Type: Detection | Level: medium | Status: test
Potential Python DLL SideLoading
Detects potential DLL sideloading of Python DLL files.
Author: Swachchhanda Shrawan Poudel. Created Sun Oct 06, updated Mon Aug 18. Rule ID: d36f7c12-14a3-4d48-b6b8-774b9c66f44d. Product: windows.
Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (7 selectors)
```yaml
detection:
  selection:
    ImageLoaded|endswith:
      - '\python39.dll'
      - '\python310.dll'
      - '\python311.dll'
      - '\python312.dll'
  filter_main_default_install_paths:
    - ImageLoaded|startswith:
        - 'C:\Program Files\Python3'
        - 'C:\Program Files (x86)\Python3'
    - ImageLoaded|contains: '\AppData\Local\Programs\Python\Python3'
  filter_optional_visual_studio:
    ImageLoaded|startswith: 'C:\Program Files\Microsoft Visual Studio\'
  filter_optional_anaconda:
    ImageLoaded|startswith: 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
  filter_optional_cpython:
    ImageLoaded|contains:
      - '\cpython\externals\'
      - '\cpython\PCbuild\'
  filter_optional_pyinstaller:
    # Triggered by programs bundled with PyInstaller
    ImageLoaded|startswith: 'C:\Users'
    ImageLoaded|contains: '\AppData\Local\Temp\_MEI'
  filter_main_legit_signature_details:
    Product: 'Python'
    Signed: 'true'
    Description: 'Python'
    Company: 'Python Software Foundation'
  condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
```
False Positives
Legitimate software using Python DLLs
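To make the condition concrete, the following is an added example (not part of the Sigma rule or of the SigmaHQ project) that re-implements this rule's selection, both `filter_main_*` selectors and the OR-ed `filter_optional_*` selectors in plain Python and runs them over a handful of constructed image_load events; the event values and paths are invented for illustration, and string comparisons are lowercased because Sigma matching is case-insensitive by default.

```python
# Constructed image_load events (not real telemetry); field names follow the rule.
EVENTS = [
    {"ImageLoaded": r"C:\Program Files\Python312\python312.dll", "Product": "Python",
     "Signed": "true", "Description": "Python", "Company": "Python Software Foundation"},
    {"ImageLoaded": r"C:\Users\alice\Downloads\update\Python311.DLL",
     "Product": "", "Signed": "false", "Description": "", "Company": ""},
    {"ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\_MEI45212\python310.dll",
     "Product": "Python", "Signed": "true", "Description": "Python", "Company": "Python Software Foundation"},
    {"ImageLoaded": r"C:\Tools\vendor\python39.dll", "Product": "Python",
     "Signed": "true", "Description": "Python", "Company": "Python Software Foundation"},
    {"ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Product": "Microsoft Windows",
     "Signed": "true", "Description": "Windows NT BASE API Client DLL", "Company": "Microsoft Corporation"},
]

def _f(ev, key):
    # Sigma string matching is case-insensitive by default, so normalise once.
    return str(ev.get(key, "")).lower()

def selection(ev):
    return _f(ev, "ImageLoaded").endswith(("\\python39.dll", "\\python310.dll",
                                           "\\python311.dll", "\\python312.dll"))

def filter_main_default_install_paths(ev):
    p = _f(ev, "ImageLoaded")
    return (p.startswith(("c:\\program files\\python3", "c:\\program files (x86)\\python3"))
            or "\\appdata\\local\\programs\\python\\python3" in p)

def filter_main_legit_signature_details(ev):
    return (_f(ev, "Product") == "python" and _f(ev, "Signed") == "true"
            and _f(ev, "Description") == "python"
            and _f(ev, "Company") == "python software foundation")

def filter_optional(ev):
    # visual_studio, anaconda, cpython and pyinstaller filters, OR-ed as "1 of filter_optional_*"
    p = _f(ev, "ImageLoaded")
    return (p.startswith("c:\\program files\\microsoft visual studio\\")
            or p.startswith("c:\\programdata\\anaconda3\\")
            or "\\cpython\\externals\\" in p or "\\cpython\\pcbuild\\" in p
            or (p.startswith("c:\\users") and "\\appdata\\local\\temp\\_mei" in p))

def matches(ev):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return (selection(ev) and not filter_main_default_install_paths(ev)
            and not filter_main_legit_signature_details(ev) and not filter_optional(ev))

def alerts(events=EVENTS):
    return [ev["ImageLoaded"] for ev in events if matches(ev)]
```

Only the unsigned copy under a user's Downloads folder alerts; the PSF-signed DLL outside a default install path is suppressed by the signature filter, and the PyInstaller `_MEI` temp copy by the optional filter, which is exactly the false-positive trade-off the rule's filters encode.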
MITRE ATT&CK
Rule Metadata
Rule ID
d36f7c12-14a3-4d48-b6b8-774b9c66f44d
Status
test
Level
medium
Type
Detection
Created
Sun Oct 06
Modified
Mon Aug 18
Path
rules/windows/image_load/image_load_side_load_python.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001