Command and Scripting Interpreter: Python

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

ID: T1059.006
Sub-technique of:  T1059
Tactic: Execution
Platforms: Linux, Windows, macOS
System Requirements: Python is installed.
Permissions Required: Administrator, SYSTEM, root
Version: 1.0
Created: 09 March 2020
Last Modified: 26 July 2021

Procedure Examples

ID Name Description
G0016 APT29

APT29 has developed malware variants written in Python.[1]

G0067 APT37

APT37 has used Python scripts to execute payloads.[2]

G0087 APT39

APT39 has used a command line utility and a network scanner written in python.[3][4]

S0234 Bandook

Bandook can support commands to execute Python-based payloads.[5]

G0060 BRONZE BUTLER

BRONZE BUTLER has made use of Python-based remote access tools.[6]

S0482 Bundlore

Bundlore has used Python scripts to execute payloads.[7]

S0631 Chaes

Chaes has used Python scripts for execution and the installation of additional files.[8]

S0154 Cobalt Strike

Cobalt Strike can use Python to perform execution.[9][10][11][12]

S0369 CoinTicker

CoinTicker executes a Python script to download its second stage.[13]

S0492 CookieMiner

CookieMiner has used python scripts on the user’s system, as well as the Python variant of the Empire agent, EmPyre.[14]

S0695 Donut

Donut can generate shellcode outputs that execute via Python.[15]

G0035 Dragonfly

Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.[16]

S0547 DropBook

DropBook is a Python-based backdoor compiled with PyInstaller.[17]

S0377 Ebury

Ebury has used Python to implement its DGA.[18]

S0581 IronNetInjector

IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector.[19]

S0387 KeyBoy

KeyBoy uses Python scripts for installing files and performing execution.[20]

S0276 Keydnap

Keydnap uses Python for scripting to execute additional commands.[21]

G0094 Kimsuky

Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.[22][23]

S0409 Machete

Machete is written in Python and is used in conjunction with additional Python scripts.[24][25][26]

G0095 Machete

Machete used multiple compiled Python scripts on the victim’s system. Machete's main backdoor Machete is also written in Python.[27][24][26]

S0459 MechaFlounder

MechaFlounder uses a python-based payload.[28]

G0069 MuddyWater

MuddyWater has used developed tools in Python including Out1.[29]

G0116 Operation Wocao

Operation Wocao's backdoors have been written in Python and compiled with py2exe.[30]

S0428 PoetRAT

PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.[31]

S0196 PUNCHBUGGY

PUNCHBUGGY has used python scripts.[32]

S0192 Pupy

Pupy can use an add on feature when creating payloads that allows you to create custom Python scripts ("scriptlets") to perform tasks offline (without requiring a session) such as sandbox detection, adding persistence, etc.[33]

S0583 Pysa

Pysa has used Python scripts to deploy ransomware.[34]

S0332 Remcos

Remcos uses Python scripts.[35]

G0106 Rocke

Rocke has used Python-based malware to install and spread their coinminer.[36]

S0692 SILENTTRINITY

SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.[37][38]

S0374 SpeakUp

SpeakUp uses Python scripts.[39]

G0131 Tonto Team

Tonto Team has used Python-based tools for execution.[40]

S0609 TRITON

TRITON was run as trilog.exe, a Py2EXE compiled python script that accepts a single IP address as a flag.[41]

S0647 Turian

Turian has the ability to use Python to spawn a Unix shell.[42]

G0010 Turla

Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.[19]

G0128 ZIRCONIUM

ZIRCONIUM has used Python-based implants to interact with compromised hosts.[43][44]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can be used to automatically quarantine suspicious files.

M1047 Audit

Inventory systems for unauthorized Python installations.

M1038 Execution Prevention

Denylist Python where not required.

M1033 Limit Software Installation

Prevent users from installing Python where not required.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation

Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

References

  1. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  2. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  3. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  4. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  5. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  6. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  7. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  8. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  9. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  10. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
  11. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  12. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  13. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  14. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  15. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  16. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  17. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  18. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.
  19. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  20. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  21. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
  22. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  1. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  2. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  3. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  4. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  5. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  6. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
  7. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  8. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  9. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  10. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  11. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  12. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  13. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  14. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  15. Salvati, M (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.
  16. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  17. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  18. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  19. Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.
  20. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  21. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.
  22. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.