Techniques
Sample rules
Python Inline Command Execution
- source: sigma
- technicques:
- t1059
Description
Detects execution of python using the “-c” flag. This is could be used as a way to launch a reverse shell or execute live python code.
Detection logic
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_python:
ParentCommandLine|contains: -E -s -m ensurepip -U --default-pip
ParentImage|endswith: \python.exe
ParentImage|startswith: C:\Program Files\Python
filter_optional_pip:
CommandLine|contains|all:
- <pip-setuptools-caller>
- exec(compile(
filter_optional_vscode:
ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe
selection_cli:
CommandLine|contains: ' -c'
selection_img:
- OriginalFileName: python.exe
- Image|endswith:
- python.exe
- python3.exe
- python2.exe