Adversaries may use Python to compile malicious executables from source code, leveraging its cross-platform capabilities for persistence and execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential threat actors exploiting Python for code compilation and execution in their environment.
YARA Rule
rule Stuxnet_MadeInPython
{
    meta:
        description = "Python has been used frequently by threat actors for compiling executable file with source code. I found python Stuxnet source code that can be executed with required dependencies. This rule is created in hopes to catch potential breakout of future Stuxnet."
        author = "Jin Kim"
        reference = "https://github.com/kenmueller/stuxnet"
        date = "2020-12-23"
    strings:
        // The main function includes this call as its second function call.
        $str1 = "old_infected_attributes = node_infected_attributes(graph)"
        // def node_total_attributes(graph: nx.Graph) -> dict:
        //     filter_for_node_type = lambda node_type: list(filter(lambda node: get_node_type(graph, node) == node_type, graph.node))
        //     return {
        //         NodeType.COMPUTER: len(filter_for_node_type(NodeType.COMPUTER)),
        //         NodeType.DISCONNECTED_COMPUTER: len(filter_for_node_type(NodeType.DISCONNECTED_COMPUTER)),
        //         NodeType.USB: len(filter_for_node_type(NodeType.USB)),
        //         NodeType.PLC: len(filter_for_node_type(NodeType.PLC)),
        //         'total': len(graph.node)
        $str2 = "NodeType.DISCONNECTED_COMPUTER"
        // Found in create-graph.py.
        // This loop adds router nodes and computer nodes for all the wireless networks:
        //     for router_node in range(NUMBER_OF_LOCAL_WIRED_NETWORKS, NUMBER_OF_LOCAL_NETWORKS):
        //         add_computer_nodes(graph, EdgeType.LOCAL_WIRELESS, router_node)
        $str3 = "add_computer_nodes(graph, EdgeType.LOCAL_WIRELESS, router_node)"
    condition:
        any of them
}
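The following is an added example, not part of the rule or of the kenmueller/stuxnet project: a small pure-Python scanner that re-implements the detection logic above (the three string patterns and the `any of them` condition) so the rule's behaviour can be exercised offline without the yara-python binding. The three patterns are copied verbatim from the rule; the files it scans are constructed for this example and contain no real malware. It also scans large files in chunks with an overlap of (longest pattern - 1) bytes, which is the usual way to avoid missing a pattern that straddles a chunk boundary.

```python
"""Added example: minimal re-implementation of Stuxnet_MadeInPython's
string matching and `any of them` condition (not the page's own code)."""
import os
import tempfile

# The rule's three patterns, keyed by their identifiers in the rule.
STRINGS = {
    "$str1": b"old_infected_attributes = node_infected_attributes(graph)",
    "$str2": b"NodeType.DISCONNECTED_COMPUTER",
    "$str3": b"add_computer_nodes(graph, EdgeType.LOCAL_WIRELESS, router_node)",
}

# Chunked scanning: keep (longest pattern - 1) bytes of the previous chunk so
# a pattern split across a chunk boundary is still found exactly once.
CHUNK_SIZE = 64 * 1024
OVERLAP = max(len(s) for s in STRINGS.values()) - 1


def find_strings(data: bytes) -> dict:
    """Return {identifier: [offsets]} for every pattern present in `data`."""
    hits = {}
    for ident, pattern in STRINGS.items():
        offsets = []
        pos = data.find(pattern)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(pattern, pos + 1)
        if offsets:
            hits[ident] = offsets
    return hits


def scan_file(path: str) -> dict:
    """Scan one file in chunks; return {identifier: [absolute file offsets]}."""
    hits: dict = {}
    with open(path, "rb") as fh:
        base = 0    # file offset of the first byte of the current chunk
        tail = b""  # last OVERLAP bytes carried over from the previous window
        while True:
            chunk = fh.read(CHUNK_SIZE)
            if not chunk:
                break
            window = tail + chunk
            window_base = base - len(tail)
            for ident, offsets in find_strings(window).items():
                for off in offsets:
                    # A hit lying entirely inside the carried-over tail was
                    # already reported from the previous window; skip it.
                    if off + len(STRINGS[ident]) <= len(tail):
                        continue
                    hits.setdefault(ident, []).append(window_base + off)
            base += len(chunk)
            tail = window[-OVERLAP:] if OVERLAP else b""
    return hits


def rule_matches(hits: dict) -> bool:
    """The rule's condition is `any of them`: a single matching string fires."""
    return bool(hits)


def scan_tree(root: str) -> dict:
    """Return {path: hits} for every file under `root` that matches the rule."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if rule_matches(hits):
                results[path] = hits
    return results


def build_sample_tree() -> str:
    """Constructed sample files for a self-contained run (not real samples)."""
    root = tempfile.mkdtemp(prefix="yara_demo_")
    samples = {
        # Benign cleanup script: none of the patterns present -> no match.
        "cleanup.py": b"import os\nfor f in os.listdir('/tmp'):\n    pass\n",
        # Exactly one pattern present -> `any of them` is satisfied.
        "graph.py": b"x = 1\n" + STRINGS["$str2"] + b"\n",
        # Pattern deliberately placed across the CHUNK_SIZE boundary.
        "padded.bin": b"A" * (CHUNK_SIZE - 10) + STRINGS["$str1"] + b"B" * 100,
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_tree()).items():
        print(path, hits)
```

Because the condition is `any of them`, a single hit on `$str2` (a plain enum-style name) is enough to fire, so expect this rule to be noisy on source trees that merely reuse that identifier; the offsets returned by `scan_file` let an analyst confirm which string fired and where before escalating.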
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: Scheduled Python-based system cleanup task
Description: A legitimate scheduled task runs a Python script to clean up temporary files or logs.
Filter/Exclusion: process.parent_process_name:"Task Scheduler" OR process.command_line:"clean" OR "cleanup"

Scenario: Python-based CI/CD pipeline job
Description: A continuous integration/continuous deployment (CI/CD) pipeline uses Python scripts to build or test code.
Filter/Exclusion: process.parent_process_name:"Jenkins" OR "GitLab" OR "GitHub Actions" OR process.command_line:"build" OR "test"

Scenario: Python script for generating reports
Description: A Python script is used to generate automated reports from database queries.
Filter/Exclusion: process.command_line:"report" OR "generate" OR "export" OR process.parent_process_name:"MySQL" OR "PostgreSQL"

Scenario: Python-based admin tool for system monitoring
Description: An admin uses a Python script to monitor system performance or collect metrics.
Filter/Exclusion: process.parent_process_name:"Windows Task Scheduler" OR "System" OR process.command_line:"monitor" OR "metrics"

Scenario: Python script for compiling documentation
Description: A Python script is used to compile documentation using tools like Sphinx.
Filter/Exclusion: process.command_line:"sphinx-build" OR "doc" OR "documentation" OR process.parent_process_name:"Documentation Tool"
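The following is an added example, not from the page: it applies the five Filter/Exclusion scenarios above to constructed process-creation events and shows which Python-process alerts they suppress. It assumes (my reading of the page's shorthand) that `field:"a" OR "b"` means "field contains a or b, case-insensitively", and that each event carries `process_name`, `parent_process_name` and `command_line`. The `strict` mode, which requires both the parent-process term and the command-line term to match before an event is excluded, is my own tightening and not something the page prescribes; it is there to show how a broad substring exclusion such as "test" can hide an event that has nothing to do with CI/CD.

```python
"""Added example: evaluating the page's exclusion scenarios over constructed
process events (not the page's own tooling)."""

# Exclusions transcribed from the scenarios above as
# (parent-process terms, command-line terms). Assumed semantics: a term matches
# when it is a case-insensitive substring of the field.
EXCLUSIONS = {
    "scheduled cleanup": (["Task Scheduler"], ["clean", "cleanup"]),
    "ci/cd job": (["Jenkins", "GitLab", "GitHub Actions"], ["build", "test"]),
    "report generation": (["MySQL", "PostgreSQL"], ["report", "generate", "export"]),
    "admin monitoring": (["Windows Task Scheduler", "System"], ["monitor", "metrics"]),
    "docs compile": (["Documentation Tool"], ["sphinx-build", "doc", "documentation"]),
}

PYTHON_NAMES = {"python", "python.exe", "python3", "python3.exe", "pythonw.exe"}


def _contains_any(value: str, terms) -> bool:
    """Case-insensitive substring match against a list of terms."""
    v = value.lower()
    return any(t.lower() in v for t in terms)


def matching_exclusions(event: dict, strict: bool = False) -> list:
    """Names of the scenarios whose filter would exclude this event.

    Page semantics (strict=False): parent term OR command-line term.
    Tightened variant (strict=True, my assumption): parent term AND command-line term.
    """
    parent = event.get("parent_process_name", "")
    cmd = event.get("command_line", "")
    names = []
    for name, (parent_terms, cmd_terms) in EXCLUSIONS.items():
        p_hit = _contains_any(parent, parent_terms)
        c_hit = _contains_any(cmd, cmd_terms)
        if (p_hit and c_hit) if strict else (p_hit or c_hit):
            names.append(name)
    return names


def is_python_process(event: dict) -> bool:
    return event.get("process_name", "").lower() in PYTHON_NAMES


def triage(events: list, strict: bool = False) -> dict:
    """Split Python-process events into alerts and suppressed events.

    Returns {"alerts": [event ids], "suppressed": {event id: [scenario names]}}.
    Non-Python events are ignored, since the hunt is for Python execution.
    """
    alerts, suppressed = [], {}
    for ev in events:
        if not is_python_process(ev):
            continue
        hits = matching_exclusions(ev, strict=strict)
        if hits:
            suppressed[ev["id"]] = hits
        else:
            alerts.append(ev["id"])
    return {"alerts": alerts, "suppressed": suppressed}


# Constructed events (not real telemetry). Paths and parents are illustrative.
SAMPLE_EVENTS = [
    {"id": "ev1", "process_name": "python.exe", "parent_process_name": "Task Scheduler",
     "command_line": r"python.exe C:\scripts\cleanup_logs.py"},
    {"id": "ev2", "process_name": "python3", "parent_process_name": "Jenkins",
     "command_line": "python3 build.py"},
    # Launched from the desktop shell out of a world-writable folder; the word
    # "test" in the path alone satisfies the CI/CD exclusion in the page's form.
    {"id": "ev3", "process_name": "python.exe", "parent_process_name": "explorer.exe",
     "command_line": r"python.exe C:\Users\Public\test_build.py"},
    # Office application spawning Python from a temp directory: no exclusion applies.
    {"id": "ev4", "process_name": "python.exe", "parent_process_name": "WINWORD.EXE",
     "command_line": r"python.exe C:\Users\alice\AppData\Local\Temp\stage.py"},
    # Not a Python process at all; the hunt ignores it.
    {"id": "ev5", "process_name": "notepad.exe", "parent_process_name": "cmd.exe",
     "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    print("page semantics:", triage(SAMPLE_EVENTS))
    print("strict variant:", triage(SAMPLE_EVENTS, strict=True))
```

Run as written, the page's OR-joined filters suppress ev3 purely because "test" and "build" appear in its file name, while the strict variant keeps ev3 as an alert and still suppresses the two genuinely scheduled or pipeline-driven events. When deploying these exclusions in Azure Sentinel, scope the command-line terms to full paths or signed script locations rather than bare keywords.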