LoFP / Legitimate Python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.

Techniques

Sample rules

Python Initiated Connection

Description

Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_local_communication:
  DestinationIp: 127.0.0.1
  SourceIp: 127.0.0.1
filter_optional_conda:
  CommandLine|contains|all:
  - :\ProgramData\Anaconda3\Scripts\conda-script.py
  - update
  ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe
filter_optional_conda_jupyter_notebook:
  CommandLine|contains: C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py
  ParentImage: C:\ProgramData\Anaconda3\python.exe
selection:
  Image|contains: python
  Initiated: 'true'
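To see how the condition above resolves against real-looking telemetry, and how the baselining the false-positive note asks for can be done, the following is an added example (not part of the LoFP page or the Sigma rule) that re-implements the rule's selection, filters and condition in Python and runs them over constructed Sysmon Event ID 3 style records. The event records, paths, user names and the 203.0.113.0/24 addresses are all fabricated; Sigma's case-insensitive string matching and the AND semantics of a field map are mirrored so the results agree with what a Sigma backend would produce.

```python
"""Evaluate the 'Python Initiated Connection' Sigma logic over constructed
Sysmon Event ID 3 records and summarise what is left to baseline.

Added example; the SAMPLE_EVENTS below are fabricated, not real telemetry.
"""
from collections import Counter


def _ci(value):
    # Sigma string matching is case-insensitive; normalise once here.
    return str(value).lower()


def selection(ev):
    # selection: Image|contains: python  AND  Initiated: 'true'
    return "python" in _ci(ev.get("Image", "")) and _ci(ev.get("Initiated", "")) == "true"


def filter_main_local_communication(ev):
    # Both fields in the map must match (AND): loopback-to-loopback only.
    return ev.get("DestinationIp") == "127.0.0.1" and ev.get("SourceIp") == "127.0.0.1"


def filter_optional_conda(ev):
    # CommandLine|contains|all: every needle must appear, plus the exact parent.
    cmd = _ci(ev.get("CommandLine", ""))
    needles = [r":\programdata\anaconda3\scripts\conda-script.py", "update"]
    parent_ok = _ci(ev.get("ParentImage", "")) == r"c:\programdata\anaconda3\scripts\conda.exe"
    return all(n in cmd for n in needles) and parent_ok


def filter_optional_conda_jupyter_notebook(ev):
    cmd = _ci(ev.get("CommandLine", ""))
    parent_ok = _ci(ev.get("ParentImage", "")) == r"c:\programdata\anaconda3\python.exe"
    return r"c:\programdata\anaconda3\scripts\jupyter-notebook-script.py" in cmd and parent_ok


FILTER_MAIN = [filter_main_local_communication]
FILTER_OPTIONAL = [filter_optional_conda, filter_optional_conda_jupyter_notebook]


def rule_matches(ev):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return (selection(ev)
            and not any(f(ev) for f in FILTER_MAIN)
            and not any(f(ev) for f in FILTER_OPTIONAL))


def baseline(events):
    """Count alerts per (ParentImage, CommandLine). Each recurring legitimate
    pair is a candidate for its own filter_optional_* entry before go-live."""
    return Counter((ev.get("ParentImage", ""), ev.get("CommandLine", ""))
                   for ev in events if rule_matches(ev))


# Constructed Sysmon Event ID 3 style records (field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {"Image": r"C:\Python311\python.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"python.exe C:\Users\alice\fetch_report.py", "Initiated": "true",
     "SourceIp": "10.0.0.15", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"Image": r"C:\Python311\python.exe", "ParentImage": r"C:\Python311\python.exe",
     "CommandLine": r"python.exe -m http.server", "Initiated": "true",
     "SourceIp": "127.0.0.1", "DestinationIp": "127.0.0.1", "DestinationPort": 8000},
    {"Image": r"C:\ProgramData\Anaconda3\python.exe",
     "ParentImage": r"C:\ProgramData\Anaconda3\Scripts\conda.exe",
     "CommandLine": r"C:\ProgramData\Anaconda3\python.exe C:\ProgramData\Anaconda3\Scripts\conda-script.py update --all",
     "Initiated": "true", "SourceIp": "10.0.0.15", "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"Image": r"C:\ProgramData\Anaconda3\python.exe",
     "ParentImage": r"C:\ProgramData\Anaconda3\python.exe",
     "CommandLine": r"C:\ProgramData\Anaconda3\python.exe C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py",
     "Initiated": "true", "SourceIp": "10.0.0.15", "DestinationIp": "203.0.113.30", "DestinationPort": 443},
    {"Image": r"C:\Python311\python.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"python.exe -m pip install requests", "Initiated": "true",
     "SourceIp": "10.0.0.15", "DestinationIp": "203.0.113.40", "DestinationPort": 443},
    {"Image": r"C:\Python311\python.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"python.exe -m pip install requests", "Initiated": "true",
     "SourceIp": "10.0.0.16", "DestinationIp": "203.0.113.40", "DestinationPort": 443},
    {"Image": r"C:\Python311\python.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"python.exe C:\Users\alice\listener.py", "Initiated": "false",
     "SourceIp": "10.0.0.15", "DestinationIp": "10.0.0.99", "DestinationPort": 9000},
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl https://example.invalid", "Initiated": "true",
     "SourceIp": "10.0.0.15", "DestinationIp": "203.0.113.50", "DestinationPort": 443},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{'ALERT ' if rule_matches(ev) else 'quiet '} {ev['Image']} -> {ev['DestinationIp']}")
    print("\nBaseline (ParentImage, CommandLine) -> count:")
    for key, n in baseline(SAMPLE_EVENTS).most_common():
        print(f"  {n:3d}  {key}")
```

Run as a script, the loop flags the ad hoc script and both `pip install` connections and stays quiet on the loopback, conda, Jupyter, inbound and non-Python records. The `baseline` summary is the part the false-positive note is asking for: after collecting a few days of hits, the pairs that recur for legitimate reasons (here the two identical `pip install` invocations under `cmd.exe`) are exactly the ones to encode as additional `filter_optional_*` entries rather than suppressing the rule wholesale.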