Command and Scripting Interpreter: Python

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

ID: T1059.006
Sub-technique of:  T1059
Tactic: Execution
Platforms: Linux, Windows, macOS
System Requirements: Python is installed.
Permissions Required: Administrator, SYSTEM, root
Data Sources: API monitoring, Process command-line parameters, Process monitoring, System calls
Version: 1.0
Created: 09 March 2020
Last Modified: 23 June 2020

Procedure Examples

Name Description
APT29

APT29 has developed malware variants written in Python.[1]

APT39

APT39 has used a command line utility and a network scanner written in python.[2]

BRONZE BUTLER

BRONZE BUTLER has made use of Python-based remote access tools.[3]

Bundlore

Bundlore has used Python scripts to execute payloads.[4]

Cobalt Strike

Cobalt Strike can use Python to perform execution.[5][6]

CoinTicker

CoinTicker executes a Python script to download its second stage.[7]

CookieMiner

CookieMiner has used python scripts on the user’s system, as well as the Python variant of the Empire agent, EmPyre.[8]

Dragonfly 2.0

Dragonfly 2.0 used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.[9][10]

KeyBoy

KeyBoy uses Python scripts for installing files and performing execution.[11]

Keydnap

Keydnap uses Python for scripting to execute additional commands.[12]

Machete

Machete uses Python scripts.[13][14]

Machete

Machete used multiple compiled Python scripts on the victim’s system.[15]

MechaFlounder

MechaFlounder uses a python-based payload.[16]

PoetRAT

PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.[17]

PUNCHBUGGY

PUNCHBUGGY has used python scripts.[18]

Pupy

Pupy can use an add on feature when creating payloads that allows you to create custom Python scripts ("scriptlets") to perform tasks offline (without requiring a session) such as sandbox detection, adding persistence, etc.[19]

Remcos

Remcos uses Python scripts.[20]

Rocke

Rocke has used Python-based malware to install and spread their coinminer.[21]

SpeakUp

SpeakUp uses Python scripts.[22]

Mitigations

Mitigation Description
Antivirus/Antimalware

Anti-virus can be used to automatically quarantine suspicious files.

Audit

Inventory systems for unauthorized Python installations.

Execution Prevention

Denylist Python where not required.

Limit Software Installation

Prevent users from installing Python where not required.

Detection

Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

References