Python Inline Command Execution

    Date: 02/24/2025

    Severity: Medium

    Summary

    "Python Inline Command Execution" refers to executing Python code directly from the command line using the -c flag, allowing for the execution of Python scripts without creating a separate file. This feature can be used for quick scripts or one-liners. However, it can also pose security risks, as attackers may use it to run malicious code, such as launching reverse shells or executing arbitrary commands on a system.

    Indicators of Compromise (IOC) List

    Selection (all must match)

    Image

    'python.exe'
    'python3.exe'
    'python2.exe'

    OriginalFileName

    'python.exe'

    CommandLine

    ' -c'

    Exclusions (legitimate tooling that also runs python -c, filtered out by the queries below)

    CommandLine

    '<pip-setuptools-caller>'
    'exec(compile('

    ParentImage

    'C:\Program Files\Python'
    '\python.exe'
    '\AppData\Local\Programs\Microsoft VS Code\Code.exe'

    ParentCommandLine

    '-E -s -m ensurepip -U --default-pip'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (((resourcename in ("Windows Security") AND eventtype = "4688") AND (newprocessname IN ("python.exe","python3.exe","python2.exe") AND processname = "python.exe") AND commandline like "-c") AND (parentprocessname not like "C:\Program Files\Python" AND parentprocessname not like "\python.exe" AND parentcommandline not like "-E -s -m ensurepip -U --default-pip") AND (parentprocessname not like "\AppData\Local\Programs\Microsoft VS Code\Code.exe" AND commandline not like "<pip-setuptools-caller>" AND commandline not like "exec(compile("))

    Detection Query 2

    (((technologygroup = "EDR") AND (newprocessname IN ("python.exe","python3.exe","python2.exe") AND processname = "python.exe") AND commandline like "-c") AND (parentprocessname not like "C:\Program Files\Python" AND parentprocessname not like "\python.exe" AND parentcommandline not like "-E -s -m ensurepip -U --default-pip") AND (parentprocessname not like "\AppData\Local\Programs\Microsoft VS Code\Code.exe" AND commandline not like "<pip-setuptools-caller>" AND commandline not like "exec(compile("))

    Detection Query 3

    (((resourcename in ("Sysmon") AND eventtype = "1") AND (image IN ("python.exe","python3.exe","python2.exe") AND originalfilename = "python.exe") AND commandline like "-c ") AND (parentimage not like "C:\Program Files\Python" AND parentimage not like "\python.exe" AND parentcommandline not like "-E -s -m ensurepip -U --default-pip") AND (parentimage not like "\AppData\Local\Programs\Microsoft VS Code\Code.exe" AND commandline not like "<pip-setuptools-caller>" AND commandline not like "exec(compile("))

    Detection Query 4

    (((technologygroup = "EDR") AND (newprocessname IN ("python.exe","python3.exe","python2.exe") AND processname = "python.exe") AND commandline like "-c") AND (parentprocessname not like "C:\Program Files\Python" AND parentprocessname not like "\python.exe" AND parentcommandline not like "-E -s -m ensurepip -U --default-pip") AND (parentprocessname not like "\AppData\Local\Programs\Microsoft VS Code\Code.exe" AND commandline not like "<pip-setuptools-caller>" AND commandline not like "exec(compile("))
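    The selection and exclusion logic of the queries above, written as a Python function over Sysmon Event ID 1 records and run against constructed sample events (added example for this page, not Gurucul's query engine or the SigmaHQ rule; event field names follow Sysmon, the events themselves are made up). It tightens the "-c" match to a whole token, which the page's substring `like "-c"` does not.

```python
"""Detection Query 3 (Sysmon Event ID 1) as a function over constructed events."""

PYTHON_IMAGES = ("python.exe", "python3.exe", "python2.exe")
# Exclusions from the page's IOC list, matched case-insensitively as substrings.
PARENT_IMAGE_EXCLUSIONS = (r"C:\Program Files\Python", r"\python.exe",
                           r"\AppData\Local\Programs\Microsoft VS Code\Code.exe")
PARENT_CMDLINE_EXCLUSIONS = ("-E -s -m ensurepip -U --default-pip",)
CMDLINE_EXCLUSIONS = ("<pip-setuptools-caller>", "exec(compile(")


def _contains_any(value: str, patterns) -> bool:
    value = value.lower()
    return any(p.lower() in value for p in patterns)


def is_inline_python_execution(event: dict) -> bool:
    """True when a Sysmon process-creation event matches the page's logic."""
    if str(event.get("EventID")) != "1":
        return False
    if event.get("Image", "").rsplit("\\", 1)[-1].lower() not in PYTHON_IMAGES:
        return False
    if event.get("OriginalFileName", "").lower() != "python.exe":
        return False
    cmdline = event.get("CommandLine", "")
    # Whole "-c" token instead of the page's substring match: avoids hits on e.g. "-config".
    if "-c" not in cmdline.split():
        return False
    if _contains_any(event.get("ParentImage", ""), PARENT_IMAGE_EXCLUSIONS):
        return False
    if _contains_any(event.get("ParentCommandLine", ""), PARENT_CMDLINE_EXCLUSIONS):
        return False
    return not _contains_any(cmdline, CMDLINE_EXCLUSIONS)


# Constructed sample events (not real telemetry): one hit, two benign exclusions.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Programs\Python\Python312\python.exe",
     "OriginalFileName": "python.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe",
     "CommandLine": 'python.exe -c "import sys; print(sys.version)"'},
    {"EventID": 1, "Image": r"C:\Program Files\Python312\python.exe", "OriginalFileName": "python.exe",
     "ParentImage": r"C:\Program Files\Python312\python.exe",
     "ParentCommandLine": r'"C:\Program Files\Python312\python.exe" -E -s -m ensurepip -U --default-pip',
     "CommandLine": r'"C:\Program Files\Python312\python.exe" -c "<pip-setuptools-caller>"'},
    {"EventID": 1, "Image": r"C:\Python311\python.exe", "OriginalFileName": "python.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "ParentCommandLine": "Code.exe",
     "CommandLine": 'python.exe -c "import sys; print(sys.version)"'},
]


def matching_events(events=SAMPLE_EVENTS) -> list:
    return [e for e in events if is_inline_python_execution(e)]
```

    Only the cmd.exe-spawned interpreter survives the filters; the ensurepip bootstrap and the VS Code child are dropped by the parent-based exclusions, as in the queries.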

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml


    Tags

    SigmaPythonExploit
