POLICY-OTHER PyYAML Python object serialization attempt
This rule detects the attempted download of a YAML file that contains a serialized Python object by looking for the syntax used to create a new Python object. It was written because PyYAML's object deserialization can run arbitrary code when untrusted YAML files are loaded without a safe YAML load method.
What To Look For
This rule detects the attempted download of a YAML file that contains a serialized Python object.
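A host-side counterpart to the check described above, added here as an example and not taken from the rule or from Talos: a standard-library Python scan that reports where a YAML document uses PyYAML's Python object tags, so a file can be rejected before any loader sees it. The tag names are PyYAML's; the sample documents and the names `find_python_tags` and `should_block` are constructed for illustration.

```python
import re

# PyYAML tags that construct Python objects, in shorthand (!!python/...)
# and verbatim (!<tag:yaml.org,2002:python/...>) spelling.
PY_TAG = re.compile(
    r"(?:!!|!<tag:yaml\.org,2002:)python/"
    r"(object/apply|object/new|object|name|module)\b:?([\w.]*)"
)
# A YAML comment starts at '#' when it opens the line or follows whitespace.
COMMENT = re.compile(r"(?:^|\s)#.*$")

def find_python_tags(text):
    """Return (line_no, tag_kind, target) for each Python object tag found."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        code = COMMENT.sub("", line)  # ignore tags that only appear in comments
        for m in PY_TAG.finditer(code):
            hits.append((line_no, m.group(1), m.group(2)))
    return hits

def should_block(text):
    """Policy decision: refuse any document carrying a Python object tag."""
    return bool(find_python_tags(text))

# Constructed sample: plain data, the tag is mentioned only in a comment.
BENIGN = """\
# deploy settings; mentions !!python/object only in this comment
service: web
replicas: 3
"""

# Constructed sample: asks the loader to build Python objects (hypothetical names).
SUSPECT = """\
owner: !!python/object:app.models.User
  name: alice
loader: !<tag:yaml.org,2002:python/name:app.hooks.on_load>
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "block" if should_block(doc) else "allow", find_python_tags(doc))
```

The scan is textual, so a tag quoted inside a string value is also reported; loading with `yaml.safe_load` remains the control that stops object construction.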
No public information
No known false positives
Cisco Talos Intelligence Group