Python Inline Command Execution
Detects execution of python using the "-c" flag. This could be used as a way to launch a reverse shell or execute live python code.
Sigma rule
```yaml
title: Python Inline Command Execution
id: 899133d5-4d7c-4a7f-94ee-27355c879d90
status: test
description: Detects execution of python using the "-c" flag. This could be used as a way to launch a reverse shell or execute live python code.
references:
    - https://docs.python.org/3/using/cmdline.html#cmdoption-c
    - https://www.revshells.com/
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-01-20
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'python.exe'
        - Image|endswith:
              - 'python.exe' # no leading \ because of e.g. ipython.exe
              - 'python3.exe'
              - 'python2.exe'
    selection_cli:
        CommandLine|contains: ' -c'
    filter_main_python: # Based on baseline
        ParentImage|startswith: 'C:\Program Files\Python'
        ParentImage|endswith: '\python.exe'
        ParentCommandLine|contains: '-E -s -m ensurepip -U --default-pip'
    filter_optional_vscode:
        ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
    filter_optional_pip:
        CommandLine|contains|all:
            - '<pip-setuptools-caller>'
            - 'exec(compile('
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Python libraries that use a flag starting with "-c". Filter according to your environment
level: medium
```
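To show what the rule's condition actually does, here is an added example (not part of the rule, the Sigma project, or any Sigma backend) that re-implements the detection logic in plain Python and runs it over a handful of constructed process_creation events. Field names follow the Sigma process_creation taxonomy the rule uses (Image, OriginalFileName, CommandLine, ParentImage, ParentCommandLine); every event, path and user name below is made up. It mirrors Sigma's default case-insensitive string matching, and the samples exercise the points the rule's own comments call out: the missing leading backslash that lets ipython.exe match, the OriginalFileName check that survives a renamed binary, each of the three filters, and the kind of "-c..." flag collision named under falsepositives.

```python
"""Evaluate the Python Inline Command Execution Sigma logic over sample events.

Added example only; not the rule's own code or a Sigma backend. Sigma string
modifiers are case-insensitive by default, so every comparison lowercases.
"""
from typing import Callable, Dict, List

Event = Dict[str, str]


def _endswith(value: str, suffixes: List[str]) -> bool:
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _startswith(value: str, prefix: str) -> bool:
    return (value or "").lower().startswith(prefix.lower())


def _contains(value: str, needle: str) -> bool:
    return needle.lower() in (value or "").lower()


def selection_img(ev: Event) -> bool:
    # List items under a selection are OR-ed. 'python.exe' has no leading
    # backslash on purpose, so ipython.exe also satisfies the endswith check.
    return (ev.get("OriginalFileName", "").lower() == "python.exe"
            or _endswith(ev.get("Image", ""), ["python.exe", "python3.exe", "python2.exe"]))


def selection_cli(ev: Event) -> bool:
    # Leading space: matches " -c", " -cfg", ... but not "--check".
    return _contains(ev.get("CommandLine", ""), " -c")


def filter_main_python(ev: Event) -> bool:
    # Keys inside one mapping are AND-ed: the installer's pip bootstrap.
    return (_startswith(ev.get("ParentImage", ""), r"C:\Program Files\Python")
            and _endswith(ev.get("ParentImage", ""), [r"\python.exe"])
            and _contains(ev.get("ParentCommandLine", ""), "-E -s -m ensurepip -U --default-pip"))


def filter_optional_vscode(ev: Event) -> bool:
    return _endswith(ev.get("ParentImage", ""),
                     [r"\AppData\Local\Programs\Microsoft VS Code\Code.exe"])


def filter_optional_pip(ev: Event) -> bool:
    cl = ev.get("CommandLine", "")
    return _contains(cl, "<pip-setuptools-caller>") and _contains(cl, "exec(compile(")


def matches(ev: Event) -> bool:
    # condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
    selections: List[Callable[[Event], bool]] = [selection_img, selection_cli]
    filters: List[Callable[[Event], bool]] = [filter_main_python, filter_optional_vscode,
                                             filter_optional_pip]
    return all(s(ev) for s in selections) and not any(f(ev) for f in filters)


# Constructed sample events (no real telemetry); "name" is only a label.
SAMPLE_EVENTS: List[Event] = [
    {"name": "inline_from_cmd", "Image": r"C:\Python311\python.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": 'python.exe -c "import sys; print(sys.version)"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe"},
    {"name": "ipython_inline", "Image": r"C:\Python311\Scripts\ipython.exe",
     "OriginalFileName": "ipython.exe",
     "CommandLine": 'ipython.exe -c "print(1)"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe"},
    {"name": "renamed_python", "Image": r"C:\Users\Public\py.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": 'py.exe -c "import sys; print(sys.version)"',
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"name": "ensurepip_bootstrap", "Image": r"C:\Program Files\Python311\python.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": '"C:\\Program Files\\Python311\\python.exe" -c "import ensurepip"',
     "ParentImage": r"C:\Program Files\Python311\python.exe",
     "ParentCommandLine": '"C:\\Program Files\\Python311\\python.exe" -E -s -m ensurepip -U --default-pip'},
    {"name": "vscode_child", "Image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\python.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": 'python.exe -c "import debugpy"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "ParentCommandLine": "Code.exe"},
    {"name": "pip_setuptools_caller", "Image": r"C:\Python311\python.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": 'python.exe -c "exec(compile(\'<pip-setuptools-caller>\', ...))"',
     "ParentImage": r"C:\Python311\python.exe", "ParentCommandLine": "python.exe -m pip install x"},
    {"name": "powershell_dash_c", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -c Get-Date",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"name": "library_flag_collision", "Image": r"C:\Python311\python.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": r"python.exe tool.py -cfg C:\data\settings.ini",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe"},
]


def evaluate(events: List[Event] = SAMPLE_EVENTS) -> Dict[str, bool]:
    """Return {event name: rule matched}."""
    return {ev["name"]: matches(ev) for ev in events}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'ignore'}  {name}")
```

The last sample, library_flag_collision, still fires: "-cfg" contains " -c" just as the rule's falsepositives entry warns, which is why tuning in your environment means adding a local filter for such tools rather than loosening selection_cli.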
Related rules
- Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
- Potential KamiKakaBot Activity - Lure Document Execution
- Renamed NirCmd.EXE Execution
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)