Adversaries may use Python, an interpreter that historically shipped with macOS, to run malicious scripts and establish persistence without dropping a compiled binary. EmPyre-style stagers are typically launched as a `python -c` one-liner that base64-decodes and `exec()`s its payload, which is why the query below looks for a Python interpreter started underneath Microsoft Word or Excel with a long run of alphanumeric characters on its command line. One caveat for current fleets: Apple removed the bundled Python 2.7 in macOS 12.3, so on up-to-date systems a `python` or `python3` process comes from the Xcode Command Line Tools or a third-party install, which makes Office-spawned Python even less expected and still worth hunting for. SOC teams should proactively hunt for this behaviour to detect and contain Python-based attacks that abuse the native interpreter.
KQL Query

```kql
DeviceProcessEvents
| where InitiatingProcessParentFileName in ("Microsoft Word", "Microsoft Excel")
| where FileName =~ "Python"
| where ProcessCommandLine matches regex "[A-Za-z0-9]{50}"
```

Two schema details matter when tuning this. `InitiatingProcessParentFileName` is the grandparent of the created process, so the query matches the chain Word/Excel → shell → Python; an interpreter that Office spawns directly is only visible through `InitiatingProcessFileName`. And `=~` is a case-insensitive exact match, so `FileName =~ "Python"` covers `Python` and `python` but not `python3` or `python2.7`; widen it with `FileName matches regex @"(?i)^python(\d+(\.\d+)?)?$"` if you want those images too. The `in (...)` operator is case-sensitive, which is fine here because macOS app bundles name their executables exactly "Microsoft Word" and "Microsoft Excel".
```yaml
id: 5a227ae6-1f40-499a-a4cc-6f6a0cc4d286
name: python-based-attacks-on-macos
description: |
  This query was originally published in the threat analytics report, Python abuse on macOS.
  The Python programming language comes bundled with macOS. In threat intelligence gathered from macOS endpoints, we have observed numerous attacks run with EmPyre, a Python-based post-exploitation framework similar to PowerShell Empire for Windows.
  The following query checks for Microsoft Office documents that run Python scripts.
  Reference - https://www.powershellempire.com/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  DeviceProcessEvents
  | where InitiatingProcessParentFileName in ("Microsoft Word", "Microsoft Excel")
  | where FileName =~ "Python"
  | where ProcessCommandLine matches regex "[A-Za-z0-9]{50}"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and that macOS endpoints are onboarded, otherwise the table has no macOS rows to match |
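To see exactly what the three predicates match and miss, here is an added Python re-implementation of the query's logic run over a handful of constructed DeviceProcessEvents rows. This is example code written for this page, not the rule's own code: the column subset, device names and command lines are constructed, `BLOB` is 62 plain alphanumerics standing in for a base64-encoded launcher rather than a real stager, and `widened_rule` is an assumed variant (Office as parent or grandparent, any `python`/`pythonN[.M]` image) rather than the published rule.

```python
"""Mirror the page's KQL predicates over constructed DeviceProcessEvents rows."""
import re
import string
from dataclasses import dataclass

# The published rule's three predicates, as written in the KQL above.
OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel"}  # KQL `in (...)` is case-sensitive
LONG_ALNUM_RUN = re.compile(r"[A-Za-z0-9]{50}")          # same pattern as `matches regex`

# Assumed widening, not the published rule: python, python3, python2.7, Python ...
PYTHON_IMAGE = re.compile(r"(?i)^python(\d+(\.\d+)?)?$")


@dataclass
class ProcessEvent:
    """Subset of DeviceProcessEvents columns the query reads (names assumed)."""
    device: str
    file_name: str                    # FileName
    command_line: str                 # ProcessCommandLine
    initiating_file_name: str         # InitiatingProcessFileName  (parent)
    initiating_parent_file_name: str  # InitiatingProcessParentFileName (grandparent)


def published_rule(ev: ProcessEvent) -> bool:
    """Grandparent is Word/Excel, image is exactly 'python' (case-insensitive),
    and the command line carries a 50-character run of [A-Za-z0-9]."""
    return (
        ev.initiating_parent_file_name in OFFICE_PARENTS
        and ev.file_name.lower() == "python"  # `=~` is exact, not prefix: python3 misses
        and LONG_ALNUM_RUN.search(ev.command_line) is not None
    )


def widened_rule(ev: ProcessEvent) -> bool:
    """Assumed variant: Office anywhere in the two-level ancestry, any python image."""
    office_in_chain = (
        ev.initiating_file_name in OFFICE_PARENTS
        or ev.initiating_parent_file_name in OFFICE_PARENTS
    )
    return (
        office_in_chain
        and PYTHON_IMAGE.match(ev.file_name) is not None
        and LONG_ALNUM_RUN.search(ev.command_line) is not None
    )


def hunt(events, rule=published_rule):
    """Return the device names whose events the given rule flags."""
    return [ev.device for ev in events if rule(ev)]


# Constructed samples. BLOB is 62 alphanumerics standing in for a base64 payload.
BLOB = string.ascii_letters + string.digits
LAUNCHER = 'python -c "import sys,base64;exec(base64.b64decode(%r))"' % BLOB

SAMPLE_EVENTS = [
    # Word -> sh -> Python with an encoded launcher: the shape the rule was written for.
    ProcessEvent("mac-01", "Python", LAUNCHER, "sh", "Microsoft Word"),
    # Excel -> python3 directly: same behaviour, but misses the published rule on
    # both the image name and the parent depth.
    ProcessEvent("mac-02", "python3", LAUNCHER, "Microsoft Excel", "launchd"),
    # Terminal -> zsh -> python maintenance script: benign, no Office ancestor, no long run.
    ProcessEvent("mac-03", "python",
                 "python /usr/local/bin/logrotate_cleanup.py --days 30", "zsh", "Terminal"),
    # Word -> sh -> Python with a short one-liner: Office ancestor but no 50-char run.
    ProcessEvent("mac-04", "Python", "python -c \"print('hi')\"", "sh", "Microsoft Word"),
]

if __name__ == "__main__":
    print("published rule:", hunt(SAMPLE_EVENTS))               # ['mac-01']
    print("widened rule:  ", hunt(SAMPLE_EVENTS, widened_rule))  # ['mac-01', 'mac-02']
```

The mac-02 row is the one to think about: the behaviour is identical to mac-01, but the published predicates never see it because the interpreter was spawned one level higher and under a different image name. Decide deliberately whether to accept that gap or widen the query as the variant does.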
The benign scenarios below are written as extra `| where` clauses to append to the query above; in DeviceProcessEvents the process image is `FileName` and its arguments are `ProcessCommandLine`, and `has_any` matches whole terms rather than substrings (so "pip" does not match "pipeline"). Apply them narrowly: an interpreter launched underneath Word or Excel is unusual no matter what its arguments say, and every keyword in a command line is attacker-controlled, so scope an exclusion to the device or account that legitimately produces it rather than suppressing the keyword fleet-wide.

Scenario: System Maintenance Script Using Python
Description: A system administrator uses a Python script to automate routine maintenance tasks, such as log rotation or disk cleanup.
Filter/Exclusion: `| where not(ProcessCommandLine has_any ("maintenance", "logrotate"))`

Scenario: Scheduled Job for Software Updates
Description: A legitimate scheduled job runs a Python script to check for and install software updates on macOS systems.
Filter/Exclusion: `| where not(ProcessCommandLine has_any ("update", "pkg", "softwareupdate"))`

Scenario: Python-Based DevOps Pipeline Task
Description: A DevOps engineer uses Python to run CI/CD pipeline tasks, such as deploying code or running tests, on macOS build servers.
Filter/Exclusion: `| where not(ProcessCommandLine has_any ("ci", "deploy", "test"))`

Scenario: Python Script for System Monitoring
Description: A monitoring tool written in Python is used to collect system metrics (CPU, memory, disk usage) on macOS endpoints.
Filter/Exclusion: `| where not(ProcessCommandLine has_any ("monitor", "stats", "collect"))`

Scenario: Python Tool for Package Management
Description: A Python-based tool such as pip (normally invoked as `python -m pip`) or easy_install is used to manage Python packages on macOS development machines.
Filter/Exclusion: `| where not(ProcessCommandLine has_any ("pip", "install", "upgrade"))`