Adversaries may use Python scripts to execute ransomware payloads on macOS, relying on the interpreter's common presence on the platform to blend in with legitimate activity rather than on any novel evasion. SOC teams can hunt for this behavior in Azure Sentinel (via the Microsoft 365 Defender connector) to spot emerging macOS ransomware before it encrypts critical data. One caveat before running the query below: only DeviceProcessEvents exposes a ProcessCommandLine column. DeviceFileEvents carries InitiatingProcessCommandLine instead, so the DeviceFileEvents half of the union never satisfies the filter and the results come entirely from process creation telemetry.
KQL Query
union DeviceFileEvents, DeviceProcessEvents
| where Timestamp >= ago(7d)
| where ProcessCommandLine contains "EIKKEIKK" and ProcessCommandLine contains "python"
id: 8d52dce6-6143-44e9-8ff5-a62f2df742b2
name: python-use-by-ransomware-macos
description: |
  This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware.
  As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform.
  The query below can help locate an attempt to run Python in service of malicious activity by a remote operator. The command the query searches for is associated with, but not definitively indicative of, EvilQuest infections.
  Other queries related to EvilQuest ransomware can be found under the See also section below.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
      - DeviceProcessEvents
tactics:
  - Execution
  - Command and control
query: |
  union DeviceFileEvents, DeviceProcessEvents
  | where Timestamp >= ago(7d)
  | where ProcessCommandLine contains "EIKKEIKK" and ProcessCommandLine contains "python"
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Streamed by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure the data type is enabled |
| DeviceProcessEvents | Streamed by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure the data type is enabled. This is the table that actually produces matches, since it is the only one with a ProcessCommandLine column |
False-positive scenarios. Note that the published query requires the literal string EIKKEIKK alongside python, so none of the benign activity below will trigger it as written; these scenarios matter when the marker condition is relaxed to hunt for Python execution more broadly, and the exclusions should be applied only in that broader form.
Scenario: System Integrity Protection (SIP) Administration
Description: Administrators may run csrutil (in practice csrutil status, since csrutil disable only takes effect when run from recoveryOS and so rarely appears in booted-OS process telemetry) or sudo-elevated maintenance commands such as sudo softwareupdate --install, which a broad privileged-execution or Python rule could surface.
Filter/Exclusion: Exclude command lines that match a known administrative allowlist (e.g., csrutil status, sudo softwareupdate --install). Do not exclude on sudo alone; it appears in legitimate and malicious command lines alike.
Scenario: Scheduled System Maintenance Job
Description: A job launched by launchd (via a LaunchAgent or LaunchDaemon plist) or by cron may execute Python scripts for maintenance such as log rotation or backup, which a broadened rule could flag.
Filter/Exclusion: Filter on the parent rather than the child's command line, since a script started by launchd or cron rarely contains either word in its own ProcessCommandLine: exclude rows whose InitiatingProcessFileName is launchd or cron, or allowlist known maintenance script locations (e.g., /etc/periodic/daily/; /etc/cron.daily/ is a Linux convention and does not exist on a default macOS install). Be aware that launchd-spawned jobs are also how malware persists, so pair the parent-based exclusion with a script path allowlist.
Scenario: Python-based DevOps Tooling
Description: Ansible is itself written in Python, and CI agents such as Jenkins routinely invoke Python scripts for infrastructure automation. Terraform is a Go binary and does not run Python on its own, but its local-exec provisioners can. Any of these could be flagged by a broad Python-execution rule.
Filter/Exclusion: Exclude command lines that reference ansible, ansible-playbook, or the Jenkins agent, or allowlist known DevOps directories (e.g., /opt/ansible/ or the Jenkins workspace path used on the host). Prefer the directory allowlist over a bare substring, since a substring such as "ansible" is trivial for an attacker to place in a command line.
Scenario: macOS System Diagnostics or Repair Script
Description: fsck, diskutil, and launchctl are native binaries and do not run Python themselves, but diagnostic or repair wrappers scripted in Python commonly call them for disk repair or service management, and such a script could be mistaken for ransomware under a broad rule.
Filter/Exclusion: Allowlist the known wrapper script path rather than the tool name. Excluding on launchctl in particular is unsafe, because launchctl load of a malicious LaunchAgent is a standard persistence step and the exclusion would hide it.
Scenario: Python-based Security Tool or Scan
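The following is an added example, not Microsoft's query and not code from this page: a small Python emulation of the hunt that runs offline over constructed records shaped like DeviceProcessEvents and DeviceFileEvents rows (not real telemetry). It mirrors the KQL semantics that matter here, namely the 7-day lookback, the case-insensitive `contains` on both substrings, and the fact that DeviceFileEvents rows have no ProcessCommandLine and so never match. It also goes one step beyond the page by letting you drop the EIKKEIKK marker to see how many benign Python executions a broadened rule surfaces and how the scenario allowlist (an assumption for this example, not a list the page ships) prunes them.

```python
"""Offline emulation of the python-use-by-ransomware-macos hunt.

Added example, not Microsoft's query or any code from this page. The rows
below are constructed to look like DeviceProcessEvents / DeviceFileEvents
records; they are not real telemetry. The filter mirrors the published KQL:
both substrings must appear in ProcessCommandLine, compared case-insensitively
because KQL `contains` is case-insensitive, and only the last 7 days count.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample is reproducible (assumption for the example).
NOW = datetime(2020, 10, 15, 12, 0, tzinfo=timezone.utc)
LOOKBACK = timedelta(days=7)          # ago(7d)
MARKER = "EIKKEIKK"                   # literal the published query pivots on
INTERPRETER = "python"

# Illustrative allowlist derived from the false-positive scenarios; it is an
# assumption for this example, not a list the page or Microsoft ships.
BENIGN_SUBSTRINGS = (
    "/etc/periodic/",      # scheduled maintenance scripts
    "/opt/ansible/",       # DevOps tooling
    "/var/lib/jenkins/",
)


def _age(**kw) -> datetime:
    """Timestamp some interval before NOW."""
    return NOW - timedelta(**kw)


# Constructed sample rows. The DeviceFileEvents row carries only
# InitiatingProcessCommandLine, mirroring the advanced hunting schema, so it
# can never satisfy a filter on ProcessCommandLine.
SAMPLE_EVENTS = [
    {"Id": 1, "Table": "DeviceProcessEvents", "Timestamp": _age(hours=2),
     "ProcessCommandLine": "/usr/bin/python /tmp/EIKKEIKK/run.py"},
    {"Id": 2, "Table": "DeviceProcessEvents", "Timestamp": _age(days=9),
     "ProcessCommandLine": "python3 /tmp/EIKKEIKK/run.py"},            # outside ago(7d)
    {"Id": 3, "Table": "DeviceProcessEvents", "Timestamp": _age(days=1),
     "ProcessCommandLine": "/usr/bin/python3 /etc/periodic/daily/rotate_logs.py"},
    {"Id": 4, "Table": "DeviceProcessEvents", "Timestamp": _age(hours=3),
     "ProcessCommandLine": "/usr/bin/python3 /opt/ansible/bin/ansible-playbook site.yml"},
    {"Id": 5, "Table": "DeviceFileEvents", "Timestamp": _age(hours=1),
     "FileName": "notes.txt",
     "InitiatingProcessCommandLine": "/usr/bin/python /tmp/EIKKEIKK/run.py"},
    {"Id": 6, "Table": "DeviceProcessEvents", "Timestamp": _age(hours=5),
     "ProcessCommandLine": "/usr/local/bin/Python3 /Users/alice/eikkeikk.py"},  # mixed case
]


def contains_ci(haystack: str | None, needle: str) -> bool:
    """KQL `contains` semantics: case-insensitive substring; a null column never matches."""
    return haystack is not None and needle.lower() in haystack.lower()


def hunt(events, *, now: datetime = NOW, require_marker: bool = True,
         allowlist: tuple[str, ...] = ()) -> list[int]:
    """Return the Ids of rows the hunt would surface, in input order.

    require_marker=False relaxes the EIKKEIKK condition to "any Python
    execution", which is when the scenario allowlist starts to matter.
    """
    hits: list[int] = []
    for ev in events:
        if ev["Timestamp"] < now - LOOKBACK:                # Timestamp >= ago(7d)
            continue
        cmd = ev.get("ProcessCommandLine")                  # absent on DeviceFileEvents rows
        if not contains_ci(cmd, INTERPRETER):
            continue
        if require_marker and not contains_ci(cmd, MARKER):
            continue
        if any(contains_ci(cmd, benign) for benign in allowlist):
            continue
        hits.append(ev["Id"])
    return hits


if __name__ == "__main__":
    print("published query      :", hunt(SAMPLE_EVENTS))
    print("any python, untuned  :", hunt(SAMPLE_EVENTS, require_marker=False))
    print("any python, allowlist:", hunt(SAMPLE_EVENTS, require_marker=False,
                                           allowlist=BENIGN_SUBSTRINGS))
```

Running it shows the published form surfacing only rows 1 and 6 (the mixed-case row matches because `contains` ignores case), the relaxed form pulling in the maintenance and Ansible executions, and the allowlist removing exactly those two again. Row 5 never appears in any mode, which is the DeviceFileEvents caveat in miniature.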