First Time Python Spawned a Shell on macOS Host
This rule detects the first time a Python process spawns a shell on a given macOS host using the `-c` flag, indicating potential malicious activity stemming from compromised Python environments.
This detection identifies the initial instance of a Python process spawning a shell on a macOS host. Attackers often leverage Python code execution, gained through malicious scripts, compromised dependencies, or insecure model file deserialization (e.g., pickle/PyTorch __reduce__), to spawn shell processes. These shell processes are then used for reconnaissance, credential theft, persistence, or establishing reverse shells. The rule specifically looks for shell invocations using the -c flag, which is often used to execute commands directly within the shell. Given that legitimate Python workflows typically avoid using -c to execute shell commands, the first appearance of such behavior on a host is a significant indicator of a potential compromise. The rule leverages a 7-day window to establish the first occurrence baseline.
Attack Chain
- Attacker gains initial access to a macOS system via methods such as phishing or exploiting a vulnerable service.
- Attacker uploads or introduces a malicious Python script or compromises an existing Python dependency.
- The malicious Python script is executed. This could occur via a user executing the script, a cron job, or a compromised application loading the script.
- The Python script uses the
subprocessmodule or a similar function to spawn a shell process (e.g., bash, sh, zsh) with the-cflag. - The shell executes a command provided by the Python script, such as system reconnaissance (
whoami,ifconfig), credential access (security dump-keychain), or persistence mechanisms. - The attacker may establish a reverse shell to maintain access to the compromised system.
- The attacker performs lateral movement or exfiltrates sensitive data.
Impact
Successful exploitation can lead to a wide range of consequences, including unauthorized access to sensitive data, system compromise, and lateral movement within the network. While specific victim counts or sectors targeted are not provided, the attack could impact any macOS environment where Python is used, particularly those handling sensitive information or running custom Python scripts.
Recommendation
- Deploy the Sigma rule
Python Shell Spawned with -cto your SIEM to detect the behavior described in this brief and tune for your environment. - Enable Sysmon process creation logging to ensure the
process_creationlog category is populated, allowing for accurate detection using the provided Sigma rules. - Investigate any alerts generated by the Sigma rule, focusing on the parent Python process and the executed shell command to understand the context of the activity.
- Implement
weights_only=Trueenforcement for PyTorch model loading across the environment, as referenced in the "https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/" reference.
Detection coverage 2
Python Shell Spawned with -c
highDetects Python spawning a shell with the -c flag on macOS
Suspicious Python Subprocess Execution
mediumDetects potentially malicious Python subprocess execution on macOS
Detection queries are available on the platform. Get full rules →