Python Script Execution via Command Line
Identifies when a Python script is executed using command line input and imports the sys module. Attackers often use this method to execute malicious scripts while avoiding writing them to disk.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/01/13"
integration = ["endpoint"]
maturity = "development"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when a Python script is executed using command line input and imports the sys module. Attackers often use
this method to execute malicious scripts and avoiding writing it to disk.
"""
false_positives = ["Legitimate Python scripting activity."]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Python Script Execution via Command Line"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 47
rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type in ("start", "process_started") and
  process.name : "python*" and process.args : "-c" and process.args : "*import*sys*"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
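To make the query's matching behaviour concrete, here is an added example (not Elastic's code) that emulates the rule's three EQL conditions in Python and runs them over constructed process events. It mirrors the semantics of the EQL `:` operator (case-insensitive comparison, `*` as a wildcard, and a match on an array field such as `process.args` succeeding if any element matches); the events and field names are assumptions modelled on ECS, not real telemetry.

```python
import re

# Emulation of the rule's EQL query so its match conditions can be exercised
# against constructed events. The ':' operator is modelled as case-insensitive
# wildcard matching; on array fields any single element may satisfy it.

def eql_match(value: str, pattern: str) -> bool:
    """Case-insensitive match where '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None

def rule_matches(event: dict) -> bool:
    """process where event.type in ("start", "process_started") and
    process.name : "python*" and process.args : "-c" and process.args : "*import*sys*"
    """
    if event.get("event.category") != "process":
        return False
    types = event.get("event.type", [])
    types = [types] if isinstance(types, str) else types
    if not any(t in ("start", "process_started") for t in types):
        return False
    args = event.get("process.args", [])
    return (eql_match(event.get("process.name", ""), "python*")
            and any(eql_match(a, "-c") for a in args)
            and any(eql_match(a, "*import*sys*") for a in args))

# Constructed sample events (hypothetical, not captured telemetry).
SAMPLE_EVENTS = [
    {"event.category": "process", "event.type": ["start"], "process.name": "python3",
     "process.args": ["python3", "-c", "import sys; print(sys.version)"]},      # match
    {"event.category": "process", "event.type": ["start"], "process.name": "python3",
     "process.args": ["python3", "script.py"]},                                 # no "-c"
    {"event.category": "process", "event.type": ["start"], "process.name": "python",
     "process.args": ["python", "-c", "import os; print(os.getcwd())"]},        # no "sys"
    # Blind spot: "sys" precedes "import", so "*import*sys*" does not match.
    {"event.category": "process", "event.type": ["start"], "process.name": "python3",
     "process.args": ["python3", "-c", "from sys import argv"]},
    # Case-insensitive: upper-case name and code still match.
    {"event.category": "process", "event.type": "process_started", "process.name": "PYTHON.EXE",
     "process.args": ["PYTHON.EXE", "-c", "IMPORT SYS"]},
    # Process exit rather than start: excluded by the event.type filter.
    {"event.category": "process", "event.type": ["end"], "process.name": "python3",
     "process.args": ["python3", "-c", "import sys"]},
]

def evaluate(events=SAMPLE_EVENTS):
    """Return one boolean per event: whether the rule would fire on it."""
    return [rule_matches(e) for e in events]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("MATCH" if hit else "-----", " ".join(event["process.args"]))
```

The fourth event shows the ordering assumption baked into `"*import*sys*"`: `from sys import argv` loads the same module but is not caught, which is worth keeping in mind when tuning or extending this rule.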
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested,
and the default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline that populates event.ingested
from @timestamp for this rule to work.
Related rules
- EggShell Backdoor Execution
- Elastic Agent Service Terminated
- Hosts File Modified
- Potential Cookies Theft via Browser Debugging
- Potential JAVA/JNDI Exploitation Attempt