<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PyTorch Foundation - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/pytorch-foundation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jul 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/pytorch-foundation/feed.xml" rel="self" type="application/rss+xml"/><item><title>First Time Python Spawned a Shell on macOS Host</title><link>https://feed.craftedsignal.io/briefs/2024-07-python-shell-macos/</link><pubDate>Tue, 02 Jul 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-python-shell-macos/</guid><description>This rule detects the first time a Python process spawns a shell on a given macOS host using the `-c` flag, indicating potential malicious activity stemming from compromised Python environments.</description><content:encoded><![CDATA[<p>This detection identifies the initial instance of a Python process spawning a shell on a macOS host. Attackers often leverage Python code execution, gained through malicious scripts, compromised dependencies, or insecure model file deserialization (e.g., pickle/PyTorch <code>__reduce__</code>), to spawn shell processes. These shell processes are then used for reconnaissance, credential theft, persistence, or establishing reverse shells. The rule specifically looks for shell invocations using the <code>-c</code> flag, which is often used to execute commands directly within the shell. Given that legitimate Python workflows typically avoid using <code>-c</code> to execute shell commands, the first appearance of such behavior on a host is a significant indicator of a potential compromise. The rule leverages a 7-day window to establish the first occurrence baseline.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a macOS system via methods such as phishing or exploiting a vulnerable service.</li>
<li>Attacker uploads or introduces a malicious Python script or compromises an existing Python dependency.</li>
<li>The malicious Python script is executed. This could occur via a user executing the script, a cron job, or a compromised application loading the script.</li>
<li>The Python script uses the <code>subprocess</code> module or a similar function to spawn a shell process (e.g., bash, sh, zsh) with the <code>-c</code> flag.</li>
<li>The shell executes a command provided by the Python script, such as system reconnaissance (<code>whoami</code>, <code>ifconfig</code>), credential access (<code>security dump-keychain</code>), or persistence mechanisms.</li>
<li>The attacker may establish a reverse shell to maintain access to the compromised system.</li>
<li>The attacker performs lateral movement or exfiltrates sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to a wide range of consequences, including unauthorized access to sensitive data, system compromise, and lateral movement within the network. While specific victim counts or sectors targeted are not provided, the attack could impact any macOS environment where Python is used, particularly those handling sensitive information or running custom Python scripts.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Python Shell Spawned with -c</code> to your SIEM to detect the behavior described in this brief and tune for your environment.</li>
<li>Enable Sysmon process creation logging to ensure the <code>process_creation</code> log category is populated, allowing for accurate detection using the provided Sigma rules.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the parent Python process and the executed shell command to understand the context of the activity.</li>
<li>Implement <code>weights_only=True</code> enforcement for PyTorch model loading across the environment, as referenced in the &quot;https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/&quot; reference.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>execution</category><category>macos</category><category>python</category></item></channel></rss>