Python executed with suspicious arguments

Classification:

attack

Tactic:

TA0002-execution

Technique:

T1059-command-and-scripting-interpreter

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect Python code being provided and executed on the command line using the -c flag.

Strategy

Python code can be specified on the command line using the -c flag. Attackers may use this to run “one-liners” which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. Libraries such as socket and subprocess are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.

Triage and response

  1. Review the process tree and identify if the Python command is expected.
  2. If the command is not expected, contain the host or container and roll back to a known good configuration.
  3. Start the incident response process and determine the initial entry point.

Requires Agent version 7.27 or greater