rules/cross-platform/execution_suspicious_python_command_execution.toml

[metadata]
creation_date = "2026/03/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/03/26"

[rule]
author = ["Elastic"]
description = """
Detects the execution of suspicious shell commands via the Python interpreter. Attackers 
may use Python to execute shell commands to gain access to the system or to perform other
malicious activities, such as credential access, data exfiltration, or lateral movement.
"""
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "Suspicious Python Shell Command Execution"
risk_score = 47
rule_id = "b42e4b88-fc4a-417b-a45e-4d4a3db9fd41"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
]
type = "esql"
query = '''
FROM logs-endpoint.events.process-* METADATA _id, _version, _index

| WHERE host.os.type in ("linux", "macos") and event.type == "start" and TO_LOWER(process.parent.name) like "python*" and
  process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
  KQL("""event.action:"exec" and process.args:("-c" or "-cl" or "-lc")""")

// truncate timestamp to 1-minute window
| EVAL Esql.time_window_date_trunc = DATE_TRUNC(1 minutes, @timestamp)

| EVAL Esql.process_command_line_patterns = CASE(
  process.command_line like "*grep*", "grep",
  process.command_line like "*find*", "find",
  process.command_line like "*curl*", "curl",
  process.command_line like "*env *", "environment_enumeration",
  process.command_line like "*wget*", "wget",
  process.command_line like "*whoami*" or process.command_line like "*uname*" or process.command_line like "*hostname*", "discovery", "other"
)

| KEEP
    @timestamp,
    _id,
    _index,
    _version,
    Esql.process_command_line_patterns,
    Esql.time_window_date_trunc,
    host.os.type,
    event.type,
    event.action,
    process.parent.name,
    process.working_directory,
    process.parent.working_directory,
    process.name,
    process.executable,
    process.command_line,
    process.parent.executable,
    process.parent.entity_id,
    agent.id,
    host.name,
    event.dataset,
    data_stream.namespace

| STATS
  Esql.process_command_line_count_distinct = COUNT_DISTINCT(process.command_line),
  Esql.patterns_count_distinct = COUNT_DISTINCT(Esql.process_command_line_patterns),
  Esql.process_command_line_values = VALUES(process.command_line),
  Esql.host_name_values = values(host.name),
  Esql.agent_id_values = values(agent.id),
  Esql.event_dataset_values = values(event.dataset),
  Esql.data_stream_namespace_values = values(data_stream.namespace)
  BY process.parent.entity_id, agent.id, host.name, Esql.time_window_date_trunc

| SORT Esql.process_command_line_count_distinct DESC
| WHERE Esql.process_command_line_count_distinct >= 5 AND Esql.patterns_count_distinct >= 4
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[New Rules] LiteLLM & Trivy TeamPCP Compromise (#5885 ) 2026-03-26 17:16:30 +01:00			`[metadata]`
			`creation_date = "2026/03/26"`
			`integration = ["endpoint"]`
			`maturity = "production"`
			`updated_date = "2026/03/26"`

			`[rule]`
			`author = ["Elastic"]`
			`description = """`
			`Detects the execution of suspicious shell commands via the Python interpreter. Attackers`
			`may use Python to execute shell commands to gain access to the system or to perform other`
			`malicious activities, such as credential access, data exfiltration, or lateral movement.`
			`"""`
			`from = "now-9m"`
			`language = "esql"`
			`license = "Elastic License v2"`
			`name = "Suspicious Python Shell Command Execution"`
			`risk_score = 47`
			`rule_id = "b42e4b88-fc4a-417b-a45e-4d4a3db9fd41"`
			`severity = "medium"`
			`tags = [`
			`"Domain: Endpoint",`
			`"OS: Linux",`
			`"OS: macOS",`
			`"Use Case: Threat Detection",`
			`"Tactic: Execution",`
			`"Data Source: Elastic Defend",`
			`]`
			`type = "esql"`
			`query = '''`
			`FROM logs-endpoint.events.process-* METADATA _id, _version, _index`

			`\| WHERE host.os.type in ("linux", "macos") and event.type == "start" and TO_LOWER(process.parent.name) like "python*" and`
			`process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and`
			`KQL("""event.action:"exec" and process.args:("-c" or "-cl" or "-lc")""")`

			`// truncate timestamp to 1-minute window`
			`\| EVAL Esql.time_window_date_trunc = DATE_TRUNC(1 minutes, @timestamp)`

			`\| EVAL Esql.process_command_line_patterns = CASE(`
			`process.command_line like "grep", "grep",`
			`process.command_line like "find", "find",`
			`process.command_line like "curl", "curl",`
			`process.command_line like "env ", "environment_enumeration",`
			`process.command_line like "wget", "wget",`
			`process.command_line like "whoami" or process.command_line like "uname" or process.command_line like "hostname", "discovery", "other"`
			`)`

			`\| KEEP`
			`@timestamp,`
			`_id,`
			`_index,`
			`_version,`
			`Esql.process_command_line_patterns,`
			`Esql.time_window_date_trunc,`
			`host.os.type,`
			`event.type,`
			`event.action,`
			`process.parent.name,`
			`process.working_directory,`
			`process.parent.working_directory,`
			`process.name,`
			`process.executable,`
			`process.command_line,`
			`process.parent.executable,`
			`process.parent.entity_id,`
			`agent.id,`
			`host.name,`
			`event.dataset,`
			`data_stream.namespace`

			`\| STATS`
			`Esql.process_command_line_count_distinct = COUNT_DISTINCT(process.command_line),`
			`Esql.patterns_count_distinct = COUNT_DISTINCT(Esql.process_command_line_patterns),`
			`Esql.process_command_line_values = VALUES(process.command_line),`
			`Esql.host_name_values = values(host.name),`
			`Esql.agent_id_values = values(agent.id),`
			`Esql.event_dataset_values = values(event.dataset),`
			`Esql.data_stream_namespace_values = values(data_stream.namespace)`
			`BY process.parent.entity_id, agent.id, host.name, Esql.time_window_date_trunc`

			`\| SORT Esql.process_command_line_count_distinct DESC`
			`\| WHERE Esql.process_command_line_count_distinct >= 5 AND Esql.patterns_count_distinct >= 4`
			`'''`

			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`

			`[[rule.threat.technique]]`
			`id = "T1059"`
			`name = "Command and Scripting Interpreter"`
			`reference = "https://attack.mitre.org/techniques/T1059/"`

			`[[rule.threat.technique.subtechnique]]`
			`id = "T1059.006"`
			`name = "Python"`
			`reference = "https://attack.mitre.org/techniques/T1059/006/"`

			`[rule.threat.tactic]`
			`id = "TA0002"`
			`name = "Execution"`
			`reference = "https://attack.mitre.org/tactics/TA0002/"`