PyTorch model loaded followed by shell execution
What happened
A Python process spawned a shell shortly after loading a PyTorch model. This behavior can indicate that a malicious model attempted to execute arbitrary code.
Goal
Detect Python processes that spawn a shell after loading a PyTorch model, which can indicate malicious code execution through pickle deserialization.
Strategy
PyTorch models are commonly serialized using Python’s pickle module. Because pickle can execute arbitrary code during deserialization, attackers can embed malicious payloads in a model file that run when the model is loaded.
This detection looks for a suspicious sequence of events within the same Python process:
- The process loads the pickle module (for example, by opening __init__*.pyc or pickle*.pyc files)
- The process opens a PyTorch model file (for example, *.pth)
- The process subsequently executes shell processes (for example, bash, sh, or zsh)
This pattern is highly suspicious, as legitimate PyTorch model loading operations should not result in shell execution. Training or inference scripts that shell out for unrelated reasons after loading a model (for example, to call a system utility through subprocess) can also match the sequence, so confirm what the shell actually ran before escalating.
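The following is an added illustration of the three-stage sequence above, not the rule's actual implementation or the agent's event format. It runs the ordering logic over a constructed set of per-process events (pid, comm, action, target) and raises an alert only for a Python process that opens a pickle .pyc, then a .pth file, then executes a shell, in that order.

```python
import fnmatch
import os
from collections import defaultdict

# Constructed sample events (not a real agent log format): "pid comm action target".
# Process 4242 performs the full sequence; every other process misses a stage
# or hits the stages out of order, so none of them should alert.
SAMPLE_EVENTS = """\
4242 python3 open /usr/lib/python3.11/__pycache__/pickle.cpython-311.pyc
4242 python3 open /home/ml/models/resnet50.pth
4242 python3 exec /bin/bash
5151 python3 open /usr/lib/python3.11/__pycache__/pickle.cpython-311.pyc
5151 python3 open /home/ml/models/clean.pth
5151 python3 open /home/ml/data/batch.npy
6161 python3 open /home/ml/models/other.pth
6161 python3 exec /bin/sh
7171 python3 exec /bin/zsh
7171 python3 open /usr/lib/python3.11/__pycache__/pickle.cpython-311.pyc
7171 python3 open /home/ml/models/late.pth
8181 bash open /home/ml/models/not-python.pth
"""

PICKLE_PYC = ("__init__*.pyc", "pickle*.pyc")   # file patterns named by the rule
MODEL_FILES = ("*.pth",)
SHELLS = {"bash", "sh", "zsh"}
STAGES = ("pickle_loaded", "model_opened", "shell_spawned")


def parse_event(line):
    pid, comm, action, target = line.split(maxsplit=3)
    return int(pid), comm, action, target


def stage_of(comm, action, target):
    """Map one event to the rule stage it satisfies, or None if it is irrelevant."""
    if not comm.startswith("python"):
        return None
    name = os.path.basename(target)
    if action == "open":
        if any(fnmatch.fnmatch(name, pat) for pat in PICKLE_PYC):
            return "pickle_loaded"
        if any(fnmatch.fnmatch(name, pat) for pat in MODEL_FILES):
            return "model_opened"
    elif action == "exec" and name in SHELLS:
        return "shell_spawned"
    return None


def detect(lines):
    """Return one alert per pid that completes all three stages in order."""
    progress = defaultdict(int)     # pid -> index of the next stage it still needs
    evidence = defaultdict(list)    # pid -> the events that satisfied each stage
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        pid, comm, action, target = parse_event(line)
        stage = stage_of(comm, action, target)
        if stage is None or progress[pid] >= len(STAGES):
            continue
        # Only the stage the process is currently waiting for advances it;
        # a shell exec before the model open (pid 7171) does not count.
        if stage == STAGES[progress[pid]]:
            evidence[pid].append(line.strip())
            progress[pid] += 1
            if progress[pid] == len(STAGES):
                alerts.append({"pid": pid, "evidence": list(evidence[pid])})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT pid={alert['pid']}")
        for event in alert["evidence"]:
            print("   ", event)
```

Note that the __init__*.pyc pattern matches the import of any package, so on its own it carries little signal; the ordering and the subsequent .pth open and shell exec within the same process are what make the sequence worth alerting on.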
Triage and response
- Review the PyTorch model that was loaded and determine its source and legitimacy.
- Examine the process tree to identify the parent Python process and any spawned shell commands.
- Check the command-line arguments and environment variables of the shell process to understand what code was executed.
- Investigate where the model file originated from:
  - Was it downloaded from an untrusted source?
  - Was it transferred from an external location?
  - Has the model file been modified recently?
- If the activity is confirmed as malicious:
  - Immediately contain the affected host or container.
  - Roll back to a known good configuration.
  - Remove or quarantine the malicious model file.
  - Review any data access or exfiltration that may have occurred.
  - Start the incident response process and determine the initial entry point.
  - Scan for similar malicious models across your infrastructure.
- Consider implementing controls to verify model integrity before loading (such as digital signatures or checksums).
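As an added example of the integrity control recommended above (not part of this rule or of PyTorch itself), the following loader checks a model file's SHA-256 against a hypothetical manifest before unpickling it, and then unpickles with an allowlist of globals so that a file whose digest was wrongly trusted still cannot call into os or subprocess. The "model files" are constructed in-line: a benign OrderedDict standing in for a state dict, and a pickle whose __reduce__ would invoke os.system on load.

```python
import hashlib
import io
import os
import pickle
from collections import OrderedDict


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Globals a plain state-dict-style file legitimately needs. Real PyTorch checkpoints
# also reference torch internals; extend this allowlist with those names deliberately,
# never with os, subprocess, builtins.eval or similar.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global that is not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def check_model(data: bytes, name: str, manifest: dict):
    """Verify the digest first, then unpickle with the allowlist.
    Returns ("ok", obj), ("digest-mismatch", detail) or ("unsafe-global", detail)."""
    digest = sha256_of(data)
    if manifest.get(name) != digest:
        return "digest-mismatch", f"{name}: sha256 {digest[:16]}... not in manifest"
    try:
        return "ok", restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return "unsafe-global", str(exc)


# --- constructed test files (not real PyTorch checkpoints) ---

# A benign "state dict": parameter names mapped to lists of floats.
GOOD_MODEL = pickle.dumps(OrderedDict([("fc.weight", [0.1, 0.2]), ("fc.bias", [0.0])]))


class _ShellOnLoad:
    # __reduce__ tells the unpickler to call an arbitrary callable with arguments,
    # which is how pickle executes code at load time. The command is a harmless echo
    # and this file is never unpickled without the allowlist in this example.
    # os.system is recorded in the pickle as posix.system on Unix-like systems.
    def __reduce__(self):
        return (os.system, ("echo pickle payload ran",))


BAD_MODEL = pickle.dumps(_ShellOnLoad())

# Hypothetical manifest shipped with the model; digest recorded when the file was trusted.
TRUSTED_MANIFEST = {"resnet50.pth": sha256_of(GOOD_MODEL)}


if __name__ == "__main__":
    print(check_model(GOOD_MODEL, "resnet50.pth", TRUSTED_MANIFEST))
    print(check_model(BAD_MODEL, "resnet50.pth", TRUSTED_MANIFEST))
    # A manifest that was itself tampered with: the allowlist still blocks the payload.
    print(check_model(BAD_MODEL, "resnet50.pth", {"resnet50.pth": sha256_of(BAD_MODEL)}))
```

A digest only proves the file is the one whose hash was recorded; it says nothing about whether that file was malicious when the hash was taken, which is why the allowlisted unpickler is the second layer. Newer PyTorch releases offer a comparable restriction through torch.load's weights_only=True option.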
Additional context
This attack vector has been observed in supply chain attacks where malicious actors distribute compromised machine learning models through model repositories, through shared storage, or by compromising legitimate model sources. The pickle serialization format used by PyTorch is inherently unsafe when deserializing untrusted data.
Requires Agent version 7.27 or greater