Techniques
Sample rules
Python Script Execution via Command Line
- source: elastic
- techniques:
- T1059
Description
Identifies when a Python script is executed from command line input (the `-c` flag) and imports the sys module. Attackers often use this method to execute malicious scripts while avoiding writing them to disk.
Detection logic
process where event.type in ("start", "process_started") and
process.name : "python*" and process.args : "-c" and process.args : "*import*sys*"