T1059.006 CrowdStrike LogScale · LogScale

Detect Python in CrowdStrike LogScale

Adversaries may abuse Python commands and scripts for execution. Python is a cross-platform scripting language that can be executed interactively from the command line (via python.exe/python3), via scripts (.py), or compiled into binary executables. Python's built-in libraries for file operations, networking (socket, urllib, requests), and system interaction make it a powerful tool for adversaries. Threat actors including APT31, APT37, MuddyWater, and Contagious Interview have used Python-based implants, reverse shells, and backdoors across Windows, Linux, macOS, and ESXi environments.

MITRE ATT&CK

Tactic: Execution
Technique: T1059 Command and Scripting Interpreter
Sub-technique: T1059.006 Python
Canonical reference: https://attack.mitre.org/techniques/T1059/006/

LogScale Detection Query

#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(\\python\.exe$|\\python3\.exe$|\\pythonw\.exe$|\/python$|\/python3$)/
| CommandLine = /(?i)(socket\.socket|pty\.spawn|\/bin\/sh|\/bin\/bash|reverse_shell|reverse_tcp|urllib|requests\.get|requests\.post|http\.client|subprocess\.(call|popen|run)|os\.system|os\.popen|exec\(|eval\(|compile\(|__import__|base64\.b64decode|codecs\.decode|pyinstaller|py2exe|nuitka)/
// Per-category flags; /bin/bash is included here so that it is scored the same as /bin/sh from the filter above
| ReverseShell := if(CommandLine = /(?i)(socket\.socket|pty\.spawn|\/bin\/sh|\/bin\/bash|reverse_shell|reverse_tcp)/, then="true", else="false")
| DownloadExec := if(CommandLine = /(?i)(urllib|requests\.(get|post)|http\.client)/, then="true", else="false")
| SubprocessExec := if(CommandLine = /(?i)(subprocess\.(call|popen|run)|os\.system|os\.popen)/, then="true", else="false")
| CodeExec := if(CommandLine = /(?i)(exec\(|eval\(|compile\(|__import__)/, then="true", else="false")
| Obfuscation := if(CommandLine = /(?i)(base64\.b64decode|codecs\.decode)/, then="true", else="false")
// Weighted score: case is a block construct in LogScale, not a function, so each weight is assigned with if() and then summed
| ReverseShellScore := if(ReverseShell = "true", then=3, else=0)
| DownloadExecScore := if(DownloadExec = "true", then=2, else=0)
| SubprocessExecScore := if(SubprocessExec = "true", then=1, else=0)
| CodeExecScore := if(CodeExec = "true", then=2, else=0)
| ObfuscationScore := if(Obfuscation = "true", then=2, else=0)
| SuspicionScore := ReverseShellScore + DownloadExecScore + SubprocessExecScore + CodeExecScore + ObfuscationScore
| SuspicionScore > 0
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ReverseShell, DownloadExec, SubprocessExec, CodeExec, Obfuscation, SuspicionScore])
| sort(SuspicionScore, order=desc)

Severity: high · Confidence: medium

Detects suspicious Python interpreter execution for T1059.006 using CrowdStrike Falcon ProcessRollup2 telemetry. Filters on python.exe, python3.exe, pythonw.exe, and Linux python/python3 binaries where the command line matches reverse shell indicators (socket.socket, pty.spawn), download-and-execute patterns (urllib, requests), subprocess abuse (os.system, subprocess.Popen), dynamic code execution (exec, eval, compile, __import__), or obfuscation (base64.b64decode, codecs.decode). Computes a weighted suspicion score per event.
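To sanity-check the filters and weights before deploying the query, the following added example re-implements the same logic in Python and runs it over constructed ProcessRollup2-style events. It is example code written for this page, not part of the original rule or of LogScale; the field names follow the query, while the host names, paths and command lines are made up, and the deliberately non-functional command lines only carry the indicator tokens the query looks for.

```python
import re

# Regexes copied from the LogScale query; the (?i) prefix keeps the match case-insensitive.
IMAGE_RE = re.compile(r"(?i)(\\python\.exe$|\\python3\.exe$|\\pythonw\.exe$|/python$|/python3$)")
# category -> (indicator regex, weight), matching the query's flag and score lines
INDICATORS = {
    "ReverseShell": (re.compile(r"(?i)(socket\.socket|pty\.spawn|/bin/sh|/bin/bash|reverse_shell|reverse_tcp)"), 3),
    "DownloadExec": (re.compile(r"(?i)(urllib|requests\.(get|post)|http\.client)"), 2),
    "SubprocessExec": (re.compile(r"(?i)(subprocess\.(call|popen|run)|os\.system|os\.popen)"), 1),
    "CodeExec": (re.compile(r"(?i)(exec\(|eval\(|compile\(|__import__)"), 2),
    "Obfuscation": (re.compile(r"(?i)(base64\.b64decode|codecs\.decode)"), 2),
}

def score_event(event):
    """Apply the query's filters to one event. Returns None when the event would be
    dropped, otherwise the event enriched with the flag fields and SuspicionScore."""
    if event.get("event_simpleName") != "ProcessRollup2":
        return None
    if not IMAGE_RE.search(event.get("ImageFileName", "")):
        return None  # the interpreter filter is on the image path, not on the command line
    cmd = event.get("CommandLine", "")
    flags = {name: bool(rx.search(cmd)) for name, (rx, _) in INDICATORS.items()}
    score = sum(weight for name, (_, weight) in INDICATORS.items() if flags[name])
    if score == 0:
        return None  # mirrors "| SuspicionScore > 0"
    return {**event, **{k: str(v).lower() for k, v in flags.items()}, "SuspicionScore": score}

def run_query(events):
    """Filter, score and sort a list of events the way the query's table()/sort() do."""
    hits = [h for h in map(score_event, events) if h is not None]
    return sorted(hits, key=lambda h: h["SuspicionScore"], reverse=True)

# Constructed sample events (hosts, paths and command lines are made up for this example).
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "LNX01", "ImageFileName": "/usr/bin/python3",
     "CommandLine": "python3 -c \"import socket,pty; s=socket.socket(); ...; pty.spawn('/bin/sh')\""},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "ImageFileName": r"C:\Python311\python.exe",
     "CommandLine": "python.exe -c \"import urllib.request,base64; exec(base64.b64decode('...'))\""},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS02", "ImageFileName": r"C:\Python311\python.exe",
     "CommandLine": "python.exe -m pytest tests/"},  # benign: no indicator, score 0, dropped
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS03", "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c python.exe -c \"exec(...)\""},  # image is cmd.exe, so not matched
]

if __name__ == "__main__":
    for hit in run_query(SAMPLE_EVENTS):
        print(hit["SuspicionScore"], hit["ComputerName"], hit["CommandLine"])
```

The last two sample events show the two ways a Python launch can escape the rule: a command line with no indicator token, and a python.exe invocation whose ProcessRollup2 image is the parent shell rather than the interpreter.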

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events): Falcon sensor telemetry for Windows (python.exe, pythonw.exe) and Linux (python, python3)

Required Tables

ProcessRollup2

False Positives & Tuning

  • Falcon-monitored developer workstations running Python-based tooling such as pytest, pip install hooks, or tox environments that invoke subprocess or exec internally
  • Python-based IT automation agents (Puppet, Chef, SaltStack minions) that use os.system or subprocess for configuration management tasks
  • Legitimate security research or red team tooling running in authorized test environments where PyInstaller or Nuitka is used to compile and distribute Python payloads under controlled conditions
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Python Reverse Shell One-Liner

    Expected signal: Auditd: EXECVE record for python3 with -c flag and socket.socket in arguments. Network connection attempt to 127.0.0.1:4444. MDE DeviceProcessEvents and DeviceNetworkEvents on managed endpoints.

  2. Test 2: Python Download and Execute

    Expected signal: Sysmon Event ID 1: Process Create for python.exe with urllib in CommandLine. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080 (will fail without listener). The exec() call triggers even though download fails.

  3. Test 3: Python Subprocess Command Execution

    Expected signal: Sysmon Event ID 1: Process Create for python.exe with subprocess.Popen in CommandLine. Child process event for cmd.exe spawned by python.exe.
