Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,711

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 3.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Python One-Liners with Base64 Decoding - Linux

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Python One-Liners with Base64 Decoding - Linux

Using Splunk · Default · sigma-cli 3.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion3.0.2
title: Python One-Liners with Base64 Decoding - Linux
id: 55e862a8-dd9c-4651-807a-f21fcad56716
related:
    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
      type: similar
status: experimental
description: |
    Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
    Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
    - https://docs.python.org/3/library/base64.html
    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
    - attack.execution
    - attack.t1059.006
    - attack.defense-evasion
    - attack.t1027.010
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|contains: '/python'
    selection_cli:
        CommandLine|contains|all:
            - 'import'
            - 'base64'
            - ' -c'
        CommandLine|contains:
            - '.decode'
            - 'b16decode'
            - 'b32decode'
            - 'b32hexdecode'
            - 'b64decode'
            - 'b85decode'
            - 'z85decode'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/linux/process_creation/proc_creation_lnx_python_base64_encoded_execution.yml