
Python One-Liners with Base64 Decoding - Linux

Format: Sigma · Level: HIGH · Source: SigmaHQ
ATT&CK: T1059.006, T1027.010
Sentinel table: imProcessCreate
Tag: evasion
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-04-24T09:00:00Z · Confidence: low

Hunt Hypothesis

Detects the use of Python's base64 decoding functions in command line executions on Linux systems. Malicious scripts often use Python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.

Detection Rule

Sigma (Original)

title: Python One-Liners with Base64 Decoding - Linux
id: 55e862a8-dd9c-4651-807a-f21fcad56716
related:
    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
      type: similar
status: experimental
description: |
    Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
    Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
    - https://docs.python.org/3/library/base64.html
    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
    - attack.execution
    - attack.t1059.006
    - attack.defense-evasion
    - attack.t1027.010
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|contains: '/python'
    selection_cli:
        CommandLine|contains|all:
            - 'import'
            - 'base64'
            - ' -c'
        CommandLine|contains:
            - '.decode'
            - 'b16decode'
            - 'b32decode'
            - 'b32hexdecode'
            - 'b64decode'
            - 'b85decode'
            - 'z85decode'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName contains "/python" and ((TargetProcessCommandLine contains "import" and TargetProcessCommandLine contains "base64" and TargetProcessCommandLine contains " -c") and (TargetProcessCommandLine contains ".decode" or TargetProcessCommandLine contains "b16decode" or TargetProcessCommandLine contains "b32decode" or TargetProcessCommandLine contains "b32hexdecode" or TargetProcessCommandLine contains "b64decode" or TargetProcessCommandLine contains "b85decode" or TargetProcessCommandLine contains "z85decode"))
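To see exactly which command lines the rule flags and which it leaves alone, here is an added example (written for this page, not code from the SigmaHQ rule or the feed) that implements the `all of selection_*` logic above in Python and runs it over a handful of constructed process-creation events. The `ProcessEvent` class, the sample events and the `triage` helper are assumptions of the example; the match terms are copied from the rule. Matching is done on lower-cased text because both Sigma string modifiers and KQL `contains` are case-insensitive.

```python
# Added example (not from the SigmaHQ rule or the feed page): apply the
# rule's selection logic to constructed process_creation events so an
# analyst can check what fires before deploying the rule.
from dataclasses import dataclass

# Match terms copied from the Sigma rule.
IMAGE_TERM = "/python"
CLI_ALL = ("import", "base64", " -c")
CLI_ANY = (".decode", "b16decode", "b32decode", "b32hexdecode",
           "b64decode", "b85decode", "z85decode")


@dataclass
class ProcessEvent:
    """Minimal process_creation record (constructed, not a real log format)."""
    image: str
    command_line: str


def matches(event: ProcessEvent) -> bool:
    """Return True when the event satisfies `condition: all of selection_*`.

    Sigma `contains` is case-insensitive by default and so is KQL `contains`,
    hence the lower-casing before comparison.
    """
    image = event.image.lower()
    cli = event.command_line.lower()
    selection_img = IMAGE_TERM in image
    selection_cli = all(t in cli for t in CLI_ALL) and any(t in cli for t in CLI_ANY)
    return selection_img and selection_cli


# Constructed sample events: two that should fire, three that should not.
SAMPLE_EVENTS = [
    # Decodes a harmless literal via -c: fires (import, base64, ' -c', '.decode').
    ProcessEvent("/usr/bin/python3",
                 "python3 -c \"import base64; print(base64.b64decode('aGVsbG8=').decode())\""),
    # Mixed-case install path and b32decode: fires, matching is case-insensitive.
    ProcessEvent("/opt/Python-3.12/bin/python3",
                 "python3 -c 'import base64; print(base64.b32decode(b\"NBSWY3DP\"))'"),
    # Same module, but run from a script file (no ' -c'): does not fire.
    ProcessEvent("/usr/bin/python3", "python3 decode_report.py"),
    # Encoding rather than decoding: no term from CLI_ANY, does not fire.
    ProcessEvent("/usr/bin/python3",
                 "python3 -c \"import base64; print(base64.b64encode(b'hi'))\""),
    # Not a Python image: does not fire regardless of the command line.
    ProcessEvent("/usr/bin/perl",
                 "perl -MMIME::Base64 -e 'print decode_base64(\"aGk=\")'"),
]


def triage(events):
    """Return the command lines of the events the rule would flag, in order."""
    return [e.command_line for e in events if matches(e)]


if __name__ == "__main__":
    for cli in triage(SAMPLE_EVENTS):
        print("ALERT:", cli)
```

The third and fourth samples show the two most common reasons a Python base64 invocation does not alert: the code lives in a file rather than a `-c` argument, or it only encodes. Both are worth knowing when tuning the rule against the false positives listed above.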

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled

False Positive Guidance

Legitimate use of Python for decoding data. This is uncommon in typical enterprise environments but possible in development or data analysis contexts; tune by excluding known development hosts or users if those generate alerts.

MITRE ATT&CK Context

Execution: T1059.006 (Command and Scripting Interpreter: Python)
Defense Evasion: T1027.010 (Obfuscated Files or Information: Command Obfuscation)
References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml