Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Python Image Load By Non-Python Process

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Python Image Load By Non-Python Process

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Python Image Load By Non-Python Process
id: cbb56d62-4060-40f7-9466-d8aaf3123f83
status: test
description: |
    Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code.
    Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.
    Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.
references:
    - https://www.py2exe.org/
    - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
author: Patrick St. John, OTR (Open Threat Research)
date: 2020-05-03
modified: 2025-08-18
tags:
    - attack.defense-evasion
    - attack.t1027.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Description: 'Python Core'
    filter_main_generic:
        - Image|contains: 'Python'  # FPs with python38.dll, python.exe etc.
        - Image|startswith:
              - 'C:\Program Files\'
              - 'C:\Program Files (x86)\'
              - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
    filter_optional_null_image:
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate Py2Exe Binaries
    - Known false positive caused with Python Anaconda
    - Various legitimate software is bundled from Python code into executables
level: low

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/image_load/image_load_susp_python_image_load.yml