Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)
Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1059.006 | Python | This diagnostic statement provides for implementing methods to block similar future attacks via security tools such as antivirus and IDS/IPS, which protect against threats and exploitation attempts. |
PR.IR-01.08 | End-user device access | Mitigates | T1059.006 | Python | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1059.006 | Python | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.08 | End-user device protection | Mitigates | T1059.006 | Python | This diagnostic statement protects endpoints from abuse of commands and scripts through configuration requirements, connection requirements, and other mechanisms that protect network, application, and data integrity. |
PR.PS-05.01 | Malware prevention | Mitigates | T1059.006 | Python | Antivirus/antimalware software can be used to detect and quarantine files that embed malicious commands or scripts. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1059.006 | Python | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-01.08 | End-user device protection | Mitigates | T1059.006 | Python | This diagnostic statement protects against Python abuse by limiting access to resources to authorized devices only, managing personal computing devices, using network intrusion prevention, and using antimalware. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1059.006 | Python | |
CM-05 | Access Restrictions for Change | mitigates | T1059.006 | Python | |
AC-17 | Remote Access | mitigates | T1059.006 | Python | |
CM-11 | User-installed Software | mitigates | T1059.006 | Python | |
SI-16 | Memory Protection | mitigates | T1059.006 | Python | |
SI-02 | Flaw Remediation | mitigates | T1059.006 | Python | |
SI-10 | Information Input Validation | mitigates | T1059.006 | Python | |
SI-03 | Malicious Code Protection | mitigates | T1059.006 | Python | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1059.006 | Python | |
CM-02 | Baseline Configuration | mitigates | T1059.006 | Python | |
SI-04 | System Monitoring | mitigates | T1059.006 | Python | |
AC-02 | Account Management | mitigates | T1059.006 | Python | |
AC-03 | Access Enforcement | mitigates | T1059.006 | Python | |
AC-06 | Least Privilege | mitigates | T1059.006 | Python | |
CM-03 | Configuration Change Control | mitigates | T1059.006 | Python | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.006 | Python | |