The hypothesis is that an adversary is using a tool to inject arbitrary code into running Python processes to maintain persistence or execute malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of Python-based applications and prevent further lateral movement or data exfiltration.
YARA Rule
rule hacktool_multi_pyrasite_py
{
    meta:
        description = "A tool for injecting arbitrary code into running Python processes."
        reference = "https://github.com/lmacken/pyrasite"
        author = "@fusionrace"
        id = "92cef916-5919-562f-ae5a-06a1e79a8197"
    strings:
        $s1 = "WARNING: ptrace is disabled. Injection will not work." fullword ascii wide
        $s2 = "A payload that connects to a given host:port and receives commands" fullword ascii wide
        $s3 = "A reverse Python connection payload." fullword ascii wide
        $s4 = "pyrasite - inject code into a running python process" fullword ascii wide
        $s5 = "The ID of the process to inject code into" fullword ascii wide
        $s6 = "This file is part of pyrasite." fullword ascii wide
        $s7 = "https://github.com/lmacken/pyrasite" fullword ascii wide
        $s8 = "Setup a communication socket with the process by injecting" fullword ascii wide
        $s9 = "a reverse subshell and having it connect back to us." fullword ascii wide
        $s10 = "Write out a reverse python connection payload with a custom port" fullword ascii wide
        $s11 = "Wait for the injected payload to connect back to us" fullword ascii wide
        $s12 = "PyrasiteIPC" fullword ascii wide
        $s13 = "A reverse Python shell that behaves like Python interactive interpreter." fullword ascii wide
        $s14 = "pyrasite cannot establish reverse" fullword ascii wide
    condition:
        any of them
}
This rule contains 14 string patterns in its detection logic, and any one of them matching is enough to fire. The following benign scenarios may overlap with it; each lists the filter or exclusion to apply when deploying the rule.
Scenario: Scheduled Python Script Execution
Description: A legitimate scheduled job runs a Python script using cron or Task Scheduler, which may trigger the rule due to code injection patterns.
Filter/Exclusion: Exclude processes initiated by cron or Task Scheduler using the process.parent_process_name or process.command_line fields.
Scenario: Python Virtual Environment Setup
Description: A system administrator is setting up a new Python virtual environment using venv or virtualenv, which may involve dynamic code execution.
Filter/Exclusion: Exclude processes where the command line includes venv or virtualenv and the user is a system admin.
Scenario: Code Deployment via CI/CD Pipeline
Description: A CI/CD tool like Jenkins or GitLab CI is deploying code to a Python application, which may involve injecting code during the deployment process.
Filter/Exclusion: Exclude processes initiated by CI/CD agents (e.g., jenkins, gitlab-runner) using the process.parent_process_name or process.user field.
Scenario: Python Interpreter Invocation for Debugging
Description: A developer is using pdb (Python Debugger) or ipdb to debug a script, which may involve dynamic code injection.
Filter/Exclusion: Exclude processes where the command line includes pdb, ipdb, or python -m pdb.
Scenario: System-Wide Python Module Installation
Description: An admin is using pip or pip3 to install Python modules system-wide, which may trigger code injection patterns.
Filter/Exclusion: Exclude processes where the command line includes pip install or pip3 install and the user has elevated privileges.
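As an added example (not part of the original rule or of the pyrasite project), the following pure-Python scanner reproduces the rule's matching logic, including the `fullword ascii wide` modifiers, so the 14 strings can be checked against file bytes or a memory dump without yara-python. The neighbour test for `fullword` is an approximation of YARA's, and the sample inputs are constructed.

```python
import re
# The 14 strings from the rule above, reproduced so the scanner is self-contained.
PYRASITE_STRINGS = [
    "WARNING: ptrace is disabled. Injection will not work.",
    "A payload that connects to a given host:port and receives commands",
    "A reverse Python connection payload.",
    "pyrasite - inject code into a running python process",
    "The ID of the process to inject code into",
    "This file is part of pyrasite.",
    "https://github.com/lmacken/pyrasite",
    "Setup a communication socket with the process by injecting",
    "a reverse subshell and having it connect back to us.",
    "Write out a reverse python connection payload with a custom port",
    "Wait for the injected payload to connect back to us",
    "PyrasiteIPC",
    "A reverse Python shell that behaves like Python interactive interpreter.",
    "pyrasite cannot establish reverse",
]
ASCII_ALNUM = re.compile(rb"[A-Za-z0-9]")

def _is_alnum(chunk, wide):
    # Approximates YARA's fullword neighbour test: an ASCII alphanumeric byte, or for
    # wide strings a UTF-16LE code unit with an alphanumeric low byte and a zero high byte.
    if wide:
        return len(chunk) == 2 and chunk[1] == 0 and ASCII_ALNUM.fullmatch(chunk[:1]) is not None
    return ASCII_ALNUM.fullmatch(chunk) is not None

def _fullword_hits(data, needle, wide):
    """Offsets where needle occurs with no alphanumeric character on either side."""
    enc = needle.encode("utf-16-le" if wide else "ascii")  # `wide` = UTF-16LE form
    step = 2 if wide else 1
    hits, start = [], 0
    while (i := data.find(enc, start)) != -1:
        before = data[max(0, i - step):i]
        after = data[i + len(enc):i + len(enc) + step]
        if not _is_alnum(before, wide) and not _is_alnum(after, wide):
            hits.append(i)
        start = i + 1
    return hits

def scan_pyrasite(data):
    # Every (string id, encoding, offset) hit; the rule's `any of them` is "list is non-empty".
    return [(f"$s{n}", "wide" if wide else "ascii", off)
            for n, s in enumerate(PYRASITE_STRINGS, 1)
            for wide in (False, True)
            for off in _fullword_hits(data, s, wide)]

# Constructed sample inputs (not real files): an ASCII hit, a UTF-16LE hit, and a near miss
# where the string sits inside a longer identifier, so fullword rejects it.
SAMPLE_HIT = b"#!/usr/bin/env python\n# This file is part of pyrasite.\nclass PyrasiteIPC(object):\n"
SAMPLE_WIDE = "x PyrasiteIPC y".encode("utf-16-le")
SAMPLE_MISS = b"class MyPyrasiteIPCWrapper: pass\n"
```

Running `scan_pyrasite` over each sample shows why the scenarios above are really about where the rule is applied (scanned files and process memory) rather than about command lines: a hit is decided purely by the bytes scanned.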