
Summary
Detects Linux Python one-liners that decode and execute base64-encoded payloads: Python invoked with the -c option, importing the base64 module and calling a base64-family decoding function to produce the code that is then executed. The rule applies three gated checks: (1) the process image path contains /python (selection_img), indicating a Python interpreter; (2) the command line contains both the Python inline-execution elements “import” and “ -c” and base64-related usage (selection_cli); and (3) the command line contains one of the decoding calls .decode, b16decode, b32decode, b32hexdecode, b64decode, b85decode or z85decode. All three conditions must hold for a match. The pattern corresponds to executing obfuscated code via Python (MITRE ATT&CK T1059.006) and evading detection through on-the-fly base64 decoding (T1027.010). The detection falls under Linux process creation, with emphasis on command-line analysis of Python-based execution. False positives include legitimate Python use for data processing or configuration tasks that decode data, typically in development or data-analysis contexts. By correlating process creation with Python base64 decoding workflows, the rule supports proactive detection of payload delivery via obfuscated one-liners and enables rapid response.
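The three gated checks above, implemented as an added reference example (not the rule's own logic or detection-engine code) and run over constructed process-creation events; plain case-sensitive substring matching and the field names Image and CommandLine are assumptions.

```python
# Added example: the rule's three checks as substring tests (an assumption
# about matching semantics), evaluated over constructed sample events.

DECODE_CALLS = (
    ".decode", "b16decode", "b32decode", "b32hexdecode",
    "b64decode", "b85decode", "z85decode",
)

def selection_img(image: str) -> bool:
    """Check (1): the process image path points at a Python interpreter."""
    return "/python" in image

def selection_cli(cmdline: str) -> bool:
    """Check (2): inline code (' -c') that imports and uses base64."""
    return " -c" in cmdline and "import" in cmdline and "base64" in cmdline

def selection_decode(cmdline: str) -> bool:
    """Check (3): at least one base64-family decode call is present."""
    return any(call in cmdline for call in DECODE_CALLS)

def evaluate(event: dict) -> dict:
    """Return each check's result plus the AND-gated verdict."""
    img = selection_img(event["Image"])
    cli = selection_cli(event["CommandLine"])
    dec = selection_decode(event["CommandLine"])
    return {"img": img, "cli": cli, "decode": dec, "match": img and cli and dec}

# Constructed sample events (not real telemetry); the encoded string in the
# first event decodes to a harmless print('hi'). The last event is the kind
# of legitimate data-processing one-liner the summary lists as a false positive.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c \"import base64;exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\""},
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 manage.py migrate"},
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c \"import base64;print(base64.b64encode(b'data'))\""},
    {"Image": "/usr/bin/perl",
     "CommandLine": "perl -e 'use MIME::Base64; print decode_base64($ARGV[0])'"},
    {"Image": "/usr/local/bin/python3.11",
     "CommandLine": "python3.11 -c \"import base64,sys;sys.stdout.write(base64.b32decode(sys.stdin.read()).decode())\""},
]

def matching_indices(events):
    """Indices of events on which all three checks fire."""
    return [i for i, e in enumerate(events) if evaluate(e)["match"]]

if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        print(i, evaluate(e))
```

Only events 0 and 4 match; event 2 passes the image and command-line checks but fails the decode-call check, which is what keeps pure encoding one-liners out of the alert stream.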
Categories
- Linux
Data Sources
- Process
- Command
- Script
Created: 2026-03-09