Adversaries may use Python’s socket and pty modules to establish a reverse shell, indicating potential command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Python for stealthy remote execution.
Detection Rule
title: Python Reverse Shell Execution Via PTY And Socket Modules
id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
related:
    - id: c4042d54-110d-45dd-a0e1-05c47822c937
      type: similar
status: test
description: |
    Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
references:
    - https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-24
modified: 2024-11-04
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'python'
        CommandLine|contains|all:
            - ' -c '
            - 'import'
            - 'pty'
            - 'socket'
            - 'spawn'
            - '.connect'
    condition: selection
falsepositives:
    - Unknown
level: high
imProcessCreate
| where TargetProcessName contains "python" and (TargetProcessCommandLine contains " -c " and TargetProcessCommandLine contains "import" and TargetProcessCommandLine contains "pty" and TargetProcessCommandLine contains "socket" and TargetProcessCommandLine contains "spawn" and TargetProcessCommandLine contains ".connect")
Scenario: Scheduled Job for Network Monitoring Tool
Description: A legitimate scheduled job runs a Python script using the socket module to periodically check network connectivity or monitor traffic.
Filter/Exclusion: Exclude processes associated with known network monitoring tools (e.g., nmap, tcpdump, or custom scripts in /opt/network-monitoring/).
Example Filter: process.name != "nmap" and process.name != "tcpdump"
Scenario: Admin Task for Remote Debugging
Description: An administrator uses a Python script with socket and pty modules to debug a remote service or perform remote troubleshooting.
Filter/Exclusion: Exclude processes initiated by admin users (e.g., root, admin) during known maintenance windows or when running scripts in /root/scripts/remote_debug/.
Example Filter: user.name == "root" and process.cwd contains "/root/scripts/remote_debug"
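As an added example (not code from the rule's authors or from the original page), the following Python check applies the rule's selection and the "Admin Task for Remote Debugging" exclusion above to constructed process_creation events. The field names Image, CommandLine, User and CurrentDirectory are an assumption (Sysmon-for-Linux style naming).

```python
# Added example, not part of the Sigma rule or the original page: evaluates the
# rule's selection and the page's "Admin Task for Remote Debugging" exclusion
# over constructed process_creation events. Field names (Image, CommandLine,
# User, CurrentDirectory) follow Sysmon-for-Linux style naming, an assumption.

# The CommandLine|contains|all list from the rule, verbatim.
REQUIRED_TOKENS = (" -c ", "import", "pty", "socket", "spawn", ".connect")


def matches_rule(event: dict) -> bool:
    """Sigma `contains` (like KQL `contains`) is case-insensitive, so normalise first."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if "python" not in image:            # Image|contains: 'python'
        return False
    return all(tok in cmdline for tok in REQUIRED_TOKENS)


def excluded_admin_debug(event: dict) -> bool:
    """The page's example filter for the admin scenario:
    user.name == "root" and process.cwd contains "/root/scripts/remote_debug"."""
    return (event.get("User") == "root"
            and "/root/scripts/remote_debug" in event.get("CurrentDirectory", ""))


def should_alert(event: dict) -> bool:
    return matches_rule(event) and not excluded_admin_debug(event)


# Constructed sample events. The suspicious command line is deliberately
# truncated with <elided>; it only carries the tokens the rule looks for.
SUSPICIOUS_CMD = 'python3 -c "import socket,pty;<elided>.connect(<elided>);pty.spawn(<elided>)"'
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/python3", "CommandLine": SUSPICIOUS_CMD,
     "User": "www-data", "CurrentDirectory": "/var/www"},                # alert
    {"Image": "/usr/bin/python3", "CommandLine": SUSPICIOUS_CMD,
     "User": "root", "CurrentDirectory": "/root/scripts/remote_debug"},  # excluded
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 /opt/network-monitoring/check.py",
     "User": "monitor", "CurrentDirectory": "/opt/network-monitoring"},  # no tokens
    {"Image": "/usr/bin/bash", "CommandLine": 'bash -c "import socket pty spawn .connect"',
     "User": "dev", "CurrentDirectory": "/tmp"},                         # not python
]


def alerting_users(events: list) -> list:
    """Users whose events survive both the rule selection and the exclusion."""
    return [e["User"] for e in events if should_alert(e)]


if __name__ == "__main__":
    print(alerting_users(SAMPLE_EVENTS))  # ['www-data']
```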
Scenario: Integration with Legacy Systems
Description: A Python script is used to interface with a legacy system via a socket connection, using the pty module to maintain terminal compatibility.
Filter/Exclusion: Exclude processes that connect to known legacy system endpoints (e.g., 10.0.0.5:8080) or use specific libraries like paramiko or pySerial.
Example Filter: destination_ip == "10.0.0.5" or process.name contains "paramiko"
Scenario: CI/CD Pipeline for Python Application Deployment
Description: A CI/CD pipeline runs a Python script that uses the socket module to communicate with a deployment server during a deployment process.
Filter/Exclusion: Exclude processes running from known CI/CD directories (e.g., /var/lib/jenkins/workspace/) or