Find sigma rule 
Attack: Command and Scripting Interpreter: Python
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)
Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
MITRE
Tactic
- execution
technique
- T1059.006
Test : Execute shell script via python’s command mode arguement
OS
- linux
Description:
Download and execute shell script and write to file then execute locally using Python -c (command mode)
Executor
sh