Python executed with suspicious arguments
What happened
Python was executed on the command line using the -c flag with suspicious keywords that could be used to establish a reverse shell.
Goal
Detect Python code being provided and executed on the command line using the -c flag.
Strategy
Python code can be specified on the command line using the -c flag. Attackers may use this to run “one-liners” which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. Libraries such as socket and subprocess are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.
Triage and response
- Review the process tree and identify if the Python command is expected.
- If the command is not expected, contain the host or container and roll back to a known good configuration.
- Start the incident response process and determine the initial entry point.
Requires Agent version 7.27 or greater