Python Spawning Pretty TTY
Detects Python spawning a pretty TTY (a pseudo-terminal via the `pty` module), which could indicate reverse shell activity.
Sigma rule
```yaml
title: Python Spawning Pretty TTY
id: c4042d54-110d-45dd-a0e1-05c47822c937
related:
    - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
      type: similar
status: experimental
description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022/06/03
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|contains:
            - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
            - '/python3.'
    selection_cli_1:
        CommandLine|contains|all:
            - 'import pty'
            - '.spawn('
    selection_cli_2:
        CommandLine|contains: 'from pty import spawn'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Unknown
level: high
```
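To see how the three selections and the condition combine, the following is an added example (not part of the rule page and not Sigma project code) that re-implements this rule's matching logic in plain Python and runs it over a handful of constructed `process_creation` events. Field names follow the Sigma process_creation taxonomy the rule uses (`Image`, `CommandLine`); the sample events, the `evaluate` helper and the function names are assumptions made for the example. The last sample event deliberately records the unresolved `/usr/bin/python3` symlink path, which the rule's `/python3.` substring does not match: that is the dependency the rule's own comment points at, and it is worth confirming how your sensor records the image path before relying on this rule.

```python
"""Stand-alone evaluator for the 'Python Spawning Pretty TTY' Sigma rule.

Added example: re-implements the rule's selection/condition logic so the
matching behaviour can be checked against constructed events before the
rule is deployed to a real backend.
"""

# Values copied from the rule's detection block.
IMAGE_SUBSTRINGS = ("/python2.", "/python3.")
CLI_ALL_SUBSTRINGS = ("import pty", ".spawn(")
CLI_ALT_SUBSTRING = "from pty import spawn"


def selection_img(event: dict) -> bool:
    """Image|contains: true if any listed substring appears in Image.
    Sigma string modifiers are case-insensitive by default, so compare lowercased."""
    image = event.get("Image", "").lower()
    return any(s in image for s in IMAGE_SUBSTRINGS)


def selection_cli_1(event: dict) -> bool:
    """CommandLine|contains|all: every listed substring must appear."""
    cmd = event.get("CommandLine", "").lower()
    return all(s in cmd for s in CLI_ALL_SUBSTRINGS)


def selection_cli_2(event: dict) -> bool:
    """CommandLine|contains: the single alternative import form."""
    cmd = event.get("CommandLine", "").lower()
    return CLI_ALT_SUBSTRING in cmd


def rule_matches(event: dict) -> bool:
    """condition: selection_img and 1 of selection_cli_*"""
    return selection_img(event) and (selection_cli_1(event) or selection_cli_2(event))


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. versioned interpreter path + pty.spawn(): matches via selection_cli_1
    {"Image": "/usr/bin/python3.10",
     "CommandLine": "python3 -c \"import pty; pty.spawn('/bin/bash')\""},
    # 2. alternative import form: matches via selection_cli_2
    {"Image": "/usr/bin/python3.10",
     "CommandLine": "python3 -c 'from pty import spawn; spawn(\"/bin/sh\")'"},
    # 3. ordinary Python invocation: no command-line selection fires
    {"Image": "/usr/bin/python3.10",
     "CommandLine": "python3 manage.py runserver"},
    # 4. developer code search: CommandLine would satisfy selection_cli_1,
    #    but the image is not a Python interpreter, so selection_img gates it out
    {"Image": "/usr/bin/grep",
     "CommandLine": "grep -rn -e 'import pty' -e '.spawn(' ./src"},
    # 5. sensor logged the symlink, not the resolved /python3.X path: missed
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c \"import pty; pty.spawn('/bin/bash')\""},
]


def evaluate(events):
    """Return one match verdict per event, in input order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if hit else 'ok    '} {event['Image']}  {event['CommandLine']}")
```

Running the block prints an alert line for the first two events only. Event 5 is the case to watch in production: if the logging pipeline records `Image` as the symlink rather than the resolved `python3.X` binary, the `Image|contains` selection never fires and the rule is silent regardless of the command line.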