Python executed with suspicious arguments
Goal
Detect Python code being provided and executed on the command line using the -c flag.
Strategy
Python code can be passed directly on the command line using the -c flag, so nothing has to be written to disk as a script file. Attackers may use this to run “one-liners” which establish communication with an attacker-controlled server, download additional malware, or otherwise advance their mission. Libraries such as socket and subprocess are commonly used in these one-liners and are unlikely to have a legitimate purpose when invoked this way, so their presence in the code passed to -c is treated as suspicious.
Triage and response
- Review the process tree (parent process, user, and the full -c argument) to determine whether the Python command is expected.
- If the command is not expected, contain the host or container and roll back to a known good configuration.
- Start the incident response process and determine the initial entry point.
Requires Agent version 7.27 or greater