Inline Python Execution - Spawn Shell Via OS System Library
Detects execution of inline Python code via the "-c" flag in order to call the "system" function from the "os" library and spawn a shell.
Sigma rule
title: Inline Python Execution - Spawn Shell Via OS System Library
id: 2d2f44ff-4611-4778-a8fc-323a0e9850cc
status: experimental
description: |
    Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
references:
    - https://gtfobins.github.io/gtfobins/python/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        - Image|endswith:
              - '/python'
              - '/python2'
              - '/python3'
        - Image|contains:
              - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
              - '/python3.'
    selection_cli:
        CommandLine|contains|all:
            - ' -c '
            - 'os.system('
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
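The following is an added example, not part of the Sigma project or this rule's authors' work: a small Python evaluator that applies the rule's selection logic to constructed process_creation events, so a detection engineer can see which command lines the rule flags and which it ignores. It assumes the Sigma process_creation field names (Image, CommandLine), implements the default case-insensitive string matching, and treats the list items under selection_img as OR-ed, the two keys under selection_cli as AND-ed, and `all of selection_*` as requiring both selections. The sample events are constructed for the demonstration, not captured telemetry.

```python
"""Added example: evaluate the 'Inline Python Execution - Spawn Shell Via OS System
Library' rule against constructed process_creation events.

Assumptions (not from the rule page): Sigma default semantics, i.e. string
comparisons are case-insensitive, a list under one modifier is OR-ed, separate
keys inside one selection are AND-ed.
"""

IMAGE_ENDSWITH = ("/python", "/python2", "/python3")
IMAGE_CONTAINS = ("/python2.", "/python3.")  # versioned binaries, e.g. /usr/bin/python3.10
CLI_CONTAINS_ALL = (" -c ", "os.system(")
CLI_CONTAINS_ANY = ("/bin/bash", "/bin/dash", "/bin/fish", "/bin/sh", "/bin/zsh")


def selection_img(image: str) -> bool:
    """selection_img: Image|endswith (any of three) OR Image|contains (any of two)."""
    img = image.lower()
    return img.endswith(IMAGE_ENDSWITH) or any(s in img for s in IMAGE_CONTAINS)


def selection_cli(cmdline: str) -> bool:
    """selection_cli: contains|all needs every substring, plain contains needs one;
    the two keys are AND-ed because they sit in the same selection."""
    cli = cmdline.lower()
    return all(s in cli for s in CLI_CONTAINS_ALL) and any(s in cli for s in CLI_CONTAINS_ANY)


def matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold for the event."""
    return selection_img(event.get("Image", "")) and selection_cli(event.get("CommandLine", ""))


def evaluate(events):
    """Return one boolean per event: True where the rule would fire."""
    return [matches(e) for e in events]


# Constructed sample events (not real host telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/python3.10",
     "CommandLine": "python3 -c 'import os; os.system(\"/bin/sh\")'"},  # versioned image, fires
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c 'print(1+1)'"},                          # inline code, no os.system
    {"Image": "/usr/bin/perl",
     "CommandLine": "perl -e 'system(\"/bin/sh\")'"},                    # not a python image
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c 'import os; os.system(\"ls -l\")'"},    # os.system without a shell path
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 /tmp/script.py"},                         # script file, no -c
]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("MATCH  " if hit else "ignore ", event["Image"], "|", event["CommandLine"])
```

Only the first event fires: the versioned image path is caught by the `Image|contains` branch, and the command line carries all three required pieces (`-c`, `os.system(`, a shell path). The remaining events each lack exactly one of the rule's requirements, which is a quick way to confirm that the AND/OR layering of the selections is implemented the way the rule intends before deploying it in a SIEM.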
Related rules
- Capsh Shell Invocation - Linux
- Shell Execution via Git - Linux
- Shell Execution via Rsync - Linux
- Shell Invocation Via Ssh - Linux
- Shell Invocation via Env Command - Linux