LoFP / python libraries that use a flag starting with "-c". Filter according to your environment

Techniques

Sample rules

Python Inline Command Execution

Description

Detects execution of python using the "-c" flag. This could be used as a way to launch a reverse shell or to execute live python code.

Detection logic

condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_python_1:
  ParentCommandLine|contains: -E -s -m ensurepip -U --default-pip
  ParentImage|endswith: \python.exe
  ParentImage|startswith:
  - C:\Program Files\Python
  - C:\Program Files (x86)\Python
filter_main_python_trace:
  CommandLine|contains|all:
  - -W ignore::DeprecationWarning
  - '[''install'', ''--no-cache-dir'', ''--no-index'', ''--find-links'','
  - '''--upgrade'', ''pip'''
  ParentImage|startswith:
  - C:\Program Files\Python
  - C:\Program Files (x86)\Python
filter_optional_pip:
  CommandLine|contains|all:
  - <pip-setuptools-caller>
  - exec(compile(
filter_optional_vscode:
- ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe
- ParentImage:
  - C:\Program Files\Microsoft VS Code\Code.exe
  - C:\Program Files (x86)\Microsoft VS Code\Code.exe
selection_cli:
  CommandLine|contains: ' -c'
selection_img:
- OriginalFileName: python.exe
- Image|endswith:
  - python.exe
  - python3.exe
  - python2.exe
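Added example, not code from LoFP or the SigmaHQ project: the rule's selection and filter logic above, evaluated in Python over constructed process-creation events so the false-positive filters can be checked (an ensurepip bootstrap child and a VS Code child are filtered, a bare python -c launched from cmd.exe still alerts). It assumes Sigma's default case-insensitive string matching for contains/startswith/endswith.

```python
# Added example, not LoFP's or SigmaHQ's code: the rule's selection and filter
# logic, evaluated over constructed process-creation events. Sigma string
# modifiers are case-insensitive by default, so both sides are lowercased.
PY_DIRS = [r"C:\Program Files\Python", r"C:\Program Files (x86)\Python"]
VSCODE_EXE = [r"C:\Program Files\Microsoft VS Code\Code.exe",
              r"C:\Program Files (x86)\Microsoft VS Code\Code.exe"]
PIP_TRACE = ["-W ignore::DeprecationWarning",  # YAML '' unescaped to a single quote
             "['install', '--no-cache-dir', '--no-index', '--find-links',",
             "'--upgrade', 'pip'"]

def field(event, name):  # missing field behaves like an empty string
    return str(event.get(name, "")).lower()
def any_of(event, name, values, op):  # a YAML list of values is an OR
    return any(op(field(event, name), v.lower()) for v in values)
contains, starts, ends = (lambda s, v: v in s), str.startswith, str.endswith

def selection(e):  # all of selection_*
    img = (field(e, "OriginalFileName") == "python.exe"
           or any_of(e, "Image", ["python.exe", "python3.exe", "python2.exe"], ends))
    return contains(field(e, "CommandLine"), " -c") and img

def filter_main(e):  # 1 of filter_main_*
    python_1 = (contains(field(e, "ParentCommandLine"), "-e -s -m ensurepip -u --default-pip")
                and ends(field(e, "ParentImage"), r"\python.exe")
                and any_of(e, "ParentImage", PY_DIRS, starts))
    python_trace = (all(contains(field(e, "CommandLine"), v.lower()) for v in PIP_TRACE)
                    and any_of(e, "ParentImage", PY_DIRS, starts))
    return python_1 or python_trace

def filter_optional(e):  # 1 of filter_optional_*
    pip = all(contains(field(e, "CommandLine"), v) for v in ["<pip-setuptools-caller>", "exec(compile("])
    vscode = (ends(field(e, "ParentImage"), r"\appdata\local\programs\microsoft vs code\code.exe")
              or any_of(e, "ParentImage", VSCODE_EXE, str.__eq__))
    return pip or vscode

def matches(e):  # the rule's condition line
    return selection(e) and not filter_main(e) and not filter_optional(e)

# Constructed sample events, not real telemetry.
EVENTS = {
    "cmd_child": {"Image": r"C:\Python311\python.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
                  "CommandLine": 'python.exe -c "print(1)"'},
    "ensurepip": {"Image": r"C:\Program Files\Python311\python.exe", "CommandLine": 'python.exe -c "import runpy"',
                  "ParentImage": r"C:\Program Files\Python311\python.exe",
                  "ParentCommandLine": r'"C:\Program Files\Python311\python.exe" -E -s -m ensurepip -U --default-pip'},
    "vscode": {"Image": r"C:\Python311\python.exe", "CommandLine": 'python.exe -c "import sys; print(sys.path)"',
               "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe"},
}
RESULTS = {name: matches(ev) for name, ev in EVENTS.items()}  # True means the rule fires
```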