T1059.006 Python Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousPatterns = dynamic([
  "import socket", "import subprocess", "import os",
  "import urllib", "import requests", "import http.client",
  "socket.socket", "subprocess.call", "subprocess.Popen",
  "os.system(", "os.popen(", "exec(", "eval(",
  "compile(", "__import__",
  "base64.b64decode", "codecs.decode",
  "pty.spawn", "/bin/sh", "/bin/bash",
  "reverse_tcp", "reverse_shell",
  "pyinstaller", "py2exe", "nuitka"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("python.exe", "python3.exe", "python", "python3", "pythonw.exe")
| where ProcessCommandLine has_any (SuspiciousPatterns)
| extend ReverseShell = ProcessCommandLine has_any ("socket.socket", "pty.spawn", "/bin/sh", "reverse_shell")
| extend DownloadExec = ProcessCommandLine has_any ("urllib", "requests", "http.client")
| extend SubprocessExec = ProcessCommandLine has_any ("subprocess.call", "subprocess.Popen", "os.system", "os.popen")
| extend CodeExec = ProcessCommandLine has_any ("exec(", "eval(", "compile(", "__import__")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ReverseShell, DownloadExec, SubprocessExec, CodeExec
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Developers and data scientists running Python scripts that import networking or subprocess libraries
DevOps automation tools (Ansible, SaltStack) that execute Python for system configuration
CI/CD pipelines running Python test suites with subprocess calls
Monitoring and observability agents written in Python (Datadog, Checkmk)

Splunk

spl

(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\pythonw.exe"))
OR
(index=linux sourcetype="linux:auditd" type=EXECVE (a0="*python*" OR a0="*python3*"))
| eval cmdline=coalesce(CommandLine, a1." ".a2." ".a3)
| eval cmdline_lower=lower(cmdline)
| eval ReverseShell=if(match(cmdline_lower, "(socket\.socket|pty\.spawn|/bin/sh|reverse_shell)"), 1, 0)
| eval DownloadExec=if(match(cmdline_lower, "(urllib|requests\.get|http\.client)"), 1, 0)
| eval SubprocessExec=if(match(cmdline_lower, "(subprocess\.(call|popen|run)|os\.system|os\.popen)"), 1, 0)
| eval CodeExec=if(match(cmdline_lower, "(exec\(|eval\(|compile\(|__import__)"), 1, 0)
| eval SuspicionScore=ReverseShell*3 + DownloadExec*2 + SubprocessExec + CodeExec*2
| where SuspicionScore > 0
| table _time, host, User, Image, cmdline, ParentImage, ReverseShell, DownloadExec, SubprocessExec, CodeExec, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Linux auditd

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux:auditd

False Positives

Developers and data scientists running Python scripts with networking or subprocess libraries
DevOps automation tools (Ansible, SaltStack) executing Python for system configuration
CI/CD pipelines running Python test suites with subprocess calls
Monitoring agents written in Python

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name in~ ("python", "python3", "python.exe", "python3.exe", "pythonw.exe")
  and (
    process.args : ("*import socket*", "*import subprocess*", "*import os*", "*import urllib*", "*import requests*", "*import http.client*")
    or process.args : ("*socket.socket*", "*subprocess.call*", "*subprocess.Popen*", "*os.system(*", "*os.popen(*")
    or process.args : ("*exec(*", "*eval(*", "*compile(*", "*__import__*")
    or process.args : ("*base64.b64decode*", "*codecs.decode*", "*pty.spawn*", "*/bin/sh*", "*/bin/bash*")
    or process.args : ("*reverse_tcp*", "*reverse_shell*", "*pyinstaller*", "*py2exe*", "*nuitka*")
    or process.args : ("*urllib*", "*requests*", "*http.client*")
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security (endpoint.events.process) Auditbeat (auditd module) Winlogbeat (Sysmon Event ID 1)

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-* auditbeat-*

False Positives

Legitimate developer tooling (Jupyter notebooks, Flask/Django dev servers, Ansible playbooks) that import socket or subprocess as part of normal operation
System automation scripts run by ops teams using requests or urllib for health checks and API polling
Security tooling such as SIEM agents, vulnerability scanners, or EDR components written in Python that use subprocess or socket internally

