Python Inline Command Execution

calendar Oct 9, 2025 · attack.execution attack.t1059  ·
Share on: linkedin copy

Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.

Sigma rule (View on GitHub)

 1title: Python Inline Command Execution
 2id: 899133d5-4d7c-4a7f-94ee-27355c879d90
 3status: test
 4description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
 5references:
 6    - https://docs.python.org/3/using/cmdline.html#cmdoption-c
 7    - https://www.revshells.com/
 8    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023-01-02
11modified: 2025-10-07
12tags:
13    - attack.execution
14    - attack.t1059
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - OriginalFileName: 'python.exe'
21        - Image|endswith:
22              - 'python.exe' # no \ bc of e.g. ipython.exe
23              - 'python3.exe'
24              - 'python2.exe'
25    selection_cli:
26        CommandLine|contains: ' -c'
27    filter_main_python_1: # Based on baseline
28        ParentImage|startswith:
29            - 'C:\Program Files\Python'
30            - 'C:\Program Files (x86)\Python'
31        ParentImage|endswith: '\python.exe'
32        ParentCommandLine|contains: '-E -s -m ensurepip -U --default-pip'
33    filter_main_python_trace: # Based on baseline
34        ParentImage|startswith:
35            - 'C:\Program Files\Python'
36            - 'C:\Program Files (x86)\Python'
37        CommandLine|contains|all:
38            # CommandLine: \"C:\\Program Files\\Python312\\python.exe\" -W ignore::DeprecationWarning -c \"\nimport runpy\nimport sys\nsys.path = ['C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj\\\\pip-23.2.1-py3-none-any.whl'] + sys.path\nsys.argv[1:] = ['install', '--no-cache-dir', '--no-index', '--find-links', 'C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj', '--upgrade', 'pip']\nrunpy.run_module(\\\"pip\\\", run_name=\\\"__main__\\\", alter_sys=True)\n\
39            - '-W ignore::DeprecationWarning'
40            - "['install', '--no-cache-dir', '--no-index', '--find-links',"
41            - "'--upgrade', 'pip'"
42    filter_optional_vscode:
43        - ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
44        - ParentImage:
45              - 'C:\Program Files\Microsoft VS Code\Code.exe'
46              - 'C:\Program Files (x86)\Microsoft VS Code\Code.exe'
47    filter_optional_pip:
48        CommandLine|contains|all:
49            - '<pip-setuptools-caller>'
50            - 'exec(compile('
51    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
52falsepositives:
53    - Python libraries that use a flag starting with "-c". Filter according to your environment
54level: medium

References

  • 1. Command line and environment

    The CPython interpreter scans the command line and the environment for various settings. CPython implementation detail: Other implementations’ command line schemes may differ. See Alternate Impleme...


    Read More

  • Online - Reverse Shell Generator

    Online Reverse Shell generator with Local Storage functionality, URI & Base64 Encoding, MSFVenom Generator, and Raw Mode. Great for CTFs.


    Read More

  • Reverse Shell Cheat Sheet

    If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell. If it’s not possible to add a new accou...


    Read More

Related rules

to-top