Inline Python Execution - Spawn Shell Via OS System Library

Original Source: [Sigma source]
Title: Inline Python Execution - Spawn Shell Via OS System Library
Status: experimental
Description: Detects execution of inline Python code via the "-c" flag that calls the "system" function from the "os" library in order to spawn a shell.
References:
  - https://gtfobins.github.io/gtfobins/python/#shell
Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
Date: 2024-09-02
Modified: None
Tags:
  - attack.execution
  - attack.t1059
Logsource:
  category: process_creation
  product: linux
Detection:
  selection_img:
    - Image|endswith:
      - '/python'
      - '/python2'
      - '/python3'
    - Image|contains:
      - '/python2.'
      - '/python3.'
  selection_cli:
    CommandLine|contains|all:
      - ' -c '
      - 'os.system('
    CommandLine|contains:
      - '/bin/bash'
      - '/bin/dash'
      - '/bin/fish'
      - '/bin/sh'
      - '/bin/zsh'
  condition: all of selection_*
Falsepositives:
  - Unknown
Level: high
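To see exactly which process_creation events the two selections match, here is the rule's logic as an added Python example (not part of the Sigma rule or the Sigma project), run over constructed sample events; field names follow the rule, and the lower-casing mirrors Sigma's default case-insensitive string matching.

```python
# Added example: the rule's selections and condition as plain Python.
# The events below are constructed samples, not real telemetry.

PY_IMAGE_ENDSWITH = ("/python", "/python2", "/python3")   # Image|endswith
PY_IMAGE_CONTAINS = ("/python2.", "/python3.")            # Image|contains
CLI_CONTAINS_ALL = (" -c ", "os.system(")                 # CommandLine|contains|all
SHELLS = ("/bin/bash", "/bin/dash", "/bin/fish", "/bin/sh", "/bin/zsh")  # CommandLine|contains


def selection_img(event):
    # Two list items under selection_img are OR-ed: either modifier may match.
    image = event.get("Image", "").lower()
    return image.endswith(PY_IMAGE_ENDSWITH) or any(s in image for s in PY_IMAGE_CONTAINS)


def selection_cli(event):
    # Keys inside one map are AND-ed: every contains|all token must be present,
    # plus at least one of the listed shell paths.
    cli = event.get("CommandLine", "").lower()
    return all(t in cli for t in CLI_CONTAINS_ALL) and any(s in cli for s in SHELLS)


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def evaluate(events):
    """Return one True/False verdict per event, in order."""
    return [matches(e) for e in events]


# Constructed sample process_creation events (field names follow the rule).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c \"import os; os.system('/bin/sh')\""},       # fires
    {"Image": "/usr/bin/python3.11",
     "CommandLine": "python3.11 -c 'import os;os.system(\"/bin/bash\")'"},  # fires (python3. prefix)
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c \"print('hello')\""},                        # inline code, no shell
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 manage.py runserver"},                          # no -c at all
    {"Image": "/usr/bin/perl",
     "CommandLine": "perl -e 'system(\"/bin/sh\")'"},                        # not a python image
]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("MATCH  " if hit else "ignore ", event["CommandLine"])
```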