Where am I?
SECURITM is an SGRC system that automates the processes of information security departments. SECURITM helps build and manage personal data information systems (ISPDn), critical information infrastructure (KII), state information systems (GIS), ISMS, and banking security systems.
SECURITM is also a place where security teams can exchange experience and work products.

Command and Scripting Interpreter: Python

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

ID: T1059.006
Sub-technique of: T1059
Tactic(s): Execution
Platforms: Linux, macOS, Windows
Permissions required: Administrator, root, SYSTEM
Data sources: Command: Command Execution, Process: Process Creation
Version: 1.0
Created: 09 Mar 2020
Last modified: 26 Jul 2021

Procedure Examples

Name Description
IronNetInjector

IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector.(Citation: Unit 42 IronNetInjector February 2021)

DropBook

DropBook is a Python-based backdoor compiled with PyInstaller.(Citation: Cybereason Molerats Dec 2020)

PUNCHBUGGY

PUNCHBUGGY has used python scripts.(Citation: Morphisec ShellTea June 2019)

APT37

APT37 has used Python scripts to execute payloads.(Citation: Volexity InkySquid RokRAT August 2021)

BRONZE BUTLER

BRONZE BUTLER has made use of Python-based remote access tools.(Citation: Trend Micro Tick November 2019)

Donut

Donut can generate shellcode outputs that execute via Python.(Citation: Donut Github)

SpeakUp

SpeakUp uses Python scripts.(Citation: CheckPoint SpeakUp Feb 2019)

Tonto Team

Tonto Team has used Python-based tools for execution.(Citation: TrendMicro Tonto Team October 2020)

PyDCrypt

PyDCrypt, along with its functions, is written in Python.(Citation: Checkpoint MosesStaff Nov 2021)

ZIRCONIUM

ZIRCONIUM has used Python-based implants to interact with compromised hosts.(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020)

Pysa

Pysa has used Python scripts to deploy ransomware.(Citation: CERT-FR PYSA April 2020)

KeyBoy

KeyBoy uses Python scripts for installing files and performing execution.(Citation: CitizenLab KeyBoy Nov 2016)

Rocke

Rocke has used Python-based malware to install and spread their coinminer.(Citation: Anomali Rocke March 2019)

Machete

Machete used multiple compiled Python scripts on the victim's system. Machete's main backdoor, also named Machete, is written in Python.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)

Remcos

Remcos uses Python scripts.(Citation: Riskiq Remcos Jan 2018)

TRITON

TRITON was run as trilog.exe, a Py2EXE-compiled Python script that accepts a single IP address as a flag.(Citation: FireEye TRITON 2017)

Bundlore

Bundlore has used Python scripts to execute payloads.(Citation: MacKeeper Bundlore Apr 2019)

Earth Lusca

Earth Lusca used Python scripts for port scanning or building reverse shells.(Citation: TrendMicro EarthLusca 2022)

Small Sieve

Small Sieve can use Python scripts to execute commands.(Citation: NCSC GCHQ Small Sieve Jan 2022)

Cobalt Strike

Cobalt Strike can use Python to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)

SILENTTRINITY

SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.(Citation: GitHub SILENTTRINITY March 2022)(Citation: GitHub SILENTTRINITY Modules July 2019)

Chaes

Chaes has used Python scripts for execution and the installation of additional files.(Citation: Cybereason Chaes Nov 2020)

MuddyWater

MuddyWater has used tools developed in Python, including Out1.(Citation: Trend Micro Muddy Water March 2021)

Operation Wocao

During Operation Wocao, threat actors' backdoors were written in Python and compiled with py2exe.(Citation: FoxIT Wocao December 2019)

MechaFlounder

MechaFlounder uses a Python-based payload.(Citation: Unit 42 MechaFlounder March 2019)

Turian

Turian has the ability to use Python to spawn a Unix shell.(Citation: ESET BackdoorDiplomacy Jun 2021)

Turla

Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.(Citation: Unit 42 IronNetInjector February 2021)

Dragonfly 2.0

Dragonfly 2.0 used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

APT29

APT29 has developed malware variants written in Python.(Citation: ESET Dukes October 2019)

CoinTicker

CoinTicker executes a Python script to download its second stage.(Citation: CoinTicker 2019)

Pupy

Pupy can use an add-on feature when creating payloads that allows you to create custom Python scripts ("scriptlets") to perform tasks offline (without requiring a session), such as sandbox detection, adding persistence, etc.(Citation: GitHub Pupy)

Ebury

Ebury has used Python to implement its DGA.(Citation: ESET Ebury Oct 2017)

APT39

APT39 has used a command-line utility and a network scanner written in Python.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)

Bandook

Bandook can support commands to execute Python-based payloads.(Citation: CheckPoint Bandook Nov 2020)

Machete

Machete is written in Python and is used in conjunction with additional Python scripts.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: 360 Machete Sep 2020)

PoetRAT

PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.(Citation: Talos PoetRAT April 2020)

Cobalt Strike

Cobalt Strike can use Python to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

CookieMiner

CookieMiner has used Python scripts on the user's system, as well as the Python variant of the Empire agent, EmPyre.(Citation: Unit42 CookieMiner Jan 2019)

Keydnap

Keydnap uses Python for scripting to execute additional commands.(Citation: synack 2016 review)

Operation Wocao

Operation Wocao's backdoors have been written in Python and compiled with py2exe.(Citation: FoxIT Wocao December 2019)

Dragonfly

Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.(Citation: US-CERT TA18-074A)

Kimsuky

Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.(Citation: CISA AA20-301A Kimsuky)(Citation: KISA Operation Muzabi)

Mitigations

Mitigation Description
Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Antivirus/Antimalware

Use signatures or heuristics to detect malicious software.

Limit Software Installation

Block users or groups from installing unapproved software.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Detection

Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
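As an added example (not code from the page or from SECURITM), the detection logic below applies the guidance above to process-creation events: it flags Python interpreters outside an approved install baseline, interpreters or scripts in user-writable locations, Python spawned by Office or browser processes, and inline `-c` or stdin execution that leaves no script on disk to capture. The events and all baseline paths and parent names are constructed, hypothetical values.

```python
import ntpath
import shlex

# Hypothetical per-host baseline; a real one comes from your own software inventory.
APPROVED_INTERPRETER_DIRS = ("c:\\python39\\", "c:\\program files\\python310\\")
APPROVED_SCRIPT_DIRS = ("c:\\scripts\\",)
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python3.exe", "ipy.exe"}  # ipy = IronPython
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\")

# Constructed process-creation events, shaped like a decoded EDR/Sysmon JSON export.
SAMPLE_EVENTS = [
    {"Image": "C:\\Python39\\python.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "python.exe C:\\Scripts\\backup.py"},                      # baseline job
    {"Image": "C:\\Python39\\python.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "CommandLine": "python.exe -c \"import urllib.request\""},                # Office -> inline code
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\py27\\python.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "python.exe C:\\Users\\bob\\Downloads\\run.py"},           # unapproved interpreter
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe"},                                            # not Python, ignored
]

def analyze(event: dict) -> list[str]:
    """Return the indicators raised by one process-creation event (empty = benign/not Python)."""
    image = event["Image"].lower()
    if ntpath.basename(image) not in PYTHON_IMAGES:
        return []
    findings = []
    if not image.startswith(APPROVED_INTERPRETER_DIRS):
        findings.append("interpreter outside approved install dirs")
    if any(p in image for p in USER_WRITABLE):
        findings.append("interpreter in user-writable location")
    if ntpath.basename(event["ParentImage"].lower()) in RISKY_PARENTS:
        findings.append("spawned by Office/browser process")
    # posix=False keeps Windows backslashes intact and leaves quotes on quoted tokens.
    args = shlex.split(event["CommandLine"], posix=False)[1:]
    if "-c" in args or "-" in args:
        findings.append("inline code or stdin: no script on disk to capture")
    for a in args:
        script = a.lower().strip('"')
        if script.endswith((".py", ".pyw", ".pyc")) and not script.startswith(APPROVED_SCRIPT_DIRS):
            findings.append(f"script outside baseline: {script}")
    return findings

def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that raised at least one indicator."""
    return {i: f for i, e in enumerate(events) if (f := analyze(e))}

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], hits)
```

Tune the baseline tuples to the host's real inventory before using the output for alerting; the false-positive rate depends entirely on how complete that baseline is.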

References

  1. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
  2. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  3. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  4. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  5. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  6. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  7. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  8. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  9. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  10. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  11. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  12. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  13. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  14. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
  15. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  16. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  17. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  18. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  19. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
  20. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.
  21. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  22. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  23. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  24. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  25. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  26. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  27. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  28. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  29. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  30. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  31. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  32. Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.
  33. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
  34. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  35. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  36. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  37. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  38. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  39. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
  40. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  41. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  42. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  43. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  44. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
  45. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  46. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  47. Salvati, M. (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.
  48. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  49. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.

Related risks

Nothing found

Catalogs
