Python Spawning Pretty TTY Via PTY Module
Detects a Python process calling the PTY module to spawn a pretty TTY, which could be indicative of reverse shell activity.
Sigma rule:
```yaml
title: Python Spawning Pretty TTY Via PTY Module
id: c4042d54-110d-45dd-a0e1-05c47822c937
related:
    - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
      type: similar
status: test
description: |
    Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
modified: 2024-11-04
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        - Image|endswith:
              - '/python'
              - '/python2'
              - '/python3'
        - Image|contains:
              - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
              - '/python3.'
    selection_cli_import:
        CommandLine|contains:
            - 'import pty'
            - 'from pty '
    selection_cli_spawn:
        CommandLine|contains: 'spawn'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
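As an added example that is not part of the rule or of SigmaHQ, the following Python mirrors the rule's three selections and its `all of selection_*` condition over constructed Linux process_creation events (the `ProcessEvent` type and the sample events are assumptions made here). Sigma string matching is case-insensitive by default, so both sides are lower-cased before comparison.

```python
# Added example (not part of the Sigma rule or SigmaHQ): evaluates the rule's
# selections against constructed process_creation events.
from dataclasses import dataclass

# Patterns copied from the rule's detection section.
PYTHON_SUFFIXES = ("/python", "/python2", "/python3")      # Image|endswith
PYTHON_VERSIONED = ("/python2.", "/python3.")              # Image|contains
IMPORT_PATTERNS = ("import pty", "from pty ")              # CommandLine|contains
SPAWN_PATTERN = "spawn"                                    # CommandLine|contains


@dataclass
class ProcessEvent:
    """Constructed stand-in for a Linux process_creation log record."""
    image: str
    command_line: str


def selection_img(ev: ProcessEvent) -> bool:
    # Either list item of selection_img may match (a YAML list is OR-ed).
    image = ev.image.lower()
    return image.endswith(PYTHON_SUFFIXES) or any(p in image for p in PYTHON_VERSIONED)


def selection_cli_import(ev: ProcessEvent) -> bool:
    cli = ev.command_line.lower()
    return any(p in cli for p in IMPORT_PATTERNS)


def selection_cli_spawn(ev: ProcessEvent) -> bool:
    return SPAWN_PATTERN in ev.command_line.lower()


def matches(ev: ProcessEvent) -> bool:
    # condition: all of selection_*
    return selection_img(ev) and selection_cli_import(ev) and selection_cli_spawn(ev)


def run_rule(events: list[ProcessEvent]) -> list[int]:
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


# Constructed sample events; only the first two should alert.
SAMPLE_EVENTS = [
    # versioned image: only the Image|contains branch covers '/python3.10'
    ProcessEvent("/usr/bin/python3.10", "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"),
    ProcessEvent("/usr/bin/python3", "python3 -c 'from pty import spawn; spawn(\"/bin/sh\")'"),
    ProcessEvent("/usr/bin/python3", "python3 -c 'import pty; print(pty.__doc__)'"),  # no spawn
    ProcessEvent("/usr/bin/perl", "perl -e 'use IO::Pty; spawn'"),                  # not python
    ProcessEvent("/usr/bin/python3", "python3 manage.py runserver"),                  # benign
]
```

Running `run_rule(SAMPLE_EVENTS)` yields `[0, 1]`; the third event shows why the rule requires all three selections rather than the import alone.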
Related rules
- Suspicious Greedy Compression Using Rar.EXE
- Add Potential Suspicious New Download Source To Winget
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- Elevated System Shell Spawned From Uncommon Parent Location