
Adjust 'Python Spawning Pretty TTY' to detect ways to circumvent detection

Open wieso-itzi opened this issue 4 months ago • 0 comments

Summary of the Pull Request

The detection rule which aims to detect the spawning of a Python Pretty TTY (example: python3 -c 'import pty;pty.spawn("/bin/bash")') can be avoided by attackers by assigning the spawn function to a variable before calling it. The modified rule is more strict so it detects this. Two examples that the previous iteration of this detection rule did not catch, and which should now be detected, are as follows:

  • python3 -c 'from pty import os, spawn; test=spawn; test("/bin/bash")'
  • python3 -c 'import pty; test=pty.spawn; test("/bin/bash")'

Changelog

fix: Python Spawning Pretty TTY - detect usage of pty.spawn even if it was assigned to a variable

Example Log Event

N/A

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

wieso-itzi, Oct 10 '24 12:10
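The following is an added illustration, not part of this pull request and not the SigmaHQ rule itself. It models in Python the difference between a narrow detection that only matches the literal call pty.spawn( and the stricter logic the PR describes, which looks for the pty module being imported together with the name spawn anywhere in the command line, so that assigning spawn to a variable before calling it is still caught. The process-creation events are constructed samples, and the field names (Image, CommandLine) and the exact matching conditions are assumptions used for the demonstration, not the rule's real selection strings.

```python
import re

# Constructed sample process-creation events (not real logs). The three
# python pty command lines are the ones quoted in the PR description.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c 'import pty;pty.spawn(\"/bin/bash\")'"},
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c 'from pty import os, spawn; test=spawn; test(\"/bin/bash\")'"},
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c 'import pty; test=pty.spawn; test(\"/bin/bash\")'"},
    # Benign python invocation: should match neither variant.
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 manage.py runserver"},
    # Keywords present but not a python interpreter: the Image check should exclude it.
    {"Image": "/bin/bash",
     "CommandLine": "bash -c 'echo pty spawn'"},
]

# Matches 'import pty' or 'from pty import' with any whitespace in between
# (assumed approximation of the stricter rule's intent).
PTY_IMPORT = re.compile(r"(import\s+pty\b|from\s+pty\s+import\b)")


def is_python(event):
    """Assumed interpreter check: the executable name contains 'python'."""
    return "python" in event["Image"].lower()


def narrow_rule(event):
    """Models the previous iteration: only the literal direct call is matched."""
    return is_python(event) and "pty.spawn(" in event["CommandLine"]


def strict_rule(event):
    """Models the adjusted logic: pty must be imported and 'spawn' must appear
    somewhere in the command line, whether called directly or via a variable."""
    cmd = event["CommandLine"]
    return is_python(event) and PTY_IMPORT.search(cmd) is not None and "spawn" in cmd


def evaluate(rule, events):
    """Return the command lines the given rule flags, in input order."""
    return [e["CommandLine"] for e in events if rule(e)]


if __name__ == "__main__":
    print("narrow rule hits:", evaluate(narrow_rule, SAMPLE_EVENTS))
    print("strict rule hits:", evaluate(strict_rule, SAMPLE_EVENTS))
```

Run against the samples, the narrow variant flags only the first command line, while the stricter variant flags all three pty command lines and still ignores the benign python invocation and the bash command that merely contains the keywords. Loosening the match this way is the usual trade-off when closing an evasion: the broader condition is more robust to rewording but should be paired with an interpreter or image filter, as here, to keep false positives manageable.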