Date: 02/24/2025
Severity: Medium
Summary
"Python Inline Command Execution" refers to executing Python code directly from the command line using the -c flag, allowing for the execution of Python scripts without creating a separate file. This feature can be used for quick scripts or one-liners. However, it can also pose security risks, as attackers may use it to run malicious code, such as launching reverse shells or executing arbitrary commands on a system.
Indicators of Compromise (IOC) List
Image | 'python.exe' 'python3.exe' 'python2.exe' |
OriginalFileName | 'python.exe' |
CommandLine | ' -c' '<pip-setuptools-caller>' 'exec(compile(' |
ParentImage | 'C:\Program Files\Python' '\python.exe' '\AppData\Local\Programs\Microsoft VS Code\Code.exe' |
ParentCommandLine | '-E -s -m ensurepip -U --default-pip' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | (((resourcename in ("Windows Security") AND eventtype = "4688") AND (newprocessname IN ("python.exe","python3.exe","python2.exe") AND processname = "python.exe") AND commandline like "-c") AND (parentprocessname not like "C:\Program Files\Python" AND parentprocessname not like "\python.exe" AND parentcommandline not like "-E -s -m ensurepip -U --default-pip") AND (parentprocessname not like "\AppData\Local\Programs\Microsoft VS Code\Code.exe" AND commandline not like "<pip-setuptools-caller>" AND commandline not like "exec(compile(")) |
Detection Query 2 | (((technologygroup = "EDR") AND (newprocessname IN ("python.exe","python3.exe","python2.exe") AND processname = "python.exe") AND commandline like "-c") AND (parentprocessname not like "C:\Program Files\Python" AND parentprocessname not like "\python.exe" AND parentcommandline not like "-E -s -m ensurepip -U --default-pip") AND (parentprocessname not like "\AppData\Local\Programs\Microsoft VS Code\Code.exe" AND commandline not like "<pip-setuptools-caller>" AND commandline not like "exec(compile(")) |
Detection Query 3 | (((resourcename in ("Sysmon") AND eventtype = "1") AND (image IN ("python.exe","python3.exe","python2.exe") AND originalfilename = "python.exe") AND commandline like "-c ") AND (parentimage not like "C:\Program Files\Python" AND parentimage not like "\python.exe" AND parentcommandline not like "-E -s -m ensurepip -U --default-pip") AND (parentimage not like "\AppData\Local\Programs\Microsoft VS Code\Code.exe" AND commandline not like "<pip-setuptools-caller>" AND commandline not like "exec(compile(")) |
Detection Query 4 | (((technologygroup = "EDR") AND (newprocessname IN ("python.exe","python3.exe","python2.exe") AND processname = "python.exe") AND commandline like "-c") AND (parentprocessname not like "C:\Program Files\Python" AND parentprocessname not like "\python.exe" AND parentcommandline not like "-E -s -m ensurepip -U --default-pip") AND (parentprocessname not like "\AppData\Local\Programs\Microsoft VS Code\Code.exe" AND commandline not like "<pip-setuptools-caller>" AND commandline not like "exec(compile(")) |
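As an added example (not the Gurucul queries or the Sigma rule itself), the following Python evaluates the same selection and exclusion logic over process-creation records shaped like Sysmon Event ID 1 / Security 4688 data. It assumes case-insensitive substring matching for the "like" conditions and applies each exclusion on its own, the way the queries above chain their "not like" clauses; the field names, sample paths and command lines are constructed for this example.

```python
from dataclasses import dataclass

# Patterns taken from the page's IOC list. Substring matching is done
# case-insensitively here, which is an assumption about "like" semantics.
PYTHON_IMAGES = ("python.exe", "python3.exe", "python2.exe")
INLINE_FLAG = " -c"
BENIGN_PARENT_IMAGE = (
    r"C:\Program Files\Python",
    r"\python.exe",
    r"\AppData\Local\Programs\Microsoft VS Code\Code.exe",
)
BENIGN_PARENT_CMDLINE = ("-E -s -m ensurepip -U --default-pip",)
BENIGN_CMDLINE = ("<pip-setuptools-caller>", "exec(compile(")


@dataclass
class ProcessEvent:
    """Only the fields of a process-creation record that the rule consults."""
    image: str
    original_file_name: str
    command_line: str
    parent_image: str
    parent_command_line: str


def _contains_any(haystack: str, needles) -> bool:
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def selection(ev: ProcessEvent) -> bool:
    """A Python interpreter started with an inline script via -c."""
    image_name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return (
        image_name in PYTHON_IMAGES
        and ev.original_file_name.lower() == "python.exe"
        and INLINE_FLAG in ev.command_line.lower()
    )


def benign_filter(ev: ProcessEvent) -> bool:
    """Any single exclusion from the page suppresses the alert."""
    return (
        _contains_any(ev.parent_image, BENIGN_PARENT_IMAGE)
        or _contains_any(ev.parent_command_line, BENIGN_PARENT_CMDLINE)
        or _contains_any(ev.command_line, BENIGN_CMDLINE)
    )


def is_inline_python_execution(ev: ProcessEvent) -> bool:
    return selection(ev) and not benign_filter(ev)


def alerts(events):
    """Return the events that would fire the detection."""
    return [ev for ev in events if is_inline_python_execution(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 0: inline script spawned from an interactive shell -> alert
    ProcessEvent(r"C:\Users\alice\AppData\Local\Programs\Python\Python311\python.exe",
                 "python.exe", 'python.exe -c "import os; print(os.getcwd())"',
                 r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\System32\\cmd.exe"'),
    # 1: pip bootstrap through ensurepip -> excluded by parent command line
    ProcessEvent(r"C:\Program Files\Python312\python.exe", "python.exe",
                 'python.exe -c "import runpy; runpy.run_module(\'pip\')"',
                 r"C:\Program Files\Python312\python.exe",
                 '"C:\\Program Files\\Python312\\python.exe" -E -s -m ensurepip -U --default-pip'),
    # 2: VS Code extension host probing the interpreter -> excluded by parent image
    ProcessEvent(r"C:\Python311\python.exe", "python.exe",
                 'python.exe -c "import sys; print(sys.version)"',
                 r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
                 '"Code.exe"'),
    # 3: setuptools build helper launched by pip -> excluded by command-line marker
    ProcessEvent(r"C:\Python311\python.exe", "python.exe",
                 'python.exe -c "<pip-setuptools-caller>"',
                 r"C:\Python311\Scripts\pip.exe", "pip.exe install somepkg"),
    # 4: ordinary script run, no -c -> not selected
    ProcessEvent(r"C:\Python311\python.exe", "python.exe", "python.exe build.py",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    # 5: python3.exe launched from PowerShell with an inline script -> alert
    ProcessEvent(r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\python3.exe",
                 "python.exe", 'python3.exe -c "import platform; print(platform.node())"',
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
]


if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print("ALERT:", ev.parent_image, "->", ev.command_line)
```

Records 1 to 3 show why the exclusions exist: installers, pip's setuptools shim and editor integrations all legitimately call `python -c`, and without those filters the rule would be too noisy to act on. Conversely, the filters are coarse substring checks, so when tuning for your own environment prefer narrowing them to full parent paths rather than adding more generic command-line fragments.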
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml