ROT Encoded Python Script Execution

Identifies the execution of a Python script that uses the ROT cipher for letter substitution. Adversaries may use this method to encode and obfuscate part of their malicious code in legitimate Python packages.

Elastic rule (View on GitHub)

# Rule lifecycle metadata. Dates are kept as strings in the repository's YYYY/MM/DD form.
[metadata]
creation_date = "2024/09/17"
# Data comes from the Elastic Defend (endpoint) integration; see the index patterns under [rule].
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/17"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of a Python script that uses the ROT cipher for letters substitution. Adversaries may
use this method to encode and obfuscate part of their malicious code in legit python packages.
"""
# Look-back window for each rule execution; the sequence maxspan below (1m) should fit inside it.
from = "now-9m"
# Both streams are required: step 1 of the sequence is a process event, step 2 a file event.
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "ROT Encoded Python Script Execution"
# Public write-ups of the campaign this rule was derived from.
references = [
    "https://www.elastic.co/security-labs/dprk-code-of-conduct",
    "https://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages"
]
# 47 is at the upper edge of Elastic's "medium" severity band; keep the two fields in step if either changes.
risk_score = 47
rule_id = "5ab49127-b1b3-46e6-8a38-9e8512a2a363"
severity = "medium"
# The OS tags mirror the host.os.type filter in the query (Linux is intentionally not covered).
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
]
type = "eql"

# Two-step sequence, joined on process.entity_id (the same process instance), within one minute:
#   1. a process start whose name begins with "python" (":" is a case-insensitive wildcard match);
#   2. a non-deletion file event by that same process on a compiled module named rot_<two chars>
#      (e.g. rot_13) -- the cpython-*.pyc artifact produced when such a module is imported.
# Coverage notes (review): step 2 only fires if a .pyc for the module is actually written -- confirm
# this holds for the environments in scope; and process.name : "python*" will not match interpreters
# that run under a different executable name.
query = '''
sequence by process.entity_id with maxspan=1m
 [process where host.os.type in ("windows", "macos") and event.type == "start" and process.name : "python*"]
 [file where host.os.type in ("windows", "macos") and
  event.action != "deletion" and process.name : "python*" and file.name : "rot_??.cpython-*.pyc*"]
'''


# MITRE ATT&CK mapping. Both techniques (and the T1027.013 sub-technique) sit under the single
# Defense Evasion tactic declared at the end of this [[rule.threat]] element.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"
[[rule.threat.technique.subtechnique]]
id = "T1027.013"
name = "Encrypted/Encoded File"
reference = "https://attack.mitre.org/techniques/T1027/013/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

References

Related rules