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  "hostname",
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process
FROM events
WHERE LOGSOURCETYPEID IN (12, 352, 433)
  AND (
    LOWER("Process Name") LIKE '%python%'
    OR LOWER("Process Name") LIKE '%python3%'
    OR LOWER("Process Name") LIKE '%pythonw%'
  )
  AND (
    LOWER("Command") LIKE '%socket.socket%'
    OR LOWER("Command") LIKE '%pty.spawn%'
    OR LOWER("Command") LIKE '%subprocess.popen%'
    OR LOWER("Command") LIKE '%subprocess.call%'
    OR LOWER("Command") LIKE '%os.system%'
    OR LOWER("Command") LIKE '%os.popen%'
    OR LOWER("Command") LIKE '%exec(%'
    OR LOWER("Command") LIKE '%eval(%'
    OR LOWER("Command") LIKE '%compile(%'
    OR LOWER("Command") LIKE '%__import__%'
    OR LOWER("Command") LIKE '%base64.b64decode%'
    OR LOWER("Command") LIKE '%codecs.decode%'
    OR LOWER("Command") LIKE '%reverse_shell%'
    OR LOWER("Command") LIKE '%/bin/sh%'
    OR LOWER("Command") LIKE '%urllib%'
    OR LOWER("Command") LIKE '%requests%'
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Windows Sysmon Event ID 1 (Process Create) Linux auditd EXECVE records Microsoft Windows Security Event Log (Event ID 4688 with command line auditing enabled)

Required Tables

events

False Positives

Python-based monitoring agents (Datadog, New Relic, etc.) that use subprocess or socket for metrics collection
DevOps tooling such as Fabric, Invoke, or Ansible runner scripts executed from CI/CD pipelines
Data science workloads running Jupyter notebooks or ML training jobs that legitimately use urllib and requests for dataset downloads

Sumo Logic CSE

sql

(_sourceCategory="*windows*sysmon*" OR _sourceCategory="*linux*audit*" OR _sourceCategory="*endpoint*")
| where EventID = 1 OR type = "EXECVE"
| parse field=CommandLine "*" as cmdline nodrop
| parse field=Image "*" as image nodrop
| where (
    image matches "*python*" OR
    image matches "*python3*" OR
    image matches "*pythonw*"
  )
| toLowerCase(cmdline) as cmdline_lower
| if(cmdline_lower matches "*(socket.socket|pty.spawn|/bin/sh|reverse_shell|reverse_tcp)*", 1, 0) as reverse_shell
| if(cmdline_lower matches "*(urllib|requests.get|http.client)*", 1, 0) as download_exec
| if(cmdline_lower matches "*(subprocess.call|subprocess.popen|subprocess.run|os.system|os.popen)*", 1, 0) as subprocess_exec
| if(cmdline_lower matches "*(exec(|eval(|compile(|__import__)*", 1, 0) as code_exec
| if(cmdline_lower matches "*(base64.b64decode|codecs.decode)*", 1, 0) as obfuscation
| (reverse_shell * 3 + download_exec * 2 + subprocess_exec + code_exec * 2 + obfuscation * 2) as suspicion_score
| where suspicion_score > 0
| fields _messagetime, _sourceHost, user, image, cmdline, ParentImage, reverse_shell, download_exec, subprocess_exec, code_exec, obfuscation, suspicion_score
| sort by suspicion_score desc, _messagetime desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic Installed Collector (Event ID 1) Linux auditd EXECVE events via Sumo Logic Installed Collector Sumo Logic Cloud SIEM (CSE) normalized process events

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*linux*audit* _sourceCategory=*endpoint*

False Positives

Python-based infrastructure automation scripts (Boto3 AWS SDK usage, Azure SDK) making legitimate API calls via urllib or requests
Security scanning tools written in Python (Impacket utilities run by authorized pentesters, Nmap scripting via Python wrappers)
Software build pipelines invoking Python packaging tools (PyInstaller, py2exe, Nuitka) for legitimate application compilation

