Python Initiated Connection

Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.

Sigma rule (View on GitHub)

 1title: Python Initiated Connection
 2id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6
 3status: experimental
 4description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
 7    - https://pypi.org/project/scapy/
 8author: frack113
 9date: 2021/12/10
10modified: 2023/09/07
11tags:
12    - attack.discovery
13    - attack.t1046
14logsource:
15    category: network_connection
16    product: windows
17    definition: 'Requirements: Field enrichment is required for the filters to work. As field such as CommandLine and ParentImage are not available by default on this event type'
18detection:
19    selection:
20        Initiated: 'true'
21        Image|contains: 'python'
22    filter_optional_conda:
23        # Related to anaconda updates. Command example: "conda update conda"
24        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
25        ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe
26        CommandLine|contains|all:
27            - ':\ProgramData\Anaconda3\Scripts\conda-script.py'
28            - 'update'
29    filter_optional_conda_jupyter_notebook:
30        # Related to anaconda opening an instance of Jupyter Notebook
31        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
32        ParentImage: C:\ProgramData\Anaconda3\python.exe
33        CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
34    filter_main_local_communication:
35        # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python opening sockets locally etc. So comment this out if you want to monitor for those instances
36        DestinationIp: 127.0.0.1
37        SourceIp: 127.0.0.1
38    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
39falsepositives:
40    - Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.
41level: medium

References

Related rules

to-top