Python Image Load By Non-Python Process
Detects the image load of "Python Core" by a non-Python process. This may indicate execution of an executable that has been bundled from Python code. Tools such as Py2Exe, PyInstaller, and cx_Freeze bundle Python code into standalone executables, and threat actors often use them to package malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security controls.
Author: Patrick St. John, OTR (Open Threat Research)
Created: Sun May 03
Updated: Mon Aug 18
Log Source
Product: windows (Windows)
Category: image_load (Image Load (DLL))
Detection Logic (3 selectors)
detection:
    selection:
        Description: 'Python Core'
    filter_main_generic:
        - Image|contains: 'Python' # FPs with python38.dll, python.exe etc.
        - Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
    filter_optional_null_image:
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Legitimate Py2Exe Binaries
Known false positive caused with Python Anaconda
Various legitimate software is bundled from Python code into executables
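The detection logic and false-positive filters above, evaluated over constructed Sysmon Event ID 7 (ImageLoad) records. This is an added example, not code from the Sigma project or the rule author; the event records, the vendor paths and the file names are made up for illustration, and the matching follows Sigma's default case-insensitive string comparison. Besides the positive case (a bundle unpacked under a temp directory), it includes a record whose loading process is simply named with "python" in its path, which the generic filter silently excludes; that is the trade-off the rule's "FPs with python38.dll, python.exe" comment accepts, and it is worth knowing when tuning.

```python
"""Evaluate the 'Python Image Load By Non-Python Process' Sigma logic over
Sysmon Event ID 7 (ImageLoad) records. Added example, not Sigma project code."""

# Constructed Sysmon Event ID 7 records (only the fields the rule uses, plus
# ImageLoaded for context). None of these come from real telemetry.
SAMPLE_EVENTS = [
    {   # python.exe loading its own runtime: excluded by Image|contains 'Python'
        "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python311\\python.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python311\\python311.dll",
        "Description": "Python Core",
    },
    {   # Vendor software under Program Files (hypothetical vendor): excluded by path prefix
        "Image": "C:\\Program Files\\ExampleVendor\\app.exe",
        "ImageLoaded": "C:\\Program Files\\ExampleVendor\\python3.dll",
        "Description": "Python Core",
    },
    {   # Anaconda: excluded by the ProgramData\Anaconda3 prefix
        "Image": "C:\\ProgramData\\Anaconda3\\Scripts\\conda.exe",
        "ImageLoaded": "C:\\ProgramData\\Anaconda3\\python311.dll",
        "Description": "Python Core",
    },
    {   # PyInstaller-style bundle unpacked into a temp _MEI directory: should alert
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\_MEI4711\\python311.dll",
        "Description": "Python Core",
    },
    {   # Unrelated image load: selection does not match
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll",
        "Description": "NT Layer DLL",
    },
    {   # Record with no Image field: dropped by filter_optional_null_image
        "ImageLoaded": "C:\\Users\\bob\\Downloads\\python39.dll",
        "Description": "Python Core",
    },
    {   # Bundle renamed to contain 'python': silently excluded by the generic filter
        "Image": "C:\\Users\\alice\\Downloads\\python_updater.exe",
        "ImageLoaded": "C:\\Users\\alice\\Downloads\\python311.dll",
        "Description": "Python Core",
    },
]

# Sigma string matching is case-insensitive by default, so every comparison
# below lower-cases both sides.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\programdata\\anaconda3\\",  # remove if Anaconda is not used in your environment
)


def selection(ev):
    """selection: Description equals 'Python Core'."""
    return (ev.get("Description") or "").lower() == "python core"


def filter_main_generic(ev):
    """filter_main_generic: Image contains 'Python' OR Image starts with a trusted prefix."""
    image = (ev.get("Image") or "").lower()
    return "python" in image or image.startswith(TRUSTED_PREFIXES)


def filter_optional_null_image(ev):
    """filter_optional_null_image: Image is null/absent."""
    return ev.get("Image") is None


def matches(ev):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*."""
    return selection(ev) and not filter_main_generic(ev) and not filter_optional_null_image(ev)


def run_rule(events):
    """Return the Image paths of the records that would raise this detection."""
    return [ev["Image"] for ev in events if matches(ev)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT: Python Core loaded by non-Python process:", hit)
```

Only the temp-directory bundle survives all three selectors. The renamed `python_updater.exe` shows why `Image|contains: 'Python'` is a blunt exclusion: if that is a concern in your environment, narrow it to the interpreter's known install paths and accept the extra tuning work.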
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Sub-techniques: T1027.002 Obfuscated Files or Information: Software Packing (attack.t1027.002)
Rule Metadata
Rule ID
cbb56d62-4060-40f7-9466-d8aaf3123f83
Status
test
Level
low
Type
Detection
Created
Sun May 03
Modified
Mon Aug 18
Path
rules/windows/image_load/image_load_susp_python_image_load.yml
Raw Tags
attack.defense-evasion
attack.t1027.002