Python executed with suspicious arguments

Classification:

attack

Tactic:

TA0002-execution

Technique:

T1059-command-and-scripting-interpreter

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect Python code being provided and executed on the command line using the -c flag.

Strategy

Python code can be specified on the command line using the -c flag. Attackers may use this to run “one-liners” which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. Libraries such as socket and subprocess are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.

Triage and response

  1. Review the process tree and identify if the Python command is expected.
  2. If the command is not expected, contain the host or container and roll back to a known good configuration.
  3. Start the incident response process and determine the initial entry point.

Requires Agent version 7.27 or greater