T1059.006

Python

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. (Citation: Zscaler APT31 Covid-19 October 2020) Python comes with many built-in packages to...

Platforms: ESXi, Linux, macOS, Windows

43 detections, 2 sources, 17 threat actors

BY SOURCE

41 Elastic, 2 Sigma

PROCEDURES (32)

Auto-extracted keyword buckets. Each label is the search stem that was matched (so "obfuscat" covers obfuscate/obfuscation and "exfiltrat" covers exfiltrate/exfiltration), followed by the number of detections that matched it; the page lists each extracted procedure separately, so some stems appear more than once.

Inject: 3 detections
C2: 3 detections
Http: 2 detections
Obfuscat: 2 detections
Child Process: 2 detections
General Monitoring: 2 detections
Script Execution Monitoring: 2 detections
Persist: 2 detections
Base64: 2 detections
Suspicious: 1 detection
Command And Control: 1 detection
Lateral: 1 detection
Download: 1 detection
Download: 1 detection
Container: 1 detection
Lateral: 1 detection
Remote: 1 detection
Child Process: 1 detection
Unusual: 1 detection
Unusual: 1 detection
Unusual: 1 detection
Inject: 1 detection
Exfiltrat: 1 detection
Lateral: 1 detection
Download: 1 detection
Privilege: 1 detection
Container: 1 detection
Suspicious: 1 detection
Base64: 1 detection
Inject: 1 detection
Privilege: 1 detection
Remote: 1 detection
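The procedure buckets above (base64, child process, obfuscat, script execution monitoring, http and so on) are all properties a process-creation rule can test for directly. The block below is an added example, not the Elastic or Sigma rules this page lists and not their logic: it runs a few simplified rules of that shape over constructed process events and reports which ones fire. The event fields (pid, name, cmdline, parent_name), the rule names, the severities and the sample command lines are assumptions chosen to resemble the titles in the detection list ("First Time Python Spawned a Shell on Host", "Interactive Terminal Spawned via Python", "Base64 Decoded Payload Piped to Interpreter", "ROT Encoded Python Script Execution", "Simple HTTP Web Server Creation").

```python
"""Toy process-event rules for T1059.006 over constructed telemetry.

Added example: simplified rules written for illustration, not the Elastic or
Sigma rules listed on the page. Event fields and sample events are assumptions.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SHELLS = {"sh", "bash", "zsh", "dash", "ksh", "fish"}
PYTHON_RE = re.compile(r"^python(\d+(\.\d+)?)?$")
Hit = Optional[Tuple[str, str]]  # (rule name, severity) or None


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    name: str         # executable basename of the new process
    cmdline: str      # full command line as logged
    parent_name: str  # executable basename of the parent process


def is_python(name: str) -> bool:
    return bool(PYTHON_RE.match(name))


def dash_c_argument(argv: List[str]) -> Optional[str]:
    """The string after -c (python -c / sh -c), or None if there is none."""
    if "-c" in argv and argv.index("-c") + 1 < len(argv):
        return argv[argv.index("-c") + 1]
    return None


def python_spawned_shell(ev: ProcEvent) -> Hit:
    """A Python parent launching a shell; '-i' makes it an interactive terminal."""
    if is_python(ev.parent_name) and ev.name in SHELLS:
        if "-i" in shlex.split(ev.cmdline)[1:]:
            return "interactive_terminal_via_python", "high"
        return "python_spawned_shell", "medium"
    return None


def decoded_payload_piped(ev: ProcEvent) -> Hit:
    """sh -c '... | base64 -d | python': decoded payload fed straight to the interpreter."""
    if ev.name not in SHELLS:
        return None
    cmd = dash_c_argument(shlex.split(ev.cmdline))
    if cmd is None:
        return None
    stages = [s.strip() for s in cmd.split("|")]
    for left, right in zip(stages, stages[1:]):
        right_tokens = right.split()
        if re.search(r"\bbase64\s+(-d|--decode)\b", left) and right_tokens and is_python(right_tokens[0]):
            return "base64_decoded_payload_piped_to_interpreter", "high"
    return None


ENCODED_PATTERNS = (
    ("base64_encoded_python_oneliner", re.compile(r"\bb64decode\(")),
    ("rot_encoded_python_script", re.compile(r"rot[_-]?13", re.IGNORECASE)),
)


def encoded_oneliner(ev: ProcEvent) -> Hit:
    """python -c '... exec(<decoder>(...))': code hidden behind base64 or ROT13."""
    if not is_python(ev.name):
        return None
    code = dash_c_argument(shlex.split(ev.cmdline))
    if code is None or not re.search(r"\b(exec|eval)\(", code):
        return None
    for rule, pattern in ENCODED_PATTERNS:
        if pattern.search(code):
            return rule, "medium"
    return None


def simple_http_server(ev: ProcEvent) -> Hit:
    """python -m http.server: a one-command file server, commonly used for staging tools."""
    argv = shlex.split(ev.cmdline)
    if is_python(ev.name) and "-m" in argv and argv.index("-m") + 1 < len(argv):
        if argv[argv.index("-m") + 1] in ("http.server", "SimpleHTTPServer"):
            return "simple_http_server_creation", "low"
    return None


RULES = (python_spawned_shell, decoded_payload_piped, encoded_oneliner, simple_http_server)


def run_rules(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Apply every rule to every event; one alert dict per (event, rule) hit."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"pid": ev.pid, "rule": hit[0], "severity": hit[1]})
    return alerts


# Constructed sample telemetry (not real logs). 'aW1wb3J0IG9z' is base64 and
# 'vzcbeg bf' is ROT13 of the harmless string "import os".
SAMPLE_EVENTS = [
    ProcEvent(101, "python3", "python3 /opt/app/manage.py runserver", "systemd"),
    ProcEvent(102, "bash", "bash -i", "python3"),
    ProcEvent(103, "bash", 'bash -c "echo aW1wb3J0IG9z | base64 -d | python3"', "sshd"),
    ProcEvent(104, "python3", "python3 -c \"import base64;exec(base64.b64decode('aW1wb3J0IG9z'))\"", "bash"),
    ProcEvent(105, "python3", "python3 -c \"import codecs;exec(codecs.decode('vzcbeg bf', 'rot_13'))\"", "bash"),
    ProcEvent(106, "python3", "python3 -m http.server 8000", "bash"),
    ProcEvent(107, "sh", 'sh -c "ls -la | grep py"', "python3"),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The shell rule only fires on a Python parent, so the Django runserver event (pid 101) produces nothing, while the non-interactive sh spawned by Python (pid 107) still gets a medium hit; production rules add a per-host baseline on top of this, which is what the "First Time" wording in the Elastic title refers to. Splitting the shell command string on "|" after shlex.split is what lets the pipe rule see base64 -d feeding python3 even though the whole pipeline is a single -c argument.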

DETECTIONS (43)

Rule name (source, severity):

AppLocker Prevented Application or Script from Running (Sigma, medium)
Base64 Decoded Payload Piped to Interpreter (Elastic, high)
Decoded Payload Piped to Interpreter Detected via Defend for Containers (Elastic, high)
Deprecated - EggShell Backdoor Execution (Elastic, high)
Encoded Payload Detected via Defend for Containers (Elastic, medium)
Execution via GitHub Actions Runner (Elastic, medium)
Execution via OpenClaw Agent (Elastic, medium)
Execution with Explicit Credentials via Scripting (Elastic, medium)
First Time Python Spawned a Shell on Host (Elastic, medium)
Google Calendar C2 via Script Interpreter (Elastic, high)
Interactive Terminal Spawned via Python (Elastic, high)
Payload Execution via Shell Pipe Detected by Defend for Containers (Elastic, medium)
Perl Outbound Network Connection (Elastic, medium)
Potential Etherhiding C2 via Blockchain Connection (Elastic, high)
Potential Hex Payload Execution via Common Utility (Elastic, low)
Potential JAVA/JNDI Exploitation Attempt (Elastic, high)
Potential Privilege Escalation via Python cap_setuid (Elastic, high)
Potential Reverse Shell via Suspicious Child Process (Elastic, high)
Potential Reverse Shell via UDP (Elastic, medium)
Potential SAP NetWeaver Exploitation (Elastic, high)
Process Spawned from Message-of-the-Day (MOTD) (Elastic, high)
Python Path File (pth) Creation (Elastic, low)
Python Site or User Customize File Creation (Elastic, low)
ROT Encoded Python Script Execution (Elastic, medium)
Script Interpreter Connection to Non-Standard Port (Elastic, medium)
Simple HTTP Web Server Connection (Elastic, low)
Simple HTTP Web Server Creation (Elastic, low)
Suspicious APT Package Manager Execution (Elastic, low)
Suspicious AWS S3 Connection via Script Interpreter (Elastic, medium)
Suspicious Browser Child Process (Elastic, high)
Suspicious Curl to Jamf Endpoint (Elastic, high)
Suspicious Emond Child Process (Elastic, medium)
Suspicious File Characteristics Due to Missing Fields (Sigma, medium)
Suspicious Installer Package Spawns Network Event (Elastic, medium)
Suspicious Interpreter Execution Detected via Defend for Containers (Elastic, medium)
Suspicious macOS MS Office Child Process (Elastic, medium)
Suspicious Python Shell Command Execution (Elastic, medium)
Suspicious React Server Child Process (Elastic, high)
Unusual Base64 Encoding/Decoding Activity (Elastic, low)
Unusual Library Load via Python (Elastic, high)
Unusual Process Spawned from Web Server Parent (Elastic, low)
Web Server Potential Command Injection Request (Elastic, low)
Web Server Spawned via Python (Elastic, medium)
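Two of the low-severity rules above, "Python Path File (pth) Creation" and "Python Site or User Customize File Creation", point at a persistence mechanism that is easy to overlook. At start-up the interpreter's site module processes every .pth file in its site-packages directories and exec()s any line that begins with "import ", and it imports a sitecustomize or usercustomize module if one is on the path. A writable site-packages directory therefore becomes code execution inside every Python process on the host, with no script on disk that looks like a script. The block below is an added example, not from the page or from the rules it lists: it shows a .pth import line actually executing when site.addsitedir() processes the directory, and a small audit that lists executing .pth lines and customize modules. The temporary directory standing in for site-packages, the file names and the marker environment variable are assumptions.

```python
"""Why .pth and sitecustomize files are a persistence concern, plus an audit check.

Added example, not from the page or from the rules it lists. A temporary
directory stands in for a real site-packages directory (assumption); the
payload line only sets an environment variable so that its execution is visible.
"""
import os
import site
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# site.addsitedir() (called by site.main() at interpreter start-up for every
# site-packages directory) exec()s any .pth line that begins with "import ".
PTH_PAYLOAD = "import os; os.environ['PTH_DEMO'] = 'executed'\n"


def plant_pth(site_dir: Path, name: str = "zz_demo.pth") -> Path:
    """Write a .pth file whose only purpose is to prove that its import line ran."""
    path = site_dir / name
    path.write_text(PTH_PAYLOAD)
    return path


def demo_pth_executes() -> str:
    """Process a planted .pth the way start-up does and report whether its line ran."""
    os.environ.pop("PTH_DEMO", None)
    with tempfile.TemporaryDirectory() as tmp:
        plant_pth(Path(tmp))
        site.addsitedir(tmp)
        sys.path[:] = [p for p in sys.path if p != tmp]  # undo the sys.path change
    return os.environ.get("PTH_DEMO", "not executed")


def audit_site_dir(site_dir: Path) -> List[Dict[str, object]]:
    """Report .pth lines that execute code and any sitecustomize/usercustomize module.

    Legitimate .pth files usually hold one directory per line. 'import' lines do
    occur legitimately (editable installs are a common benign source), so treat
    hits as review items rather than deleting them automatically.
    """
    findings: List[Dict[str, object]] = []
    for pth in sorted(site_dir.glob("*.pth")):
        for lineno, line in enumerate(pth.read_text().splitlines(), 1):
            if line.startswith(("import ", "import\t")):
                findings.append({"file": pth.name, "line": lineno,
                                 "kind": "pth_import", "text": line.strip()})
    for module in ("sitecustomize.py", "usercustomize.py"):
        if (site_dir / module).exists():
            findings.append({"file": module, "line": 0,
                             "kind": "customize_module", "text": ""})
    return findings


def demo_audit() -> List[Dict[str, object]]:
    """Audit a constructed directory: one benign .pth, one executing .pth, one sitecustomize."""
    with tempfile.TemporaryDirectory() as tmp:
        site_dir = Path(tmp)
        (site_dir / "vendor.pth").write_text("/opt/vendor/lib\n# a comment\n")  # path line only
        plant_pth(site_dir)
        (site_dir / "sitecustomize.py").write_text("# imported automatically at start-up\n")
        return audit_site_dir(site_dir)


if __name__ == "__main__":
    print("pth import line:", demo_pth_executes())
    for finding in demo_audit():
        print(finding)
```

The benign vendor.pth produces no finding because a plain path line only extends sys.path; only the line starting with "import " is executed, which is exactly the condition the audit keys on. For a real host, point audit_site_dir at the output of python3 -c "import site; print(site.getsitepackages(), site.getusersitepackages())" and compare against the file-creation events those two Elastic rules are built from.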