LoFP / legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.

Techniques

Sample rules

Python One-Liners with Base64 Decoding - Linux

Description

Detects the use of Python's base64 decoding functions in command line executions on Linux systems. Malicious scripts often use Python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - .decode
  - b16decode
  - b32decode
  - b32hexdecode
  - b64decode
  - b85decode
  - z85decode
  CommandLine|contains|all:
  - import
  - base64
  - ' -c'
selection_img:
  Image|contains: /python

Python One-Liners with Base64 Decoding

Description

Detects Python one-liners that use base64 decoding functions in command line executions. Malicious scripts or attackers often use Python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - .decode
  - b16decode
  - b32decode
  - b32hexdecode
  - b64decode
  - b85decode
  - z85decode
  CommandLine|contains|all:
  - import
  - base64
  - ' -c'
selection_img:
- Image|contains: \python
- OriginalFileName|contains: python
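The two rules above share one selection_cli and differ only in selection_img, so a single evaluator shows how each behaves against the false positive this entry describes. This is an added example, not LoFP's or Sigma's own code: it assumes the event field names used in the rules, Sigma's case-insensitive substring semantics for the contains modifier, and constructed, benign sample events.

```python
# Added example (not LoFP's or Sigma's code): evaluates both rules over
# constructed process-creation events so a legitimate data-decoding hit
# (the false positive) sits next to Python invocations that do not match.

# Token lists copied from the rules' selection_cli.
DECODE_FUNCS = [".decode", "b16decode", "b32decode", "b32hexdecode",
                "b64decode", "b85decode", "z85decode"]
ONE_LINER_PARTS = ["import", "base64", " -c"]


def _contains_any(value: str, needles) -> bool:
    """Sigma '|contains' with a list: case-insensitive, any needle matches."""
    return any(n.lower() in value.lower() for n in needles)


def _contains_all(value: str, needles) -> bool:
    """Sigma '|contains|all': every needle must be a substring."""
    return all(n.lower() in value.lower() for n in needles)


def selection_cli(event: dict) -> bool:
    cli = event.get("CommandLine", "")
    return _contains_any(cli, DECODE_FUNCS) and _contains_all(cli, ONE_LINER_PARTS)


def matches_linux(event: dict) -> bool:
    """Linux rule: selection_cli AND Image contains '/python'."""
    return selection_cli(event) and "/python" in event.get("Image", "").lower()


def matches_generic(event: dict) -> bool:
    """Second rule: selection_img is a YAML list, so its two entries are OR'ed."""
    img_ok = ("\\python" in event.get("Image", "").lower()
              or "python" in event.get("OriginalFileName", "").lower())
    return selection_cli(event) and img_ok


# Constructed sample events (hypothetical hosts; benign command lines).
SAMPLE_EVENTS = [
    {"id": "dev-decode", "Image": "/usr/bin/python3",          # the false positive
     "CommandLine": "python3 -c \"import base64;print(base64.b64decode('aGVsbG8=').decode())\""},
    {"id": "script-run", "Image": "/usr/bin/python3",          # no decode token, no -c
     "CommandLine": "python3 etl/load.py --input data.csv"},
    {"id": "hex-only", "Image": "/usr/bin/python3",            # .decode but no 'import base64'
     "CommandLine": "python3 -c \"print(bytes.fromhex('41').decode())\""},
    {"id": "win-python", "Image": "C:\\Python311\\python.exe", "OriginalFileName": "python.exe",
     "CommandLine": "python.exe -c \"import base64;print(base64.b32decode('JBSWY3DP'))\""},
    {"id": "win-renamed", "Image": "C:\\Tools\\py.exe", "OriginalFileName": "python.exe",
     "CommandLine": "py.exe -c \"import base64;print(base64.b85decode('Xk~0{Zv'))\""},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return (id, linux_hit, generic_hit) per event for triage review."""
    return [(e["id"], matches_linux(e), matches_generic(e)) for e in events]
```

The "win-renamed" event shows why the second rule also checks OriginalFileName: the interpreter binary was renamed, so the Image check alone would miss it.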