EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Python One-Liners with Base64 Decoding

Detects Python one-liners that use base64 decoding functions in command line executions. Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.

MITRE ATT&CK

T1059.006T1027.010
executiondefense-evasion

Detection Query

selection_img:
  - Image|contains: \python
  - OriginalFileName|contains: python
selection_cli:
  CommandLine|contains|all:
    - import
    - base64
    - " -c"
  CommandLine|contains:
    - .decode
    - b16decode
    - b32decode
    - b32hexdecode
    - b64decode
    - b85decode
    - z85decode
condition: all of selection_*

Author

Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2026-03-09

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.executionattack.t1059.006attack.defense-evasionattack.t1027.010
Raw Content
title: Python One-Liners with Base64 Decoding
id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
related:
    - id: 55e862a8-dd9c-4651-807a-f21fcad56716
      type: similar
status: experimental
description: |
    Detects Python one-liners that use base64 decoding functions in command line executions.
    Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
    - https://docs.python.org/3/library/base64.html
    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
    - attack.execution
    - attack.t1059.006
    - attack.defense-evasion
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\python'
        - OriginalFileName|contains: 'python'
    selection_cli:
        CommandLine|contains|all:
            - 'import'
            - 'base64'
            - ' -c'
        CommandLine|contains:
            - '.decode'
            - 'b16decode'
            - 'b32decode'
            - 'b32hexdecode'
            - 'b64decode'
            - 'b85decode'
            - 'z85decode'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml