2acebc90f2
fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Add additional filter
fix: Outbound RDP Connections Over Non-Standard Tools - Update filters
fix: Rundll32 Execution With Uncommon DLL Extension - Error in filter logic
remove: Suspicious Non-Browser Network Communication With Reddit API
update: BITS Transfer Job Download From File Sharing Domains - Add additional domains
update: Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Update image and list of ports
update: HH.EXE Initiated HTTP Network Connection - Update list of ports
update: Microsoft Binary Suspicious Communication Endpoint - Enhance list of paths and filters
update: Msiexec.EXE Initiated Network Connection Over HTTP - Update destination ports
update: Network Connection Initiated To Mega.nz - Update domains
update: Office Application Initiated Network Connection Over Uncommon Ports - Update list of ports
update: Office Application Initiated Network Connection To Non-Local IP - update list of filters
update: Potential Dead Drop Resolvers - Update domains and filters
update: Remote CHM File Download/Execution Via HH.EXE - Enhance logic
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains
update: Suspicious File Download From File Sharing Websites - Add additional domains
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains
update: Suspicious Remote AppX Package Locations - Add additional domains
update: Unusual File Download From File Sharing Websites - Add additional domains
42 lines
2.3 KiB
YAML
title: Python Initiated Connection
id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6
status: experimental
description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
    - https://pypi.org/project/scapy/
author: frack113
date: 2021/12/10
modified: 2023/09/07
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: network_connection
    product: windows
    definition: 'Requirements: Field enrichment is required for the filters to work. As field such as CommandLine and ParentImage are not available by default on this event type'
detection:
    selection:
        Initiated: 'true'
        Image|contains: 'python'
    filter_optional_conda:
        # Related to anaconda updates. Command example: "conda update conda"
        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
        ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe
        CommandLine|contains|all:
            - ':\ProgramData\Anaconda3\Scripts\conda-script.py'
            - 'update'
    filter_optional_conda_jupyter_notebook:
        # Related to anaconda opening an instance of Jupyter Notebook
        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
        ParentImage: C:\ProgramData\Anaconda3\python.exe
        CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
    filter_main_local_communication:
        # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python opening sockets locally etc. So comment this out if you want to monitor for those instances
        DestinationIp: 127.0.0.1
        SourceIp: 127.0.0.1
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.
level: medium
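As an added example (not the Sigma project's own code or tooling), the rule's selection, filters and condition written out as a small Python evaluator and run over constructed network_connection events; it shows the point made in the logsource definition: on unenriched Sysmon EID 3 data the filter_optional_* filters cannot match, so a conda update still fires, while the loopback filter works without enrichment. Host paths and IP addresses in the sample events are constructed.

```python
# Added example (not Sigma project code): a hand-written evaluator for this
# rule's selection, filters and condition over constructed
# network_connection events. Sigma string matching is case-insensitive.
def _contains(value, needle):
    return value is not None and needle.lower() in str(value).lower()

def _equals(value, expected):
    return value is not None and str(value).lower() == expected.lower()

def selection(ev):
    return _equals(ev.get("Initiated"), "true") and _contains(ev.get("Image"), "python")

def filter_main_local_communication(ev):
    return _equals(ev.get("SourceIp"), "127.0.0.1") and _equals(ev.get("DestinationIp"), "127.0.0.1")

def filter_optional_conda(ev):
    # Plain Sysmon EID 3 carries no ParentImage/CommandLine, so on unenriched
    # events this filter never matches and the alert is not suppressed.
    return _equals(ev.get("ParentImage"), r"C:\ProgramData\Anaconda3\Scripts\conda.exe") and all(
        _contains(ev.get("CommandLine"), s)
        for s in (r":\ProgramData\Anaconda3\Scripts\conda-script.py", "update"))

def filter_optional_conda_jupyter_notebook(ev):
    return _equals(ev.get("ParentImage"), r"C:\ProgramData\Anaconda3\python.exe") and _contains(
        ev.get("CommandLine"), r"C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py")

def matches(ev):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection(ev) and not filter_main_local_communication(ev)
            and not (filter_optional_conda(ev) or filter_optional_conda_jupyter_notebook(ev)))

# Constructed sample events (hypothetical host, RFC 5737 documentation addresses).
_PY = r"C:\ProgramData\Anaconda3\python.exe"
_CONDA = {"Initiated": "true", "Image": _PY, "SourceIp": "10.0.0.5", "DestinationIp": "203.0.113.10"}
EVENTS = {
    # Sysmon EID 3 without enrichment: the conda filter cannot apply, so this alerts.
    "conda_update_sysmon": _CONDA,
    # Same connection with agent-enriched fields: filter_optional_conda suppresses it.
    "conda_update_enriched": {**_CONDA,
                              "ParentImage": r"C:\ProgramData\Anaconda3\Scripts\conda.exe",
                              "CommandLine": _PY + r" C:\ProgramData\Anaconda3\Scripts\conda-script.py update conda"},
    # Local Jupyter socket: dropped by filter_main_local_communication, no enrichment needed.
    "jupyter_local": {**_CONDA, "SourceIp": "127.0.0.1", "DestinationIp": "127.0.0.1"},
    # Inbound connection: Initiated is false, so selection does not match.
    "inbound": {**_CONDA, "Initiated": "false"},
}

def evaluate_all():
    """Map each sample event name to whether the rule fires on it."""
    return {name: matches(ev) for name, ev in EVENTS.items()}
```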