← Back to SOC feed Coverage →

Python Spawning Pretty TTY on Windows

sigma HIGH SigmaHQ
T1059
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-17T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects python spawning a pretty tty

Detection Rule

Sigma (Original)

title: Python Spawning Pretty TTY on Windows
id: 480e7e51-e797-47e3-8d72-ebfce65b6d8d
related:
    - id: 899133d5-4d7c-4a7f-94ee-27355c879d90
      type: derived
status: test
description: Detects python spawning a pretty tty
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - 'python.exe' # no \ bc of e.g. ipython.exe
            - 'python3.exe'
            - 'python2.exe'
    selection_cli_1:
        CommandLine|contains|all:
            - 'import pty'
            - '.spawn('
    selection_cli_2:
        CommandLine|contains: 'from pty import spawn'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessName endswith "python.exe" or TargetProcessName endswith "python3.exe" or TargetProcessName endswith "python2.exe") and ((TargetProcessCommandLine contains "import pty" and TargetProcessCommandLine contains ".spawn(") or TargetProcessCommandLine contains "from pty import spawn")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml