Potential Python Reverse Shell

Detects executing python with keywords related to network activity that could indicate a potential reverse shell

Sigma rule

title: Potential Python Reverse Shell
id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
related:
    - id: c4042d54-110d-45dd-a0e1-05c47822c937
      type: similar
status: test
description: Detects executing python with keywords related to network activity that could indicate a potential reverse shell
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023/04/24
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'python'
        CommandLine|contains|all:
            - ' -c '
            - 'import'
            - 'pty'
            - 'spawn('
            - '.connect'
    condition: selection
falsepositives:
    - Unknown
level: high
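To show how the selection above is evaluated, here is a small added example (not code from the Sigma project, any Sigma backend, or the rule's authors): a toy matcher for the rule's `contains` and `contains|all` modifiers, run over a handful of constructed process_creation events. It assumes Sigma's default case-insensitive string matching and that the condition is simply `selection`, as the rule states; the event field names `Image` and `CommandLine` are the ones the rule uses, and the command lines in the matching events are deliberately non-functional (undefined names such as `REMOTE` and `SHELL`).

```python
# Added example (not part of the Sigma rule or any Sigma backend): a toy evaluator
# for this rule's 'selection' block, run over constructed process_creation events.

# Transcribed from the rule's detection.selection block.
RULE_SELECTION = {
    "Image|contains": "python",
    "CommandLine|contains|all": [" -c ", "import", "pty", "spawn(", ".connect"],
}


def _contains(haystack: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive unless the 'cased' modifier is set.
    return needle.lower() in haystack.lower()


def matches_selection(event: dict, selection: dict = RULE_SELECTION) -> bool:
    """Return True when every field/modifier entry in the selection matches the event.

    Supports only the 'contains' and 'contains|all' modifiers used by this rule.
    """
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        if "contains" not in modifiers:
            raise ValueError(f"unsupported modifier set: {modifiers}")
        value = event.get(field, "")
        needles = expected if isinstance(expected, list) else [expected]
        if "all" in modifiers:
            matched = all(_contains(value, n) for n in needles)
        else:
            # Without 'all', a list of values is an implicit OR.
            matched = any(_contains(value, n) for n in needles)
        if not matched:
            return False
    return True


# Constructed sample events (not real telemetry). The command lines in the
# matching events are intentionally non-functional: REMOTE and SHELL are undefined.
SAMPLE_EVENTS = [
    # All five keywords present on an inline '-c' invocation: the rule fires.
    {"id": "e1", "Image": "/usr/bin/python3",
     "CommandLine": 'python3 -c "import pty, socket; sock.connect(REMOTE); pty.spawn(SHELL)"'},
    # pty.spawn alone (a common interactive-TTY idiom): no '.connect', so no alert.
    {"id": "e2", "Image": "/usr/bin/python3",
     "CommandLine": "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    # Script invoked from a file: no ' -c ' and no 'import' on the command line.
    {"id": "e3", "Image": "/usr/bin/python3",
     "CommandLine": "python3 /opt/app/client.py --connect"},
    # All keywords present, but the Image is not python, so Image|contains fails.
    {"id": "e4", "Image": "/usr/bin/perl",
     "CommandLine": "perl -c import pty spawn( .connect"},
    # Mixed case in Image and command line: still matches, 'contains' ignores case.
    {"id": "e5", "Image": "/opt/Python3/bin/Python3",
     "CommandLine": "Python3 -c 'import pty, socket; conn.connect(REMOTE); pty.spawn(SHELL)'"},
]


def alerting_event_ids(events=SAMPLE_EVENTS) -> list:
    """IDs of events satisfying the selection (the rule's condition is just 'selection')."""
    return [e["id"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], "ALERT" if matches_selection(e) else "-", e["CommandLine"])
```

Two things the sample events make visible: the rule only inspects what is passed inline via ` -c `, so the same imports inside a script file (event `e3`) are outside its scope, and `pty.spawn(` without `.connect` (event `e2`) does not fire, which is where most tuning of the rule's "Unknown" false positives is likely to happen.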
