detection-rules
Loading

Suspicious Outbound Python Network Connection

Detects the execution of Python followed by an outbound network connection to a raw IP address on a non-standard port. Many Python initial access scripts and malware implants connect directly to C2 or payload servers using non-standard ports.

Rule type: eql
Rule indices:

  • logs-endpoint.events.process-*
  • logs-endpoint.events.network-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:

Tags:

  • Domain: Endpoint
  • OS: macOS
  • Use Case: Threat Detection
  • Tactic: Command and Control
  • Tactic: Execution
  • Data Source: Elastic Defend

Version: ?
Rule authors:

  • Elastic

Rule license: Elastic License v2

sequence by process.entity_id with maxspan=1m
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
    process.name like~ "Python*" and process.args_count == 2]
  [network where host.os.type == "macos" and event.type == "start" and
    process.name like~ "Python*" and destination.domain == null and
    not destination.port in (443, 80, 53, 22, 8080, 8089, 8200, 9200) and
    destination.port < 49152 and
    not cidrmatch(destination.ip, "240.0.0.0/4", "233.252.0.0/24", "224.0.0.0/4", "198.19.0.0/16",
                  "192.18.0.0/15", "192.0.0.0/24", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                  "172.16.0.0/12", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
                  "192.168.0.0/16", "192.88.99.0/24", "100.64.0.0/10", "192.175.48.0/24",
                  "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "::1", "FE80::/10", "FF00::/8")]

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK