Terrance DeJesus
32 lines
1.5 KiB
TOML
32 lines
1.5 KiB
TOML
[hunt]
|
|
author = "Elastic"
|
|
name = "Python Script Drop and Execute"
|
|
uuid = "76f10746-9527-4c99-8ed8-491085ecdcfd"
|
|
description = """
|
|
Detects when a Python script is written to disk within a user's home directory and then immediately executed by the same process lineage. This pattern is commonly observed in initial access payload delivery or script-based malware staging.
|
|
"""
|
|
integration = ["endpoint"]
|
|
language = ["EQL"]
|
|
license = "Elastic License v2"
|
|
mitre = ["T1059.006", "T1105"]
|
|
notes = [
|
|
"This hunt is designed to catch malicious tooling written and executed rapidly by Python processes.",
|
|
"This technique is often used by downloaders or droppers that write staging scripts and immediately run them.",
|
|
"Consider pivoting on `process.entity_id` and `file.path` to view subsequent behavior."
|
|
]
|
|
query = [
|
|
'''
|
|
sequence with maxspan=15s
|
|
[file where event.action == "modification" and process.name like~ "python*" and
|
|
file.extension == "py" and file.path like "/Users/*"] by process.entity_id
|
|
[process where event.type == "start" and event.action == "exec" and
|
|
process.args_count == 2 and process.args like "/Users/*"] by process.parent.entity_id
|
|
'''
|
|
]
|
|
references = [
|
|
"https://www.elastic.co/security-labs/dprk-code-of-conduct",
|
|
"https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
|
|
"https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
|
|
"https://x.com/safe/status/1897663514975649938",
|
|
"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
|
|
] |