T1059.006: Python

Data from MITRE ATT&CK®:

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Limit Software Installation

Block users or groups from installing unapproved software.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Antivirus/Antimalware

Use signatures or heuristics to detect malicious software.

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Execute shell script via python's command mode arguement

linux

Execute Python via scripts

linux

Python pty module and spawn function used to spawn sh or bash

linux

Execute Python via Python executables

linux

Suspicious File Characteristics Due to Missing Fields

windows process creation

File Was Not Allowed To Run

windows