From 4f4ef7a8cc077b2b54c71c598db50fe8b1f14d55 Mon Sep 17 00:00:00 2001
From: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Date: Mon, 4 Nov 2024 12:15:00 +0100
Subject: [PATCH] Merge PR #5042 from @wieso-itzi - Update Python PTY rules

update: Python Spawning Pretty TTY Via PTY Module
- Update the logic to account for the possibility of calling the spawn function via a variable, as an alias or other methods.
update: Python Reverse Shell Execution Via PTY And Socket Modules
- Add additional strings to increase accuracy and coverage.

---------

Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_lnx_python_pty_spawn.yml | 21 ++++++++++---------
 ...proc_creation_lnx_python_reverse_shell.yml | 10 +++++----
 2 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
index a75bd0cbd09..374279fbf01 100644
--- a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
@@ -1,15 +1,16 @@
-title: Python Spawning Pretty TTY
+title: Python Spawning Pretty TTY Via PTY Module
 id: c4042d54-110d-45dd-a0e1-05c47822c937
 related:
 - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
 type: similar
 status: test
-description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity
+description: |
 Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
 references:
 - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
 author: Nextron Systems
 date: 2022-06-03
-modified: 2023-06-16
+modified: 2024-11-04
 tags:
 - attack.execution
 - attack.t1059
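Review bot: The new `description` block says the rule detects a process "calling to the PTY module", but the detection in the next hunk only matches substrings of the command line (`import pty` or `from pty ` together with `spawn`), so the prose over-promises what is actually observed and the phrase "calling to" reads awkwardly; suggest `Detects a python process whose command line imports the pty module and references spawn, which could be indicative of potential reverse shell activity.`. The same mismatch is present in the reverse shell rule's first hunk in this commit, whose description speaks of "calls to the socket and pty module" while its logic is likewise a keyword match on the command line. Keeping the description aligned with the real match condition is what lets an analyst triaging a hit decide quickly whether the keywords appeared in a benign script invocation.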
@@ -25,13 +26,13 @@ detection:
 - Image|contains:
 - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
 - '/python3.'
- selection_cli_1:
- CommandLine|contains|all:
+ selection_cli_import:
+ CommandLine|contains:
 - 'import pty'
- - '.spawn('
- selection_cli_2:
- CommandLine|contains: 'from pty import spawn'
- condition: selection_img and 1 of selection_cli_*
+ - 'from pty '
+ selection_cli_spawn:
+ CommandLine|contains: 'spawn'
+ condition: all of selection_*
 falsepositives:
 - Unknown
-level: high
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
index 218f8e6e99c..202d8034fc6 100644
--- a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
@@ -1,15 +1,16 @@
-title: Potential Python Reverse Shell
+title: Python Reverse Shell Execution Via PTY And Socket Modules
 id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
 related:
 - id: c4042d54-110d-45dd-a0e1-05c47822c937
 type: similar
 status: test
-description: Detects executing python with keywords related to network activity that could indicate a potential reverse shell
+description: |
 Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
 references:
- - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
 author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
 date: 2023-04-24
+modified: 2024-11-04
 tags:
 - attack.execution
 logsource:
@@ -22,7 +23,8 @@ detection:
 - ' -c '
 - 'import'
 - 'pty'
- - 'spawn('
+ - 'socket'
+ - 'spawn'
 - '.connect'
 condition: selection
 falsepositives:
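Review bot: The trailing space inside `'from pty '` in `selection_cli_import` is load-bearing — it is what stops the string from also matching imports of other modules whose name merely starts with `pty` — yet nothing in the rule says so, and anyone "tidying" whitespace would silently widen the match; add `- 'from pty '  # trailing space intentional: keeps longer module names from matching`. The companion `CommandLine|contains: 'spawn'` likewise deserves a why-comment, because the commit message (not the rule) is the only place explaining that the `(` was dropped so that `spawn` reached through a variable or alias is still caught; the same undocumented `'spawn('` → `'spawn'` relaxation appears in the reverse shell rule's second hunk. Note that a bare `spawn` on a command line that also imports pty will now also match unrelated uses such as `os.spawn*` or the multiprocessing `'spawn'` start method, which is presumably why `level` drops to medium; `falsepositives` is still `Unknown` and is the natural place to record that.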
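Review bot: Both `'socket'` and the unparenthesized `'spawn'` loosen this keyword list, but the selection's modifier (`contains|all` or a plain `contains`) and the rule's `level` both sit outside the hunk, so it cannot be seen here whether all six strings are still required together; please confirm the selection is `CommandLine|contains|all`, since with a plain `contains` the new `'socket'` entry alone would fire on any command line mentioning sockets. The sibling pty rule in this same commit lowered its `level` to medium when it made the identical `'spawn('` → `'spawn'` change, while this rule's level is left untouched, and the `falsepositives` entries that follow the last context line should be re-checked against the looser keywords. The selection this hunk edits starts before the hunk, and its `condition: selection` line shown as context is the only part of the logic visible.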