Detect Python in Elastic Security
Adversaries may abuse Python commands and scripts for execution. Python is a cross-platform scripting language that can be executed interactively from the command-line (via python.exe/python3), via scripts (.py), or compiled into binary executables. Python's built-in libraries for file operations, networking (socket, urllib, requests), and system interaction make it a powerful tool for adversaries. Threat actors including APT31, APT37, MuddyWater, and Contagious Interview have used Python-based implants, reverse shells, and backdoors across Windows, Linux, macOS, and ESXi environments.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.006 Python
- Canonical reference
- https://attack.mitre.org/techniques/T1059/006/
Elastic Detection Query
process where event.type == "start"
and process.name in~ ("python", "python3", "python.exe", "python3.exe", "pythonw.exe")
and (
process.args : ("*import socket*", "*import subprocess*", "*import os*", "*import urllib*", "*import requests*", "*import http.client*")
or process.args : ("*socket.socket*", "*subprocess.call*", "*subprocess.Popen*", "*os.system(*", "*os.popen(*")
or process.args : ("*exec(*", "*eval(*", "*compile(*", "*__import__*")
or process.args : ("*base64.b64decode*", "*codecs.decode*", "*pty.spawn*", "*/bin/sh*", "*/bin/bash*")
or process.args : ("*reverse_tcp*", "*reverse_shell*", "*pyinstaller*", "*py2exe*", "*nuitka*")
or process.args : ("*urllib*", "*requests*", "*http.client*")
)Detects suspicious Python interpreter invocations indicative of MITRE ATT&CK T1059.006. Flags command-line arguments associated with reverse shells (socket.socket, pty.spawn), download-and-execute patterns (urllib, requests), subprocess abuse (os.system, subprocess.Popen), and dynamic code execution (exec, eval, compile, __import__). Covers Windows and Linux hosts via ECS process events.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate developer tooling (Jupyter notebooks, Flask/Django dev servers, Ansible playbooks) that import socket or subprocess as part of normal operation
- System automation scripts run by ops teams using requests or urllib for health checks and API polling
- Security tooling such as SIEM agents, vulnerability scanners, or EDR components written in Python that use subprocess or socket internally
Other platforms for T1059.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Python Reverse Shell One-Liner
Expected signal: Auditd: EXECVE record for python3 with -c flag and socket.socket in arguments. Network connection attempt to 127.0.0.1:4444. MDE DeviceProcessEvents and DeviceNetworkEvents on managed endpoints.
- Test 2Python Download and Execute
Expected signal: Sysmon Event ID 1: Process Create for python.exe with urllib in CommandLine. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080 (will fail without listener). The exec() call triggers even though download fails.
- Test 3Python Subprocess Command Execution
Expected signal: Sysmon Event ID 1: Process Create for python.exe with subprocess.Popen in CommandLine. Child process event for cmd.exe spawned by python.exe.
References (5)
- https://attack.mitre.org/techniques/T1059/006/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md
- https://www.revshells.com/
- https://github.com/fortra/impacket
- https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online
Unlock Pro Content
Get the full detection package for T1059.006 including response playbook, investigation guide, and atomic red team tests.