Terrance DeJesus
34 lines
1.6 KiB
TOML
34 lines
1.6 KiB
TOML
[hunt]
|
|
author = "Elastic"
|
|
name = "Self-Deleting Python Script"
|
|
uuid = "6461f45e-b03f-4756-94d2-34a210caeb78"
|
|
description = """
|
|
Detects when a Python script is executed and then deletes itself within a short time window. This behavior is often observed in malware used by DPRK threat actors to remove traces post-execution and avoid detection.
|
|
"""
|
|
integration = ["endpoint"]
|
|
language = ["EQL"]
|
|
license = "Elastic License v2"
|
|
mitre = ["T1059.006", "T1070.004"]
|
|
notes = [
|
|
"Self-deletion of Python scripts is commonly used to evade detection and forensic recovery.",
|
|
"This hunt is effective at uncovering ephemeral post-exploitation scripts or loaders.",
|
|
"You may pivot on `file.path`, `process.args`, and `process.executable` to understand intent and targets."
|
|
]
|
|
query = [
|
|
'''
|
|
sequence by process.entity_id with maxspan=10s
|
|
[process where event.type == "start" and event.action == "exec" and
|
|
process.name like~ "python*" and process.args_count == 2 and
|
|
process.args like ("/Users/Shared/*.py", "/tmp/*.py", "/private/tmp/*.py", "/Users/*/Public/*.py")]
|
|
[file where event.action == "deletion" and
|
|
file.extension in ("py", "pyc") and
|
|
file.path like ("/Users/Shared/*", "/tmp/*", "/private/tmp/*", "/Users/*/Public/*")]
|
|
'''
|
|
]
|
|
references = [
|
|
"https://www.elastic.co/security-labs/dprk-code-of-conduct",
|
|
"https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
|
|
"https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
|
|
"https://x.com/safe/status/1897663514975649938",
|
|
"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
|
|
] |