Google Chronicle / SecOps

yaral

rule t1059_006_python_suspicious_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious Python interpreter execution patterns associated with MITRE ATT&CK T1059.006 including reverse shells, download-and-execute, subprocess abuse, and dynamic code execution."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.006"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-17"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(python|python3|python3\.exe|python\.exe|pythonw\.exe)$/
    (
      $e.target.process.command_line = /(?i)(socket\.socket|pty\.spawn|\/bin\/sh|\/bin\/bash|reverse_shell|reverse_tcp)/ or
      $e.target.process.command_line = /(?i)(urllib|requests\.get|requests\.post|http\.client)/ or
      $e.target.process.command_line = /(?i)(subprocess\.(call|popen|run)|os\.system|os\.popen)/ or
      $e.target.process.command_line = /(?i)(exec\(|eval\(|compile\(|__import__)/ or
      $e.target.process.command_line = /(?i)(base64\.b64decode|codecs\.decode)/ or
      $e.target.process.command_line = /(?i)(pyinstaller|py2exe|nuitka)/
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM PROCESS_LAUNCH events Endpoint telemetry forwarded to Chronicle via forwarders (Windows Sysmon, CrowdStrike, Carbon Black) Linux auditd process execution events normalized to UDM

Required Tables

UDM events (metadata.event_type = PROCESS_LAUNCH)

False Positives

Legitimate DevOps automation using Ansible, SaltStack, or Fabric that execute subprocess calls or network requests as part of infrastructure management
Data engineering pipelines using Python to download and process datasets using urllib or requests (ETL jobs, ML training workflows)
Application packaging workflows in CI/CD environments using PyInstaller or Nuitka to compile Python apps into distributable binaries

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(\\python\.exe$|\\python3\.exe$|\\pythonw\.exe$|\/python$|\/python3$)/
| CommandLine = /(?i)(socket\.socket|pty\.spawn|\/bin\/sh|\/bin\/bash|reverse_shell|reverse_tcp|urllib|requests\.get|requests\.post|http\.client|subprocess\.(call|popen|run)|os\.system|os\.popen|exec\(|eval\(|compile\(|__import__|base64\.b64decode|codecs\.decode|pyinstaller|py2exe|nuitka)/
| ReverseShell := if(CommandLine = /(?i)(socket\.socket|pty\.spawn|\/bin\/sh|reverse_shell|reverse_tcp)/, "true", "false")
| DownloadExec := if(CommandLine = /(?i)(urllib|requests\.(get|post)|http\.client)/, "true", "false")
| SubprocessExec := if(CommandLine = /(?i)(subprocess\.(call|popen|run)|os\.system|os\.popen)/, "true", "false")
| CodeExec := if(CommandLine = /(?i)(exec\(|eval\(|compile\(|__import__)/, "true", "false")
| Obfuscation := if(CommandLine = /(?i)(base64\.b64decode|codecs\.decode)/, "true", "false")
| SuspicionScore := case(ReverseShell = "true", 3, 0) + case(DownloadExec = "true", 2, 0) + case(SubprocessExec = "true", 1, 0) + case(CodeExec = "true", 2, 0) + case(Obfuscation = "true", 2, 0)
| SuspicionScore > 0
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ReverseShell, DownloadExec, SubprocessExec, CodeExec, Obfuscation, SuspicionScore])
| sort(SuspicionScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events) Falcon sensor telemetry for Windows (python.exe, pythonw.exe) and Linux (python, python3)

Required Tables

ProcessRollup2

False Positives

Falcon-monitored developer workstations running Python-based tooling such as pytest, pip install hooks, or tox environments that invoke subprocess or exec internally
Python-based IT automation agents (Puppet, Chef, SaltStack minions) that use os.system or subprocess for configuration management tasks
Legitimate security research or red team tooling running in authorized test environments where PyInstaller or Nuitka is used to compile and distribute Python payloads under controlled conditions

Python

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections