Adversaries may use inline Python code execution via the OS system library to spawn a shell and establish command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence or remote code execution threats.
Detection Rule
title: Inline Python Execution - Spawn Shell Via OS System Library
id: 2d2f44ff-4611-4778-a8fc-323a0e9850cc
status: test
description: |
Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
references:
- https://gtfobins.github.io/gtfobins/python/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
- Image|endswith:
- '/python'
- '/python2'
- '/python3'
- Image|contains:
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
selection_cli:
CommandLine|contains|all:
- ' -c '
- 'os.system('
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
imProcessCreate
| where ((TargetProcessName endswith "/python" or TargetProcessName endswith "/python2" or TargetProcessName endswith "/python3") or (TargetProcessName contains "/python2." or TargetProcessName contains "/python3.")) and ((TargetProcessCommandLine contains " -c " and TargetProcessCommandLine contains "os.system(") and (TargetProcessCommandLine contains "/bin/bash" or TargetProcessCommandLine contains "/bin/dash" or TargetProcessCommandLine contains "/bin/fish" or TargetProcessCommandLine contains "/bin/sh" or TargetProcessCommandLine contains "/bin/zsh"))Scenario: Scheduled System Maintenance via Task Scheduler
Description: A system administrator schedules a Python script via Windows Task Scheduler to perform routine maintenance (e.g., log rotation, disk cleanup).
Filter/Exclusion: Check for CommandLine containing schtasks or Task Scheduler in the parent process, or filter by known maintenance script paths (e.g., C:\Windows\System32\).
Scenario: Python-based CI/CD Pipeline Job
Description: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) runs a Python script to build or deploy code, which includes inline Python code execution.
Filter/Exclusion: Filter by process names like jenkins.exe, github-runner.exe, or dockerd.exe, or check for presence of CI/CD environment variables (e.g., GITHUB_ACTIONS, JENKINS_HOME).
Scenario: Admin Task Using Python for Reporting
Description: An admin uses Python scripts (e.g., pandas, matplotlib) to generate reports or export data from internal databases.
Filter/Exclusion: Filter by known admin tools or script locations (e.g., C:\Program Files\Python39\, C:\Users\Administrator\Scripts\). Check for presence of reporting tools or database connection strings.
Scenario: Inline Python in Ansible Playbooks
Description: Ansible playbooks may include inline Python code for configuration management or automation tasks.
Filter/Exclusion: Check for ansible-playbook in the parent process, or filter by Ansible-related directories (e.g., C:\Program Files\Ansible\, ~/.ansible/).
Scenario: Python Script for Log Analysis
Description: A Python script is used to parse and analyze system logs, which may include