bbfc026c95
* new hunting queries for macOS DPRK * added docker hunting queries
# Hunting query definition: a single [hunt] table holding the metadata,
# ATT&CK mapping, the EQL query itself, and the background references.
[hunt]
author = "Elastic"
name = "Potential Python Stealer Activity"
# Identifier for this hunt; presumably stable across revisions - confirm
# against the repo's conventions before changing it.
uuid = "107fe9a2-6743-4136-a055-fa070fd38f2f"
# Analyst-facing summary of what the sequence matches and why it matters.
description = """
Detects the execution of a Python script followed by at least three consecutive open actions on files within a 30-second window. This behavior may indicate an attempt to access or exfiltrate sensitive data such as browser files, credentials, or configuration files.
"""
# Data source the query is written for.
integration = ["endpoint"]
language = ["EQL"]
license = "Elastic License v2"
# ATT&CK: T1059.006 (Command and Scripting Interpreter: Python),
# T1552.001 (Unsecured Credentials: Credentials In Files).
mitre = ["T1059.006", "T1552.001"]
# Triage and tuning guidance. The file stages in the query carry no
# file.path filter, so narrowing on path is expected during triage.
notes = [
"This hunt identifies Python-based access to multiple files shortly after script execution, a pattern common to stealers.",
"Adjustments may be needed to focus on high-value file paths (e.g., browser data, tokens, configuration files).",
"Further pivoting on `file.path`, `process.entity_id`, and `process.args` is recommended for triage."
]
# EQL sequence keyed on process.entity_id: every stage must come from the
# same process instance as the Python start event, and the whole chain must
# fit inside the 30 s maxspan.
# Stage 1: a process whose name starts with "python" (like~ is the
# case-insensitive wildcard match) started with exactly two arguments
# (presumably interpreter + script path - confirm) where at least one
# argument is under /Users, /tmp or /private/tmp. Note that process.args
# is matched as a whole, so an interpreter installed under /Users/* (e.g.
# a venv) satisfies the path condition regardless of where the script is.
# Stages 2-4: three file-open events. Sequence stages are ordered but need
# not be adjacent; unrelated events may occur between them.
# NOTE(review): module imports by the interpreter also surface as file-open
# events, so most scripts will satisfy the three open stages; expect volume
# and pivot on file.path as the notes suggest.
# NOTE(review): nothing restricts this to macOS hosts; "/tmp/*" also exists
# on Linux, so confirm the intended scope if the integration feeds both.
query = [
'''
sequence by process.entity_id with maxspan=30s
[process where event.type == "start" and event.action == "exec" and
process.name like~ "python*" and process.args_count == 2 and
process.args like ("/Users/*", "/tmp/*", "/private/tmp/*")]
[file where event.action == "open"]
[file where event.action == "open"]
[file where event.action == "open"]
'''
]
# Background reporting cited for this hunt.
references = [
"https://www.elastic.co/security-labs/dprk-code-of-conduct",
"https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
"https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
"https://x.com/safe/status/1897663514975649938",
"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
]