Python Spawning Pretty TTY

Detects Python spawning a pseudo-terminal ("pretty TTY") via the pty module, which could be indicative of reverse shell activity.

Sigma rule

title: Python Spawning Pretty TTY
id: c4042d54-110d-45dd-a0e1-05c47822c937
related:
    - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
      type: similar
status: experimental
description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022/06/03
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|contains:
            - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink
            - '/python3.'
    selection_cli_1:
        CommandLine|contains|all:
            - 'import pty'
            - '.spawn('
    selection_cli_2:
        CommandLine|contains: 'from pty import spawn'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Unknown
level: high
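The rule's selection logic, re-implemented as an added example (not code from the Sigma project or the rule's author) and run over constructed Linux process_creation events, so you can see which events fire and which do not. The field names Image and CommandLine follow the rule; the sample events and the helper names are assumptions made here.

```python
import json

# Constructed sample events in the shape of Linux process_creation logs
# (JSON lines); Image and CommandLine are the two fields the rule inspects.
# The /usr/local/bin/python event shows the rule's stated assumption: it
# fires only when the logged Image carries a version suffix such as python3.10,
# so a logsource that records the unresolved symlink path would not match.
SAMPLE_LOG = """\
{"Image": "/usr/bin/python3.10", "CommandLine": "python3 -c 'import pty; pty.spawn(\\"/bin/bash\\")'"}
{"Image": "/usr/bin/python3.10", "CommandLine": "python3 -c 'from pty import spawn; spawn(\\"/bin/sh\\")'"}
{"Image": "/usr/bin/python3.10", "CommandLine": "python3 manage.py runserver"}
{"Image": "/usr/local/bin/python", "CommandLine": "python -c 'import pty; pty.spawn(\\"/bin/sh\\")'"}
{"Image": "/usr/bin/bash", "CommandLine": "bash -c 'echo import pty'"}
"""


def _contains(value, needle):
    # Sigma string matching is case-insensitive unless the |cased modifier is used.
    return needle.lower() in value.lower()


def matches_rule(event):
    """Evaluate the rule: selection_img and 1 of selection_cli_*."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    selection_img = any(_contains(image, n) for n in ("/python2.", "/python3."))
    selection_cli_1 = all(_contains(cmd, n) for n in ("import pty", ".spawn("))
    selection_cli_2 = _contains(cmd, "from pty import spawn")
    return selection_img and (selection_cli_1 or selection_cli_2)


def matching_events(log_text):
    """Parse JSON lines and return the CommandLine of every event the rule fires on."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            if matches_rule(event):
                hits.append(event["CommandLine"])
    return hits


if __name__ == "__main__":
    for cmd in matching_events(SAMPLE_LOG):
        print("ALERT:", cmd)
```

Only the first two sample events fire; the symlink-path event is the case to keep in mind when checking what your own log source records in the Image field.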
