
Identifying Malicious Python Backdoors

Description:   Watches for known backdoored Python packages installed on the system. The package names come from the SK-CSIRT advisory (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html), which describes typosquatted PyPI uploads carrying malicious code.

What The Data Shows:  Known Back-doored Python Packages

SQL:  

-- Outer query turns the match count into a verdict; string literals use single quotes
-- so SQLite never tries to resolve them as column names.
select
  case cnt
    when 0 then 'NONE_INSTALLED'
    else 'INSTALLED'
  end as "Malicious Python Packages",
  package_name,
  package_version
from (
  -- count() without GROUP BY always yields exactly one row: cnt = 0 with NULL
  -- name/version, or cnt >= 1 with the name/version of one matching package.
  select
    count(name) as cnt,
    name as package_name,
    version as package_version,
    path as package_path
  from python_packages
  -- filter on the real column (name), not on the alias defined in this same select
  where name in ('acqusition', 'apidev-coop', 'bzip', 'crypt', 'django-server',
                 'pwd', 'setup-tools', 'telnet', 'urlib3', 'urllib')
);
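The SQL `in` list above is an exact, case-sensitive string comparison, while PyPI treats package names case-insensitively and considers `-`, `_` and `.` interchangeable (PEP 503), so a distribution recorded as `Setup_Tools` would slip past the query. The script below is an added example, not part of the original Carbon Black query or the Alibaba Cloud post it credits. It applies the same known-bad list to rows shaped like `python_packages` output (the sample rows are constructed), after normalizing the names, and can also scan the interpreter's own installed distributions.

```python
"""Flag installed Python packages whose names match a known-bad list.

Added example (not the page's own query). Mirrors the osquery python_packages
lookup but normalizes names as PyPI does (PEP 503), so 'Setup_Tools' and
'setup-tools' compare equal. SAMPLE_ROWS below are constructed test data.
"""
import re
from importlib import metadata
from typing import Dict, Iterable, List

# Package names from the SK-CSIRT advisory referenced on the page.
KNOWN_BAD = {
    "acqusition", "apidev-coop", "bzip", "crypt", "django-server",
    "pwd", "setup-tools", "telnet", "urlib3", "urllib",
}


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


KNOWN_BAD_NORMALIZED = {normalize(n) for n in KNOWN_BAD}


def find_bad_packages(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the rows (dicts with name/version/path, like python_packages rows)
    whose normalized name is on the known-bad list."""
    return [row for row in rows if normalize(row["name"]) in KNOWN_BAD_NORMALIZED]


def status(rows: Iterable[Dict[str, str]]) -> str:
    """Same single-value verdict the SQL CASE expression produces."""
    return "INSTALLED" if find_bad_packages(rows) else "NONE_INSTALLED"


def scan_current_environment() -> List[Dict[str, str]]:
    """Live check: build python_packages-style rows from the running interpreter's
    installed distributions and filter them against the list."""
    rows = []
    for dist in metadata.distributions():
        try:
            rows.append({
                "name": dist.metadata["Name"],
                "version": dist.version,
                "path": str(dist.locate_file("")),
            })
        except (KeyError, TypeError):
            # Skip distributions with broken or missing metadata rather than abort the scan.
            continue
    return find_bad_packages(rows)


# Constructed sample rows standing in for python_packages output.
# 'urllib3' is the legitimate package and must NOT match; 'urlib3' is the typosquat.
SAMPLE_ROWS = [
    {"name": "requests", "version": "2.31.0", "path": "/usr/lib/python3/dist-packages"},
    {"name": "urlib3", "version": "1.21.1", "path": "/home/user/.local/lib/python3.10/site-packages"},
    {"name": "Setup_Tools", "version": "36.0.1", "path": "/usr/local/lib/python3.10/site-packages"},
    {"name": "urllib3", "version": "2.0.4", "path": "/usr/lib/python3/dist-packages"},
]

if __name__ == "__main__":
    print(status(SAMPLE_ROWS))
    for hit in find_bad_packages(SAMPLE_ROWS):
        print(f"  {hit['name']} {hit['version']} ({hit['path']})")
    for hit in scan_current_environment():
        print(f"live environment: {hit['name']} {hit['version']} ({hit['path']})")
```

Run on the sample rows it reports `INSTALLED` with two hits, `urlib3` and `Setup_Tools`; the exact-match SQL would have found only `urlib3`. The normalized comparison also keeps the legitimate `urllib3` out of the results, which matters because the list deliberately contains its near-namesake.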
Credit: https://www.alibabacloud.com/blog/server-endpoint-security-with-osquery_594950
