Python processes utilizing the PTY module to spawn a pseudo-terminal may indicate an adversary attempting to establish a reverse shell for command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential covert communication channels and mitigate advanced persistent threat activities.
Detection Rule
title: Python Spawning Pretty TTY Via PTY Module
id: c4042d54-110d-45dd-a0e1-05c47822c937
related:
    - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
      type: similar
status: test
description: |
    Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
modified: 2024-11-04
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        - Image|endswith:
            - '/python'
            - '/python2'
            - '/python3'
        - Image|contains:
            - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
            - '/python3.'
    selection_cli_import:
        CommandLine|contains:
            - 'import pty'
            - 'from pty '
    selection_cli_spawn:
        CommandLine|contains: 'spawn'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
imProcessCreate
| where ((TargetProcessName endswith "/python" or TargetProcessName endswith "/python2" or TargetProcessName endswith "/python3") or (TargetProcessName contains "/python2." or TargetProcessName contains "/python3.")) and (TargetProcessCommandLine contains "import pty" or TargetProcessCommandLine contains "from pty ") and TargetProcessCommandLine contains "spawn"
Scenario: System Administrator Using pty for Interactive Shell in Scripted Maintenance Task
Description: An admin is using Python to spawn an interactive shell via the pty module to perform a scripted maintenance task that requires user input.
Filter/Exclusion: Exclude processes where the Python script is located in /usr/bin or /bin and the command line includes --interactive or --tty.
Scenario: Scheduled Job Using pty to Run Interactive CLI Tools
Description: A scheduled job runs a Python script that uses the pty module to execute an interactive CLI tool like mysql or ssh for database maintenance.
Filter/Exclusion: Exclude processes where the parent process is a cron job or systemd service, and the command line includes known CLI tools like mysql, ssh, or telnet.
Scenario: Python-Based Automation Tool Using pty for Terminal Emulation
Description: A legitimate automation tool (e.g., pexpect, paramiko, or fabric) uses the pty module to emulate a terminal session for remote execution.
Filter/Exclusion: Exclude processes where the Python script is part of a known automation framework (e.g., pexpect, fabric) and the command line includes --pty or --interactive.
Scenario: DevOps Pipeline Using pty for Debugging or Interactive Testing
Description: A DevOps pipeline runs a Python script that spawns a pty to debug or interactively test an application during deployment.
Filter/Exclusion: Exclude processes where the parent process is a CI/CD tool (e.g., Jenkins, GitLab CI) and the script is located in a known devops directory (e.g., /opt/devops/scripts).
**Scenario: Python Script for Terminal Multiplexer (e