Python Script Execution via Command Line

Identifies when a Python script is executed using command line input and imports the sys module. Attackers often use this method to execute malicious scripts and avoid writing them to disk.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/01/13"
integration = ["endpoint"]
maturity = "development"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"

[rule]
author = ["Elastic"]
description = """
Identifies when a Python script is executed using command line input and imports the sys module. Attackers often use
this method to execute malicious scripts and avoid writing them to disk.
"""
false_positives = ["Legitimate Python scripting activity."]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Python Script Execution via Command Line"
risk_score = 47
rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer to https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type in ("start", "process_started") and
 process.name : "python*" and process.args : "-c" and process.args : "*import*sys*"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
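To see what the EQL query above actually fires on, here is an added example (not Elastic's code) that re-implements the rule's predicate in Python and runs it over a few constructed ECS-style process events. It emulates EQL's `:` operator (case-insensitive, `*` wildcard, true if any element of an array field matches) and `in` (any element equal to a listed value); the first sample is the benign `import sys; print(sys.version)` case the rule lists as a false positive, which still matches.

```python
import fnmatch

# Constructed ECS-style process events (not real telemetry). process.args is the
# argv array as Elastic Defend / auditbeat record it; event.type is an array in ECS.
SAMPLE_EVENTS = [
    {"event": {"type": ["start"]},
     "process": {"name": "python3", "args": ["python3", "-c", "import sys; print(sys.version)"]}},
    {"event": {"type": ["start"]},
     "process": {"name": "python3", "args": ["python3", "backup.py"]}},
    {"event": {"type": ["end"]},
     "process": {"name": "python", "args": ["python", "-c", "import sys"]}},
    {"event": {"type": ["start"]},
     "process": {"name": "Python.exe", "args": ["Python.exe", "-c", "import os, SYS"]}},
]

def as_list(value):
    return value if isinstance(value, list) else [value]

def eql_wildcard(value, pattern):
    """EQL `field : "pattern"`: case-insensitive, `*` wildcard, any array element may match."""
    return any(fnmatch.fnmatchcase(str(v).lower(), pattern.lower()) for v in as_list(value))

def eql_in(value, choices):
    """EQL `field in (...)`: true if any array element equals one of the listed values."""
    return any(v in choices for v in as_list(value))

def matches_rule(event):
    """The rule's query: python* process start with a -c argument whose code imports sys."""
    proc = event.get("process", {})
    return (eql_in(event.get("event", {}).get("type", []), ("start", "process_started"))
            and eql_wildcard(proc.get("name", ""), "python*")
            and eql_wildcard(proc.get("args", []), "-c")
            and eql_wildcard(proc.get("args", []), "*import*sys*"))

def scan(events):
    """Return the indices of the events that would generate an alert."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # [0, 3]
```

Event 1 is skipped because the script was run from a file (no `-c`), and event 2 because only process start events are considered; event 3 shows the matching is case-insensitive on both the binary name and the inline code.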
