Python Spawning Pretty TTY Via PTY Module

calendar Nov 4, 2024 · attack.execution attack.t1059  ·
Share on: linkedin copy

Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.

Sigma rule (View on GitHub)

 1title: Python Spawning Pretty TTY Via PTY Module
 2id: c4042d54-110d-45dd-a0e1-05c47822c937
 3related:
 4    - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
 5      type: similar
 6status: test
 7description: |
 8        Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
 9references:
10    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
11author: Nextron Systems
12date: 2022-06-03
13modified: 2024-11-04
14tags:
15    - attack.execution
16    - attack.t1059
17logsource:
18    category: process_creation
19    product: linux
20detection:
21    selection_img:
22        - Image|endswith:
23              - '/python'
24              - '/python2'
25              - '/python3'
26        - Image|contains:
27              - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink
28              - '/python3.'
29    selection_cli_import:
30        CommandLine|contains:
31            - 'import pty'
32            - 'from pty '
33    selection_cli_spawn:
34        CommandLine|contains: 'spawn'
35    condition: all of selection_*
36falsepositives:
37    - Unknown
38level: medium

References

  • Zero-Day Exploitation of Atlassian Confluence

    UPDATE: On June 3, 2022, Atlassian updated its security advisory with new information regarding a fix for Confluence Server and Data Center to address CVE-2022-26134. Users are encouraged to update immediately to mitigate their risk. Additional observations after publication of this blog post have been shared here, with guidance on how to verify if you have been impacted by unauthorized access.  Over the Memorial Day weekend in the United States, Volexity conducted an incident response investigation involving two Internet-facing web servers belonging to one of its customers that were running Atlassian Confluence Server software. The investigation began after suspicious activity was detected on the hosts, which included JSP webshells being written to disk. Volexity immediately used Volexity Surge Collect Pro to collect system memory and key files from the Confluence Server systems for analysis. After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from […]


    Read More

Related rules

to-top