Python Spawning Pretty TTY on Windows

calendar Oct 17, 2023 · attack.execution attack.t1059  ·
Share on: linkedin copy

Detects python spawning a pretty tty

Sigma rule (View on GitHub)

 1title: Python Spawning Pretty TTY on Windows
 2id: 480e7e51-e797-47e3-8d72-ebfce65b6d8d
 3related:
 4    - id: 899133d5-4d7c-4a7f-94ee-27355c879d90
 5      type: derived
 6status: test
 7description: Detects python spawning a pretty tty
 8references:
 9    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
10author: Nextron Systems
11date: 2022/06/03
12tags:
13    - attack.execution
14    - attack.t1059
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        Image|endswith:
21            - 'python.exe' # no \ bc of e.g. ipython.exe
22            - 'python3.exe'
23            - 'python2.exe'
24    selection_cli_1:
25        CommandLine|contains|all:
26            - 'import pty'
27            - '.spawn('
28    selection_cli_2:
29        CommandLine|contains: 'from pty import spawn'
30    condition: selection_img and 1 of selection_cli_*
31falsepositives:
32    - Unknown
33level: high

References

  • Zero-Day Exploitation of Atlassian Confluence

    UPDATE: On June 3, 2022, Atlassian updated its security advisory with new information regarding a fix for Confluence Server and Data Center to address CVE-2022-26134. Users are encouraged to update immediately to mitigate their risk. Additional observations after publication of this blog post have been shared here, with guidance on how to verify if you have been impacted by unauthorized access.  Over the Memorial Day weekend in the United States, Volexity conducted an incident response investigation involving two Internet-facing web servers belonging to one of its customers that were running Atlassian Confluence Server software. The investigation began after suspicious activity was detected on the hosts, which included JSP webshells being written to disk. Volexity immediately used Volexity Surge Collect Pro to collect system memory and key files from the Confluence Server systems for analysis. After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from […]


    Read More

Related rules

to-top