Merge PR #5042 from @wieso-itzi - Update Python PTY rules

wieso-itzi · nasbench · web-flow · commit 4f4ef7a8cc07 · 2024-11-04T12:15:00.000+01:00
update: Python Spawning Pretty TTY Via PTY Module - Update the logic to account for the possibility of calling the spawn function via a variable, as an alias or other methods.
update: Python Reverse Shell Execution Via PTY And Socket Modules - Add additional strings to increase accuracy and coverage. 

---------

Signed-off-by: wieso-itzi &lt;85185077+wieso-itzi@users.noreply.github.com&gt;
Co-authored-by: nasbench &lt;8741929+nasbench@users.noreply.github.com&gt;
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml
@@ -1,15 +1,16 @@
-title: Python Spawning Pretty TTY
+title: Python Spawning Pretty TTY Via PTY Module
 id: c4042d54-110d-45dd-a0e1-05c47822c937
 related:
     - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
       type: similar
 status: test
-description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity
+description: |
+    Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
 references:
     - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
 author: Nextron Systems
 date: 2022-06-03
-modified: 2023-06-16
+modified: 2024-11-04
 tags:
     - attack.execution
     - attack.t1059
@@ -25,13 +26,13 @@ detection:
         - Image|contains:
               - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink
               - '/python3.'
-    selection_cli_1:
-        CommandLine|contains|all:
+    selection_cli_import:
+        CommandLine|contains:
             - 'import pty'
-            - '.spawn('
-    selection_cli_2:
-        CommandLine|contains: 'from pty import spawn'
-    condition: selection_img and 1 of selection_cli_*
+            - 'from pty '
+    selection_cli_spawn:
+        CommandLine|contains: 'spawn'
+    condition: all of selection_*
 falsepositives:
     - Unknown
-level: high
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml
@@ -1,15 +1,16 @@
-title: Potential Python Reverse Shell
+title: Python Reverse Shell Execution Via PTY And Socket Modules
 id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
 related:
     - id: c4042d54-110d-45dd-a0e1-05c47822c937
       type: similar
 status: test
-description: Detects executing python with keywords related to network activity that could indicate a potential reverse shell
+description: |
+    Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
 references:
-    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
     - https://www.revshells.com/
 author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
 date: 2023-04-24
+modified: 2024-11-04
 tags:
     - attack.execution
 logsource:
@@ -22,7 +23,8 @@ detection:
             - ' -c '
             - 'import'
             - 'pty'
-            - 'spawn('
+            - 'socket'
+            - 'spawn'
             - '.connect'
     condition: selection
 falsepositives:
