Python executed with suspicious arguments

Classification:

attack

Tactic:

TA0002-execution

Technique:

T1059-command-and-scripting-interpreter

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

What happened

Python was executed on the command line, using the -c flag with suspicious keywords that could be used to establish a reverse shell.

Goal

Detect Python code being provided and executed on the command line using the -c flag.

Strategy

Python code can be specified on the command line using the -c flag. Attackers may use this to run “one-liners” which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. Libraries such as socket and subprocess are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.

Triage and response

  1. Review the process tree and identify if the Python command is expected.
  2. If the command is not expected, contain the host or container and roll back to a known good configuration.
  3. Start the incident response process and determine the initial entry point.

Requires Agent version 7.27 or greater