hunting/macos/queries/execution_python_script_drop_and_execute.toml

[hunt]
author = "Elastic"
name = "Python Script Drop and Execute"
uuid = "76f10746-9527-4c99-8ed8-491085ecdcfd"
description = """
Detects when a Python script is written to disk within a user's home directory and then immediately executed by the same process lineage. This pattern is commonly observed in initial access payload delivery or script-based malware staging.
"""
integration = ["endpoint"]
language = ["EQL"]
license = "Elastic License v2"
mitre = ["T1059.006", "T1105"]
notes = [
  "This hunt is designed to catch malicious tooling written and executed rapidly by Python processes.",
  "This technique is often used by downloaders or droppers that write staging scripts and immediately run them.",
  "Consider pivoting on `process.entity_id` and `file.path` to view subsequent behavior."
]
query = [
'''
sequence with maxspan=15s
  [file where event.action == "modification" and process.name like~ "python*" and
   file.extension == "py" and file.path like "/Users/*"] by process.entity_id
  [process where event.type == "start" and event.action == "exec" and
   process.args_count == 2 and process.args like "/Users/*"] by process.parent.entity_id
'''
]
references = [
  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
  "https://x.com/safe/status/1897663514975649938",
  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
]
[New Hunt] New Hunting Queries for DPRK ByBit (#4644 ) 2025-04-23 16:41:23 -04:00			`[hunt]`
			`author = "Elastic"`
			`name = "Python Script Drop and Execute"`
			`uuid = "76f10746-9527-4c99-8ed8-491085ecdcfd"`
			`description = """`
			`Detects when a Python script is written to disk within a user's home directory and then immediately executed by the same process lineage. This pattern is commonly observed in initial access payload delivery or script-based malware staging.`
			`"""`
			`integration = ["endpoint"]`
			`language = ["EQL"]`
			`license = "Elastic License v2"`
			`mitre = ["T1059.006", "T1105"]`
			`notes = [`
			`"This hunt is designed to catch malicious tooling written and executed rapidly by Python processes.",`
			`"This technique is often used by downloaders or droppers that write staging scripts and immediately run them.",`
			"Consider pivoting on `process.entity_id` and `file.path` to view subsequent behavior."
			`]`
			`query = [`
			`'''`
			`sequence with maxspan=15s`
			`[file where event.action == "modification" and process.name like~ "python*" and`
			`file.extension == "py" and file.path like "/Users/*"] by process.entity_id`
			`[process where event.type == "start" and event.action == "exec" and`
			`process.args_count == 2 and process.args like "/Users/*"] by process.parent.entity_id`
			`'''`
			`]`
			`references = [`
			`"https://www.elastic.co/security-labs/dprk-code-of-conduct",`
			`"https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",`
			`"https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",`
			`"https://x.com/safe/status/1897663514975649938",`
			`"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"`
			`]`