| ID | Technique | Tactic |
|---|---|---|
| T1059 | Command and Scripting Interpreter | Execution |
Detection: Cisco NVM - Installation of Typosquatted Python Package
Description
This analytic detects suspicious python package installations where the package name resembles popular Python libraries but may be typosquatted or slightly altered.
Typosquatting is a common technique used by attackers to trick users into installing malicious packages that mimic legitimate ones.
This detection leverages Cisco NVM flow telemetry and checks for pip or poetry package managers with the "install" or "add" flags, making outbound connections to package repository such as pypi.org with known or suspected typo package names.
Search
1`cisco_network_visibility_module_flowdata`
2dest_hostname IN ("*.pythonhosted.org", "*pypi.org", "*python-poetry.org")
3(
4 (process_arguments = "*pip*" process_arguments = "*install*")
5 OR
6 (process_arguments = "*poetry*" process_arguments = "*add*")
7)
8
9| rex field=process_arguments "(?i)(?:pip
10|poetry)[^
11|]*?\s+(?:install
12|add)\s+(?P<package_name>[^\s\"']+)$"
13
14| lookup typo_squatted_python_packages
15 typosquatted_package_name as package_name
16 OUTPUTNEW comment package_official_url
17
18| where isnotnull(comment)
19
20| stats count min(_time) as firstTime max(_time) as lastTime
21 values(parent_process_arguments) as parent_process_arguments
22 values(process_arguments) as process_arguments
23 values(parent_process_hash) as parent_process_hash
24 values(process_hash) as process_hash
25 values(module_name_list) as module_name_list
26 values(module_hash_list) as module_hash_list
27 values(dest_port) as dest_port
28 values(aliul) as additional_logged_in_users_list
29 values(dest_hostname) as dest_hostname
30 by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport package_name comment package_official_url
31
32| `security_content_ctime(firstTime)`
33
34| `security_content_ctime(lastTime)`
35
36| table firstTime lastTime src dest_hostname dest dest_port transport package_name comment package_official_url
37 parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
38 process_integrity_level process_path process_name process_arguments process_hash process_id
39 additional_logged_in_users_list module_name_list module_hash_list
40
41| `cisco_nvm___installation_of_typosquatted_python_package_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Network Visibility Module Flow Data |  Network |
'cisco:nvm:flowdata' |
'not_applicable' |
Macros Used
| Name | Value |
|---|---|
| cisco_network_visibility_module_flowdata | sourcetype="cisco:nvm:flowdata" |
| cisco_nvm___installation_of_typosquatted_python_package_filter | search * |
cisco_nvm___installation_of_typosquatted_python_package_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Installation
DE.CM
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
This search requires Network Visibility Module logs, which includes the flow data sourcetype.
This search uses an input macro named cisco_network_visibility_module_flowdata.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Network Visibility Module logs.
Replace the macro definition with configurations for your Splunk environment.
The search also uses a post-filter macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).
In addition to this, the search make use of the lookup "typo_squatted_python_packages". Which needs to be configured and tuned.
Known False Positives
False positives should be very minimal to non existent, as the names of the packages in the lookup are all extracted from previously malicious packages.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Host $src$ used pip or poetry to install a likely typosquatted python package $package_name$ from $dest_hostname$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| src | system | 60 | process_name |
References
-
https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/
-
https://blog.checkpoint.com/securing-the-cloud/pypi-inundated-by-malicious-typosquatting-campaign/
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
| Integration | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1