
Python Spawning Pretty TTY on Windows

Detects python spawning a pretty tty

Author: Nextron Systems
Created: Fri Jun 03
Rule ID: 480e7e51-e797-47e3-8d72-ebfce65b6d8d
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (3 selectors)
detection:
    selection_img:
        Image|endswith:
            - 'python.exe' # no \ bc of e.g. ipython.exe
            - 'python3.exe'
            - 'python2.exe'
    selection_cli_1:
        CommandLine|contains|all:
            - 'import pty'
            - '.spawn('
    selection_cli_2:
        CommandLine|contains: 'from pty import spawn'
    condition: selection_img and 1 of selection_cli_*
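The following is an added illustration of how the three selectors and the condition above combine when evaluated over process-creation events; it is not code from the Sigma project or from this rule's author. It assumes events are plain dictionaries carrying the rule's own field names (Image, CommandLine), applies Sigma's default case-insensitive string matching, and uses constructed sample events rather than real telemetry. It also shows why the author left the leading backslash off the Image values: ipython.exe matches as well.

```python
# Added example: evaluate the Sigma rule "Python Spawning Pretty TTY on Windows"
# over constructed process-creation events. Not part of Sigma or the original rule.

IMAGE_SUFFIXES = ("python.exe", "python3.exe", "python2.exe")   # selection_img
CLI_ALL_1 = ("import pty", ".spawn(")                            # selection_cli_1
CLI_ANY_2 = ("from pty import spawn",)                           # selection_cli_2


def _lc(value):
    """Sigma string modifiers (endswith/contains) match case-insensitively by default."""
    return (value or "").lower()


def selection_img(event):
    """Image|endswith: no leading backslash, so e.g. ipython.exe also matches."""
    image = _lc(event.get("Image"))
    return any(image.endswith(suffix) for suffix in IMAGE_SUFFIXES)


def selection_cli_1(event):
    """CommandLine|contains|all: every listed substring must be present."""
    cmd = _lc(event.get("CommandLine"))
    return all(s in cmd for s in CLI_ALL_1)


def selection_cli_2(event):
    """CommandLine|contains: any listed substring is enough."""
    cmd = _lc(event.get("CommandLine"))
    return any(s in cmd for s in CLI_ANY_2)


def matches(event):
    """condition: selection_img and 1 of selection_cli_*"""
    return selection_img(event) and (selection_cli_1(event) or selection_cli_2(event))


# Constructed sample events (assumed field names, made-up paths; not real logs).
SAMPLE_EVENTS = [
    {"Image": r"C:\Python311\python.exe",
     "CommandLine": "python.exe -c \"import pty; pty.spawn('cmd.exe')\""},
    {"Image": r"C:\Python311\Scripts\ipython.exe",
     "CommandLine": "ipython.exe -c \"from pty import spawn; spawn('cmd.exe')\""},
    {"Image": r"C:\Python311\python.exe",
     "CommandLine": "python.exe -m pytest tests/"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo import pty; x.spawn("},
    {"Image": r"C:\Python311\python.exe",
     "CommandLine": "PYTHON.EXE -c \"IMPORT PTY; PTY.SPAWN('cmd.exe')\""},
]


def run(events=SAMPLE_EVENTS):
    """Return the indexes of the events that trigger the rule."""
    return [i for i, event in enumerate(events) if matches(event)]


if __name__ == "__main__":
    for i in run():
        print("alert:", SAMPLE_EVENTS[i]["CommandLine"])
```

Events 0, 1 and 4 fire: the first through selection_cli_1, the second through selection_cli_2 on an ipython.exe image, and the last despite its upper-case command line. The pytest invocation and the cmd.exe event do not, the latter because the condition requires selection_img regardless of what the command line contains.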
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
480e7e51-e797-47e3-8d72-ebfce65b6d8d
Status
test
Level
high
Type
Detection
Created
Fri Jun 03
Path
rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml
Raw Tags
attack.execution, attack.t1059