Python Spawning Pretty TTY

Detects python spawning a pretty tty which could be indicative of potential reverse shell activity

Sigma rule

title: Python Spawning Pretty TTY
id: c4042d54-110d-45dd-a0e1-05c47822c937
related:
    - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
      type: similar
status: experimental
description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022/06/03
modified: 2023/06/16
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        - Image|endswith:
              - '/python'
              - '/python2'
              - '/python3'
        - Image|contains:
              - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink
              - '/python3.'
    selection_cli_1:
        CommandLine|contains|all:
            - 'import pty'
            - '.spawn('
    selection_cli_2:
        CommandLine|contains: 'from pty import spawn'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Unknown
level: high
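To see how the two selections and the condition above combine, here is an added Python example (written for this page, not code from the Sigma project) that re-implements the rule's matching logic and runs it over a handful of constructed process_creation events. The event dicts and their Image/CommandLine values are made up for illustration; string matching is done case-insensitively, which is Sigma's default for `contains` and `endswith`.

```python
# Constructed Linux process_creation events (not real logs). Field names
# follow the Sigma rule: 'Image' is the executable path, 'CommandLine' the
# full command line of the new process.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/python3.10",
     "CommandLine": "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c 'from pty import spawn; spawn(\"/bin/sh\")'"},
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 manage.py runserver"},          # benign python
    {"Image": "/usr/bin/perl",
     "CommandLine": "perl -e 'use IO::Pty;'"},               # not python at all
    {"Image": "/usr/bin/python2.7",
     "CommandLine": "python2.7 -c 'import os; os.system(\"id\")'"},  # no pty
]

IMAGE_SUFFIXES = ("/python", "/python2", "/python3")   # Image|endswith
IMAGE_SUBSTRINGS = ("/python2.", "/python3.")          # Image|contains


def selection_img(event):
    """Either list item of selection_img may match (OR between them)."""
    image = event.get("Image", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or any(s in image for s in IMAGE_SUBSTRINGS)


def selection_cli_1(event):
    """CommandLine|contains|all: every substring must be present."""
    cl = event.get("CommandLine", "").lower()
    return "import pty" in cl and ".spawn(" in cl


def selection_cli_2(event):
    """CommandLine|contains with a single value."""
    return "from pty import spawn" in event.get("CommandLine", "").lower()


def matches(event):
    """condition: selection_img and 1 of selection_cli_*"""
    return selection_img(event) and (selection_cli_1(event) or selection_cli_2(event))


def find_hits(events):
    """Return the indices of events that the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in find_hits(SAMPLE_EVENTS):
        print(f"hit on event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Note that the second sample event only fires through selection_cli_2: its command line has `spawn(` without the leading dot, so selection_cli_1's `.spawn(` string never matches it.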
