Merge PR #5899 from @HueCodes - new: Python Base64 Encoded Inline Command Execution

new: Python Base64 Encoded Inline Command Execution - Windows new: Python Base64 Encoded Inline Command Execution - Linux --------- Co-authored-by: Hugh <HueCodes@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-04-23 05:37:28 -07:00
parent fc1cf467f4
commit c801be9f3d
5 changed files with 167 additions and 0 deletions
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-03T11:07:20.148927Z"
+        }
+      },
+      "EventRecordID": 125587,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-03 11:07:20.128",
+      "ProcessGuid": "0197231E-9F68-69CF-B607-000000000D00",
+      "ProcessId": 11068,
+      "Image": "C:\\Users\\xodih\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe",
+      "FileVersion": "3.14.3",
+      "Description": "Python",
+      "Product": "Python",
+      "Company": "Python Software Foundation",
+      "OriginalFileName": "python.exe",
+      "CommandLine": "\"C:\\Users\\xodih\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe\"  -c \"import base64; exec(base64.b64decode('aW1wb3J0IHN1YnByb2Nlc3M7IHN1YnByb2Nlc3MuUG9wZW4oJ2NhbGMuZXhlJyk='))\"",
+      "CurrentDirectory": "C:\\Users\\xodih\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-A4BA-69C9-53F1-010000000000",
+      "LogonId": "0x1f153",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=39FB1E3B7EE5BD0EE1300F4824990B06,SHA256=CCE21C0E8710E304273E98AC4B2B0F5ACEB639ACBCD2343CBAA5C4E81619C45B,IMPHASH=A0FAD384DB41CC8B86FA51996BB88AC7",
+      "ParentProcessGuid": "0197231E-9F67-69CF-B507-000000000D00",
+      "ParentProcessId": 5540,
+      "ParentImage": "C:\\Program Files\\WindowsApps\\PythonSoftwareFoundation.PythonManager_26.1.240.0_x64__qbz5n2kfra8p0\\python3.exe",
+      "ParentCommandLine": "python3  -c \"import base64; exec(base64.b64decode('aW1wb3J0IHN1YnByb2Nlc3M7IHN1YnByb2Nlc3MuUG9wZW4oJ2NhbGMuZXhlJyk='))\"",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,13 @@
+id: 0f8f39eb-751f-4100-8ca6-34ce3c3105d7
+description: N/A
+date: 2026-04-03
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
+      title: Python One-Liners with Base64 Decoding
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/50a0aa3d-ab16-4594-a8aa-5145a6e6792b.evtx