T1059.006 Python

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

ID: T1059.006
Sub-techniques: T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1059.009
Tactics: TA0002
Platforms: Linux, Windows, macOS
Permissions required: Administrator, SYSTEM, root
Version: 1.0
Created: 09 March 2020
Last Modified: 26 July 2021

Procedure Examples

ID Name Description
G0016 APT29 APT29 has developed malware variants written in Python.[39]
G0067 APT37 APT37 has used Python scripts to execute payloads.[37]
G0087 APT39 APT39 has used a command line utility and a network scanner written in Python.[33][34]
S0234 Bandook Bandook can support commands to execute Python-based payloads.[29]
G0060 BRONZE BUTLER BRONZE BUTLER has made use of Python-based remote access tools.[42]
S0482 Bundlore Bundlore has used Python scripts to execute payloads.[28]
S0631 Chaes Chaes has used Python scripts for execution and the installation of additional files.[9]
S0154 Cobalt Strike Cobalt Strike can use Python to perform execution.[12][14][13][15]
S0369 CoinTicker CoinTicker executes a Python script to download its second stage.[18]
S0492 CookieMiner CookieMiner has used Python scripts on the user’s system, as well as the Python variant of the Empire agent, EmPyre.[21]
S0695 Donut Donut can generate shellcode outputs that execute via Python.[4]
G0035 Dragonfly Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.[38]
S0547 DropBook DropBook is a Python-based backdoor compiled with PyInstaller.[8]
G1006 Earth Lusca Earth Lusca used Python scripts for port scanning or building reverse shells.[32]
S0377 Ebury Ebury has used Python to implement its DGA.[10]
S0581 IronNetInjector IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector.[2]
S0387 KeyBoy KeyBoy uses Python scripts for installing files and performing execution.[17]
S0276 Keydnap Keydnap uses Python for scripting to execute additional commands.[16]
G0094 Kimsuky Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.[43][44]
S0409 Machete Machete is written in Python and is used in conjunction with additional Python scripts.[24][25][26]
G0095 Machete Machete used multiple compiled Python scripts on the victim’s system. Machete’s main backdoor Machete is also written in Python.[36][24][26]
S0459 MechaFlounder MechaFlounder uses a Python-based payload.[22]
G0069 MuddyWater MuddyWater has used tools developed in Python, including Out1.[45]
C0014 Operation Wocao During Operation Wocao, threat actors’ backdoors were written in Python and compiled with py2exe.[46]
S0428 PoetRAT PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.[30]
S0196 PUNCHBUGGY PUNCHBUGGY has used Python scripts.[19]
S0192 Pupy Pupy can use an add-on feature when creating payloads that allows the operator to create custom Python scripts (“scriptlets”) to perform tasks offline (without requiring a session), such as sandbox detection, adding persistence, etc.[1]
S1032 PyDCrypt PyDCrypt, along with its functions, is written in Python.[23]
S0583 Pysa Pysa has used Python scripts to deploy ransomware.[27]
S0332 Remcos Remcos uses Python scripts.[3]
G0106 Rocke Rocke has used Python-based malware to install and spread their coinminer.[35]
S0692 SILENTTRINITY SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.[5][6]
S1035 Small Sieve Small Sieve can use Python scripts to execute commands.[7]
S0374 SpeakUp SpeakUp uses Python scripts.[20]
G0131 Tonto Team Tonto Team has used Python-based tools for execution.[31]
S0647 Turian Turian has the ability to use Python to spawn a Unix shell.[11]
G0010 Turla Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.[2]
G0128 ZIRCONIUM ZIRCONIUM has used Python-based implants to interact with compromised hosts.[40][41]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware Anti-virus can be used to automatically quarantine suspicious files.
M1047 Audit Inventory systems for unauthorized Python installations.
M1038 Execution Prevention Denylist Python where not required.
M1033 Limit Software Installation Prevent users from installing Python where not required.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation
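As an added, defender-side illustration of the Command Execution and Process Creation data components listed above (example code written for this page, not MITRE's or the ATT&CK page's own), the script below triages constructed process-creation events for interpreter execution. It matches Python image names across Linux, macOS and Windows, flags inline code passed with -c or read from stdin, flags scripts launched from user-writable staging directories, and flags execution on hosts outside an assumed approved-Python inventory of the kind an M1047 audit would produce. The event schema, host names, paths and the APPROVED_PYTHON_HOSTS set are all assumptions. Payloads compiled with PyInstaller or py2exe, as several procedure examples describe, run without a visible interpreter process and are not covered by this check.

```python
"""Triage process-creation events for Python interpreter execution (T1059.006).

Added example, not MITRE's or the ATT&CK page's code. The event schema, the
sample events and APPROVED_PYTHON_HOSTS are constructed/assumed for the demo.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Tuple

# Assumed output of an M1047-style audit: hosts where a Python install is expected.
APPROVED_PYTHON_HOSTS = {"build-01", "data-sci-07"}

# Interpreter image names seen on Linux, macOS and Windows:
# python, python3, python3.11, pythonw, python.exe, pythonw.exe ...
INTERPRETER_RE = re.compile(r"^pythonw?(\d+(\.\d+)*)?(\.exe)?$", re.IGNORECASE)

# User-writable locations commonly used to stage dropped scripts (lower-case substrings).
STAGING_DIRS = (
    "/tmp/", "/var/tmp/", "/dev/shm/", "/users/shared/",
    "\\appdata\\local\\temp\\", "\\users\\public\\",
)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed schema, not a vendor format)."""
    host: str
    user: str
    image: str          # full path of the executable that was started
    command_line: str   # full command line as logged


def image_name(path: str) -> str:
    """Last path component, accepting both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1]


def is_python_interpreter(image: str) -> bool:
    return INTERPRETER_RE.match(image_name(image)) is not None


def split_command_line(command_line: str) -> List[str]:
    """Tokenise the logged command line; keep Windows backslashes intact."""
    posix = "\\" not in command_line
    tokens = shlex.split(command_line, posix=posix)
    # In non-POSIX mode shlex keeps the surrounding quotes; drop them.
    return [t.strip('"') for t in tokens]


def triage(event: ProcessEvent) -> List[str]:
    """Return the reasons an event deserves analyst attention (empty list = nothing fired)."""
    reasons: List[str] = []
    if not is_python_interpreter(event.image):
        # Compiled payloads (PyInstaller/py2exe) never show an interpreter image
        # and therefore never reach the checks below.
        return reasons

    if event.host not in APPROVED_PYTHON_HOSTS:
        reasons.append(f"python executed on {event.host}, not in approved-Python inventory")

    args = split_command_line(event.command_line)[1:]
    if "-c" in args:
        reasons.append("inline code passed with -c instead of a script file")
    if "-" in args:
        reasons.append("program read from stdin (python -)")
    for arg in args:
        lowered = arg.lower()
        if lowered.endswith(".py") and any(d in lowered for d in STAGING_DIRS):
            reasons.append(f"script launched from user-writable staging path: {arg}")
    return reasons


def triage_all(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Pair every event with its reasons, keeping only the events that fired."""
    hits = []
    for event in events:
        reasons = triage(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample events; hosts, users and paths are invented for the demo.
SAMPLE_EVENTS = [
    ProcessEvent("build-01", "ci", "/usr/bin/python3",
                 "python3 /opt/ci/run_tests.py"),
    ProcessEvent("ws-042", "jdoe", "/usr/bin/python3",
                 "python3 -c 'import sys; print(sys.version)'"),
    ProcessEvent("ws-017", "alice", r"C:\Python39\python.exe",
                 r'"C:\Python39\python.exe" C:\Users\alice\AppData\Local\Temp\update.py'),
    ProcessEvent("build-01", "ci", "/bin/bash", "bash -c ls"),
]

if __name__ == "__main__":
    for event, reasons in triage_all(SAMPLE_EVENTS):
        print(f"{event.host}/{event.user}: {event.command_line}")
        for reason in reasons:
            print("  -", reason)
```

The host check is the piece that ties the two data sources to the M1047 and M1038 mitigations: once Python is inventoried and denylisted where it is not needed, any interpreter start on a non-approved host is a finding on its own, independent of what the command line looks like. Matching on the image name rather than the first command-line token catches the common case where the logged command line has been shortened or quoted differently from the executable path.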

References

  1. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  2. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021. 

  3. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018. 

  4. TheWover. (2019, May 9). donut. Retrieved March 25, 2022. 

  5. Salvati, M. (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.

  6. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  7. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022. 

  8. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 

  9. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  10. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.

  11. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.

  12. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017. 

  13. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. 

  14. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019. 

  15. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  16. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018. 

  17. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019. 

  18. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019. 

  19. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.

  20. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019. 

  21. Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.

  22. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020. 

  23. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 

  24. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  25. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. 

  26. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. 

  27. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021. 

  28. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. 

  29. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  30. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. 

  31. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021. 

  32. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  33. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020. 

  34. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  35. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. 

  36. The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. 

  37. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  38. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  39. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015. 

  40. Huntley, S. (2020, October 16). How We’re Tackling Evolving Online Threats. Retrieved March 24, 2021. 

  41. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. 

  42. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  43. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  44. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. 

  45. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  46. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.