4E81619C45B,IMPHASH=A0FAD384DB41CC8B86FA51996BB88AC7",
+      "ParentProcessGuid": "0197231E-9F67-69CF-B507-000000000D00",
+      "ParentProcessId": 5540,
+      "ParentImage": "C:\\Program Files\\WindowsApps\\PythonSoftwareFoundation.PythonManager_26.1.240.0_x64__qbz5n2kfra8p0\\python3.exe",
+      "ParentCommandLine": "python3  -c \"import base64; exec(base64.b64decode('aW1wb3J0IHN1YnByb2Nlc3M7IHN1YnByb2Nlc3MuUG9wZW4oJ2NhbGMuZXhlJyk='))\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml
new file mode 100644
index 000000000..3ff27b65d
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml
@@ -0,0 +1,13 @@
+id: 0f8f39eb-751f-4100-8ca6-34ce3c3105d7
+description: N/A
+date: 2026-04-03
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
+      title: Python One-Liners with Base64 Decoding
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.evtx
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml b/rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml
new file mode 100644
index 000000000..3b8ab758b
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml
@@ -0,0 +1,43 @@
+title: Python One-Liners with Base64 Decoding - Linux
+id: 55e862a8-dd9c-4651-807a-f21fcad56716
+related:
+    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
+      type: similar
+status: experimental
+description: |
+    Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
+    Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
+references:
+    - https://docs.python.org/3/library/base64.html
+    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
+    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
+author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-03-09
+tags:
+    - attack.execution
+    - attack.t1059.006
+    - attack.defense-evasion
+    - attack.t1027.010
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|contains: '/python'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'import'
+            - 'base64'
+            - ' -c'
+        CommandLine|contains:
+            - '.decode'
+            - 'b16decode'
+            - 'b32decode'
+            - 'b32hexdecode'
+            - 'b64decode'
+            - 'b85decode'
+            - 'z85decode'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution.yml b/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution.yml
new file mode 100644
index 000000000..e703204d5
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution.yml
@@ -0,0 +1,45 @@
+title: Python One-Liners with Base64 Decoding
+id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
+related:
+    - id: 55e862a8-dd9c-4651-807a-f21fcad56716
+      type: similar
+status: experimental
+description: |
+    Detects Python one-liners that use base64 decoding functions in command line executions.
+    Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
+references:
+    - https://docs.python.org/3/library/base64.html
+    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
+    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
+author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-03-09
+tags:
+    - attack.execution
+    - attack.t1059.006
+    - attack.defense-evasion
+    - attack.t1027.010
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|contains: '\python'
+        - OriginalFileName|contains: 'python'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'import'
+            - 'base64'
+            - ' -c'
+        CommandLine|contains:
+            - '.decode'
+            - 'b16decode'
+            - 'b32decode'
+            - 'b32hexdecode'
+            - 'b64decode'
+            - 'b85decode'
+            - 'z85decode'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml