Skip to content
Threat Feed
medium advisory

First Time Python Spawned a Shell on macOS Host

This rule detects the first time a Python process spawns a shell on a given macOS host using the `-c` flag, indicating potential malicious activity stemming from compromised Python environments.

This detection identifies the initial instance of a Python process spawning a shell on a macOS host. Attackers often leverage Python code execution, gained through malicious scripts, compromised dependencies, or insecure model file deserialization (e.g., pickle/PyTorch __reduce__), to spawn shell processes. These shell processes are then used for reconnaissance, credential theft, persistence, or establishing reverse shells. The rule specifically looks for shell invocations using the -c flag, which is often used to execute commands directly within the shell. Given that legitimate Python workflows typically avoid using -c to execute shell commands, the first appearance of such behavior on a host is a significant indicator of a potential compromise. The rule leverages a 7-day window to establish the first occurrence baseline.

Attack Chain

  1. Attacker gains initial access to a macOS system via methods such as phishing or exploiting a vulnerable service.
  2. Attacker uploads or introduces a malicious Python script or compromises an existing Python dependency.
  3. The malicious Python script is executed. This could occur via a user executing the script, a cron job, or a compromised application loading the script.
  4. The Python script uses the subprocess module or a similar function to spawn a shell process (e.g., bash, sh, zsh) with the -c flag.
  5. The shell executes a command provided by the Python script, such as system reconnaissance (whoami, ifconfig), credential access (security dump-keychain), or persistence mechanisms.
  6. The attacker may establish a reverse shell to maintain access to the compromised system.
  7. The attacker performs lateral movement or exfiltrates sensitive data.

Impact

Successful exploitation can lead to a wide range of consequences, including unauthorized access to sensitive data, system compromise, and lateral movement within the network. While specific victim counts or sectors targeted are not provided, the attack could impact any macOS environment where Python is used, particularly those handling sensitive information or running custom Python scripts.

Recommendation

  • Deploy the Sigma rule Python Shell Spawned with -c to your SIEM to detect the behavior described in this brief and tune for your environment.
  • Enable Sysmon process creation logging to ensure the process_creation log category is populated, allowing for accurate detection using the provided Sigma rules.
  • Investigate any alerts generated by the Sigma rule, focusing on the parent Python process and the executed shell command to understand the context of the activity.
  • Implement weights_only=True enforcement for PyTorch model loading across the environment, as referenced in the "https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/" reference.

Detection coverage 2

Python Shell Spawned with -c

high

Detects Python spawning a shell with the -c flag on macOS

sigma tactics: execution techniques: T1059.006 sources: process_creation, macos

Suspicious Python Subprocess Execution

medium

Detects potentially malicious Python subprocess execution on macOS

sigma tactics: execution techniques: T1059.006 sources: process_creation, macos

Detection queries are available on the platform. Get full rules →