
Python One-Liners with Base64 Decoding


Summary
This rule detects Windows process creation events where Python one-liners decode and execute base64-encoded payloads. Attackers often invoke Python with short -c commands that import base64 and call a decode function to reconstruct a payload at runtime, a common obfuscation and evasion technique.

The detection looks for Python processes (image path or original file name containing "python") and a command line that contains both Python base64 usage and a decode function. The rule therefore uses two data signals: a process image or original file name that matches Python, and a command line that includes base64 usage together with one of the common decoding calls (b16decode, b32decode, b32hexdecode, b64decode, b85decode, z85decode). It is labeled high severity and maps to MITRE ATT&CK techniques T1059.006 (Python) and T1027.010 (Obfuscated/Compressed Files).

This helps identify attempts to decode and execute payloads at runtime, a frequent tactic in malware delivery and defense bypass. However, legitimate uses of Python for decoding data can generate false positives in development or data-analysis contexts; combining the image/name heuristic with the command-line pattern reduces that noise. Regression tests and rule file references are provided in the rule metadata for validation.
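The two signals described above, reproduced as plain Python over a handful of constructed process-creation events. This is an added illustration, not the rule file itself or code from the Sigma project; the event field names (image, original_file_name, command_line) and the sample events are assumptions chosen to mirror typical Sysmon-style telemetry, and the decode-function list is the one the summary quotes.

```python
"""Replicate the rule's two signals (Python process + base64 decode call) over constructed events."""
from dataclasses import dataclass
from typing import List, Optional

# Decode functions named in the rule summary (all from Python's base64 module).
DECODE_CALLS = (
    "b16decode", "b32decode", "b32hexdecode",
    "b64decode", "b85decode", "z85decode",
)


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal stand-in for a process-creation event; field names are assumed, not the rule's."""
    image: str
    original_file_name: str
    command_line: str


def is_python_process(ev: ProcessCreate) -> bool:
    """Signal 1: image path OR OriginalFileName contains 'python' (case-insensitive, like Sigma's contains)."""
    return "python" in ev.image.lower() or "python" in ev.original_file_name.lower()


def decode_calls_in(command_line: str) -> List[str]:
    """Which of the rule's decode functions appear in the command line (case-insensitive)."""
    cl = command_line.lower()
    return [name for name in DECODE_CALLS if name in cl]


def match_rule(ev: ProcessCreate) -> Optional[dict]:
    """Signal 2 on top of signal 1: command line must mention base64 AND at least one decode call.
    Returns match details for triage, or None when the event does not satisfy the rule."""
    if not is_python_process(ev):
        return None
    if "base64" not in ev.command_line.lower():
        return None
    calls = decode_calls_in(ev.command_line)
    if not calls:
        return None
    return {"image": ev.image, "decode_calls": calls}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Classic one-liner: import base64 and decode inline -> both signals fire.
    ProcessCreate(
        image=r"C:\Python311\python.exe",
        original_file_name="python.exe",
        command_line='python.exe -c "import base64;exec(base64.b64decode(\'cHJpbnQoMSk=\'))"',
    ),
    # Renamed interpreter: image path hides it, but OriginalFileName still says python.
    ProcessCreate(
        image=r"C:\Users\dev\AppData\Local\Temp\svc.exe",
        original_file_name="python.exe",
        command_line='svc.exe -c "from base64 import b32decode;exec(b32decode(b\'MFRGG===\'))"',
    ),
    # Python, but no base64 usage in the command line -> no match (typical dev activity).
    ProcessCreate(
        image=r"C:\Python311\python.exe",
        original_file_name="python.exe",
        command_line="python.exe build.py --release",
    ),
    # Not a Python process at all, even though the command line mentions base64/b64decode.
    ProcessCreate(
        image=r"C:\Windows\System32\notepad.exe",
        original_file_name="NOTEPAD.EXE",
        command_line=r"notepad.exe C:\notes\base64_b64decode_howto.txt",
    ),
]


def run(events=SAMPLE_EVENTS) -> List[dict]:
    """Evaluate the rule over a list of events and return only the matches."""
    return [m for m in (match_rule(e) for e in events) if m]


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The third sample event is worth keeping in mind when tuning: a developer who runs `python -c "import base64; ..."` to inspect encoded data will satisfy both signals exactly as the malicious one-liner does, which is the false-positive class the summary calls out. Allow-listing by parent process or user, rather than loosening the decode-function list, keeps the rule's coverage intact.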
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Image
  • Command
Created: 2026-03-09