Detect Python in Splunk
Adversaries may abuse Python commands and scripts for execution. Python is a cross-platform scripting language that can be executed interactively from the command-line (via python.exe/python3), via scripts (.py), or compiled into binary executables. Python's built-in libraries for file operations, networking (socket, urllib, requests), and system interaction make it a powerful tool for adversaries. Threat actors including APT31, APT37, MuddyWater, and Contagious Interview have used Python-based implants, reverse shells, and backdoors across Windows, Linux, macOS, and ESXi environments.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.006 Python
- Canonical reference
- https://attack.mitre.org/techniques/T1059/006/
SPL Detection Query
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\pythonw.exe"))
OR
(index=linux sourcetype="linux:auditd" type=EXECVE (a0="*python*" OR a0="*python3*"))
| eval cmdline=coalesce(CommandLine, a1." ".a2." ".a3)
| eval cmdline_lower=lower(cmdline)
| eval ReverseShell=if(match(cmdline_lower, "(socket\.socket|pty\.spawn|/bin/sh|reverse_shell)"), 1, 0)
| eval DownloadExec=if(match(cmdline_lower, "(urllib|requests\.get|http\.client)"), 1, 0)
| eval SubprocessExec=if(match(cmdline_lower, "(subprocess\.(call|popen|run)|os\.system|os\.popen)"), 1, 0)
| eval CodeExec=if(match(cmdline_lower, "(exec\(|eval\(|compile\(|__import__)"), 1, 0)
| eval SuspicionScore=ReverseShell*3 + DownloadExec*2 + SubprocessExec + CodeExec*2
| where SuspicionScore > 0
| table _time, host, User, Image, cmdline, ParentImage, ReverseShell, DownloadExec, SubprocessExec, CodeExec, SuspicionScore
| sort - SuspicionScore, - _timeDetects suspicious Python execution from both Windows (Sysmon Event ID 1) and Linux (auditd) sources. Evaluates for reverse shells, network downloads, subprocess execution, and dynamic code evaluation. Weighted scoring prioritizes reverse shells (3x) and dynamic code execution (2x).
Data Sources
Required Sourcetypes
False Positives & Tuning
- Developers and data scientists running Python scripts with networking or subprocess libraries
- DevOps automation tools (Ansible, SaltStack) executing Python for system configuration
- CI/CD pipelines running Python test suites with subprocess calls
- Monitoring agents written in Python
Other platforms for T1059.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Python Reverse Shell One-Liner
Expected signal: Auditd: EXECVE record for python3 with -c flag and socket.socket in arguments. Network connection attempt to 127.0.0.1:4444. MDE DeviceProcessEvents and DeviceNetworkEvents on managed endpoints.
- Test 2Python Download and Execute
Expected signal: Sysmon Event ID 1: Process Create for python.exe with urllib in CommandLine. Sysmon Event ID 3: Network Connection to 127.0.0.1:8080 (will fail without listener). The exec() call triggers even though download fails.
- Test 3Python Subprocess Command Execution
Expected signal: Sysmon Event ID 1: Process Create for python.exe with subprocess.Popen in CommandLine. Child process event for cmd.exe spawned by python.exe.
References (5)
- https://attack.mitre.org/techniques/T1059/006/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md
- https://www.revshells.com/
- https://github.com/fortra/impacket
- https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online
Unlock Pro Content
Get the full detection package for T1059.006 including response playbook, investigation guide, and atomic red team tests.