Python One-Liners with Base64 Decoding - Linux

Original Source: [Sigma source]
Title: Python One-Liners with Base64 Decoding - Linux
Status: experimental
Description: Detects the use of Python's base64 decoding functions in command line executions on Linux systems. Malicious scripts often use Python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
References:
  - https://docs.python.org/3/library/base64.html
  - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
  - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
Author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2026-03-09
Modified: None
Tags:
  - attack.execution
  - attack.t1059.006
  - attack.defense-evasion
  - attack.t1027.010
Logsource:
  - category: process_creation
  - product: linux
Detection:
  selection_img:
    Image|contains: '/python'
  selection_cli:
    CommandLine|contains|all:
      - 'import'
      - 'base64'
      - ' -c'
    CommandLine|contains:
      - '.decode'
      - 'b16decode'
      - 'b32decode'
      - 'b32hexdecode'
      - 'b64decode'
      - 'b85decode'
      - 'z85decode'
  condition: all of selection_*
Falsepositives:
  - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
Level: high
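To make the matching logic concrete, the following is an added example (not part of the Sigma rule or its authors' material) that re-implements the detection above in plain Python and runs it over a handful of constructed process-creation events. Field names `image` and `command_line` stand in for the rule's `Image` and `CommandLine`; the sample command lines, paths and the base64 payload (`aGVsbG8=`, which is just "hello") are constructed for the demonstration. Matching is done case-insensitively, which is how Sigma's `contains` modifier behaves unless `cased` is added.

```python
"""Reference matcher for the 'Python One-Liners with Base64 Decoding' rule.

Added example: mirrors selection_img, selection_cli and the condition
'all of selection_*' over constructed process_creation events.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Image|contains
IMAGE_SUBSTRINGS = ("/python",)
# CommandLine|contains|all
CLI_ALL = ("import", "base64", " -c")
# CommandLine|contains (any one of these)
CLI_ANY = (
    ".decode", "b16decode", "b32decode", "b32hexdecode",
    "b64decode", "b85decode", "z85decode",
)


@dataclass
class ProcessEvent:
    """Minimal stand-in for a Linux process_creation log record."""
    image: str          # maps to the Sigma field Image
    command_line: str   # maps to the Sigma field CommandLine


def _contains(haystack: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive by default.
    return needle.lower() in haystack.lower()


def selection_img(event: ProcessEvent) -> bool:
    return any(_contains(event.image, s) for s in IMAGE_SUBSTRINGS)


def selection_cli(event: ProcessEvent) -> bool:
    # Both lists under selection_cli must hold: 'all' of CLI_ALL and
    # at least one of CLI_ANY.
    has_all = all(_contains(event.command_line, s) for s in CLI_ALL)
    has_any = any(_contains(event.command_line, s) for s in CLI_ANY)
    return has_all and has_any


def matches_rule(event: ProcessEvent) -> bool:
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[ProcessEvent] = [
    # 1. One-liner decoding base64 inline: should match.
    ProcessEvent(
        "/usr/bin/python3",
        "python3 -c \"import base64;print(base64.b64decode('aGVsbG8='))\"",
    ),
    # 2. Ordinary script execution: no '-c', no base64.
    ProcessEvent("/usr/bin/python3", "python3 /opt/app/manage.py migrate"),
    # 3. Inline one-liner without any base64 decoding: should not match.
    ProcessEvent(
        "/usr/bin/python3",
        "python3 -c \"import json;print(json.dumps({'a': 1}))\"",
    ),
    # 4. All command-line strings present but the image is not Python:
    #    selection_img fails, so the rule does not fire.
    ProcessEvent(
        "/usr/bin/grep",
        "grep -c 'import base64 b64decode' /home/dev/notes.txt",
    ),
]


def run_detection(events: Iterable[ProcessEvent] = SAMPLE_EVENTS) -> List[str]:
    """Return the command lines of every event that triggers the rule."""
    return [e.command_line for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection():
        print("ALERT (level: high):", hit)
```

Event 4 shows why the rule is built from two selections rather than one: a `grep -c` over a text file carries every required command-line substring, and only the `Image` check keeps it from alerting. Conversely, event 3 is the shape of the false positive named above (a developer one-liner) and stays silent because no decode function is present.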