Python Spawning Pretty TTY
Detects python spawning a pretty tty which could be indicative of potential reverse shell activity
Sigma rule (View on GitHub)
1title: Python Spawning Pretty TTY
2id: c4042d54-110d-45dd-a0e1-05c47822c937
3related:
4 - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
5 type: similar
6status: test
7description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity
8references:
9 - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
10author: Nextron Systems
11date: 2022-06-03
12modified: 2023-06-16
13tags:
14 - attack.execution
15 - attack.t1059
16logsource:
17 category: process_creation
18 product: linux
19detection:
20 selection_img:
21 - Image|endswith:
22 - '/python'
23 - '/python2'
24 - '/python3'
25 - Image|contains:
26 - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
27 - '/python3.'
28 selection_cli_1:
29 CommandLine|contains|all:
30 - 'import pty'
31 - '.spawn('
32 selection_cli_2:
33 CommandLine|contains: 'from pty import spawn'
34 condition: selection_img and 1 of selection_cli_*
35falsepositives:
36 - Unknown
37level: high
References
Related rules
- Abusable DLL Potential Sideloading From Suspicious Location
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Add Potential Suspicious New Download Source To Winget
- Atlassian Confluence CVE-2022-26134