Python Initiated Connection

calendar Apr 7, 2025 · attack.discovery attack.t1046  ·
Share on: linkedin copy

Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.

Sigma rule (View on GitHub)

 1title: Python Initiated Connection
 2id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6
 3status: test
 4description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
 7    - https://pypi.org/project/scapy/
 8author: frack113
 9date: 2021-12-10
10modified: 2025-03-05
11tags:
12    - attack.discovery
13    - attack.t1046
14logsource:
15    category: network_connection
16    product: windows
17    definition: 'Requirements: Field enrichment is required for the filters to work. As field such as CommandLine and ParentImage are not available by default on this event type'
18detection:
19    selection:
20        Initiated: 'true'
21        Image|contains|all:
22            - '\python'
23            - '.exe'
24    filter_optional_conda:
25        # Related to anaconda updates. Command example: "conda update conda"
26        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
27        ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe
28        CommandLine|contains|all:
29            - ':\ProgramData\Anaconda3\Scripts\conda-script.py'
30            - 'update'
31    filter_optional_conda_jupyter_notebook:
32        # Related to anaconda opening an instance of Jupyter Notebook
33        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
34        ParentImage: C:\ProgramData\Anaconda3\python.exe
35        CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
36    filter_main_local_communication:
37        # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python opening sockets locally etc. So comment this out if you want to monitor for those instances
38        DestinationIp: 127.0.0.1
39        SourceIp: 127.0.0.1
40    filter_main_pip:
41        CommandLine|contains|all:
42            - 'pip.exe'
43            - 'install'
44    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
45falsepositives:
46    - Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.
47level: medium
yaml

References

Related rules

to-top