detection.wiki

Detection rules › Sigma

Python Initiated Connection

Severity
medium
Author
frack113
Source
upstream

Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.

MITRE ATT&CK coverage

TacticTechniques
DiscoveryT1046 Network Service Discovery

Event coverage

ProviderEvent IDTitle
Sysmon3Network connection

Stages and Predicates

Stage 1: selection

Image|contains: .exe
Image|contains: '\python'
Initiated: true

Stage 2: not 1 of filter_main_*

or:
CommandLine|contains: install
CommandLine|contains: pip.exe
DestinationIp: 127.0.0.1
SourceIp: 127.0.0.1

Stage 3: not 1 of filter_optional_*

or:
CommandLine|contains: ':\ProgramData\Anaconda3\Scripts\conda-script.py'
CommandLine|contains: update
ParentImage: 'C:\ProgramData\Anaconda3\Scripts\conda.exe'
CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
ParentImage: 'C:\ProgramData\Anaconda3\python.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • :\ProgramData\Anaconda3\Scripts\conda-script.py
  • C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py
  • install corpus 4 (sigma 4)
  • pip.exe
  • update corpus 2 (sigma 2)
DestinationIpeq
  • 127.0.0.1 corpus 2 (sigma 2)
Imagematch
  • .exe
  • \python corpus 2 (sigma 2)
Initiatedeq
  • true corpus 40 (sigma 40)
ParentImageeq
  • C:\ProgramData\Anaconda3\Scripts\conda.exe
  • C:\ProgramData\Anaconda3\python.exe
SourceIpeq
  • 127.0.0.1 corpus 5 (sigma 5)