Detection · medium · test

Python Initiated Connection

Detects a Python process initiating a network connection. While this is often package installation, it can also indicate a malicious script communicating with a command-and-control (C&C) server.

Author: François Hubaut · Created: Fri Dec 10 · Updated: Wed Mar 05 · ID: bef0bc5a-b9ae-425d-85c6-7b2d705980c6 · Product: windows
Log Source
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)

Events for outbound and inbound network connections including DNS resolution.

Definition

Requirements: field enrichment is required for the filters to work, as fields such as CommandLine and ParentImage are not available by default on this event type (Sysmon EID 3 does not contain CommandLine or ParentImage). Without enrichment the filter_main_pip and filter_optional_* selectors can never match, so benign pip and conda traffic will alert.

Detection Logic (5 selectors)
detection:
    selection:
        Initiated: 'true'
        Image|contains|all:
            - '\python'
            - '.exe'
    filter_optional_conda:
        # Related to anaconda updates. Command example: "conda update conda"
        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
        ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe
        CommandLine|contains|all:
            - ':\ProgramData\Anaconda3\Scripts\conda-script.py'
            - 'update'
    filter_optional_conda_jupyter_notebook:
        # Related to anaconda opening an instance of Jupyter Notebook
        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
        ParentImage: C:\ProgramData\Anaconda3\python.exe
        CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
    filter_main_local_communication:
        # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python opening sockets locally etc. So comment this out if you want to monitor for those instances
        DestinationIp: 127.0.0.1
        SourceIp: 127.0.0.1
    filter_main_pip:
        CommandLine|contains|all:
            - 'pip.exe'
            - 'install'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
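To make the condition above and the enrichment requirement concrete, here is an added example (not the rule's or the page's own code) that applies the same selection and filter logic to constructed Sysmon Event ID 3-style records. Field names follow the Sigma windows/network_connection taxonomy (Image, Initiated, SourceIp, DestinationIp, plus enriched CommandLine and ParentImage); string matching is case-insensitive as Sigma defaults to; a field absent from the event never matches, which is exactly why an unenriched pip install falls through every filter and alerts. The sample events are constructed, as are all paths and IPs in them.

```python
# Added example, not part of the Sigma rule or the page. Evaluates the
# 'Python Initiated Connection' logic over constructed Sysmon EID 3-style records.

def _lower(value):
    return str(value).lower()


def field_equals(event, field, expected):
    """Sigma exact match: field must exist and equal the value (case-insensitive)."""
    value = event.get(field)
    return value is not None and _lower(value) == _lower(expected)


def field_contains_all(event, field, needles):
    """Sigma contains|all: field must exist and contain every needle (case-insensitive)."""
    value = event.get(field)
    if value is None:
        return False
    value = _lower(value)
    return all(_lower(n) in value for n in needles)


def selection(event):
    # Initiated: 'true' and Image|contains|all: ['\python', '.exe']
    return field_equals(event, "Initiated", "true") and field_contains_all(
        event, "Image", ["\\python", ".exe"])


def filter_main(event):
    # filter_main_local_communication or filter_main_pip
    local = field_equals(event, "DestinationIp", "127.0.0.1") and field_equals(
        event, "SourceIp", "127.0.0.1")
    pip = field_contains_all(event, "CommandLine", ["pip.exe", "install"])
    return local or pip


def filter_optional(event):
    # filter_optional_conda or filter_optional_conda_jupyter_notebook
    conda = field_equals(
        event, "ParentImage", r"C:\ProgramData\Anaconda3\Scripts\conda.exe"
    ) and field_contains_all(
        event, "CommandLine",
        [r":\ProgramData\Anaconda3\Scripts\conda-script.py", "update"])
    jupyter = field_equals(
        event, "ParentImage", r"C:\ProgramData\Anaconda3\python.exe"
    ) and field_contains_all(
        event, "CommandLine",
        [r"C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py"])
    return conda or jupyter


def rule_matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(event) and not filter_main(event) and not filter_optional(event)


# Constructed sample events; "name" is only a label for the reader.
SAMPLE_EVENTS = [
    {"name": "suspicious_outbound", "Initiated": "true",
     "Image": r"C:\Python311\python.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"python.exe C:\Users\bob\AppData\Local\Temp\update.py",
     "SourceIp": "10.0.0.5", "DestinationIp": "203.0.113.10"},
    # pythonw.exe also satisfies Image|contains|all ['\python', '.exe']
    {"name": "pythonw_outbound", "Initiated": "true",
     "Image": r"C:\Python311\pythonw.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"pythonw.exe C:\Users\bob\tray.py",
     "SourceIp": "10.0.0.5", "DestinationIp": "203.0.113.10"},
    # Inbound connection: Initiated is false, so the selection does not fire
    {"name": "inbound_listener", "Initiated": "false",
     "Image": r"C:\Python311\python.exe", "CommandLine": r"python.exe -m http.server",
     "SourceIp": "10.0.0.5", "DestinationIp": "10.0.0.9"},
    {"name": "pip_install", "Initiated": "true",
     "Image": r"C:\Python311\python.exe",
     "CommandLine": r"C:\Python311\Scripts\pip.exe install requests",
     "SourceIp": "10.0.0.5", "DestinationIp": "198.51.100.7"},
    {"name": "local_jupyter", "Initiated": "true",
     "Image": r"C:\ProgramData\Anaconda3\python.exe",
     "CommandLine": r"C:\ProgramData\Anaconda3\python.exe -m notebook",
     "SourceIp": "127.0.0.1", "DestinationIp": "127.0.0.1"},
    {"name": "conda_update", "Initiated": "true",
     "Image": r"C:\ProgramData\Anaconda3\python.exe",
     "ParentImage": r"C:\ProgramData\Anaconda3\Scripts\conda.exe",
     "CommandLine": r"C:\ProgramData\Anaconda3\python.exe C:\ProgramData\Anaconda3\Scripts\conda-script.py update conda",
     "SourceIp": "10.0.0.5", "DestinationIp": "198.51.100.7"},
    # Raw Sysmon EID 3 without enrichment: no CommandLine, so filter_main_pip cannot match
    {"name": "unenriched_pip", "Initiated": "true",
     "Image": r"C:\Python311\python.exe",
     "SourceIp": "10.0.0.5", "DestinationIp": "198.51.100.7"},
    {"name": "not_python", "Initiated": "true",
     "Image": r"C:\Windows\System32\svchost.exe",
     "SourceIp": "10.0.0.5", "DestinationIp": "203.0.113.10"},
]


def alerting_events(events=SAMPLE_EVENTS):
    """Names of the sample events the rule would alert on, in input order."""
    return [ev["name"] for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['name']:<20} alert={rule_matches(ev)}")
```

Running it shows three alerts: the suspicious outbound script, the pythonw.exe connection, and the unenriched pip install, the last one being the false positive the Requirements note warns about. The pip, local Jupyter and conda cases are suppressed only because the constructed records carry CommandLine and ParentImage.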
False Positives

Legitimate Python scripts using the socket library or similar will trigger this. Note that the selection matches any image whose path contains both '\python' and '.exe', so pythonw.exe and executables installed under a directory whose name starts with "python" are also caught. Apply additional filters and perform an initial baseline before deploying.

Rule Metadata
Rule ID
bef0bc5a-b9ae-425d-85c6-7b2d705980c6
Status
test
Level
medium
Type
Detection
Created
Fri Dec 10
Modified
Wed Mar 05
Path
rules/windows/network_connection/net_connection_win_python.yml
Raw Tags
attack.discovery, attack.t1046