Unusual Library Load via Python

 1[metadata]
 2creation_date = "2026/01/30"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2026/01/30"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects when a Python process loads an unusual library from within the user's home directory where the file 
11is not a standard .so or .dylib file. This technique has been observed in APT campaigns by the Lazarus Group 
12and Slow Pisces to load malicious payloads.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.library-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Unusual Library Load via Python"
19references = [
20    "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
21    "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34"
22]
23risk_score = 73
24rule_id = "ab9a334a-f2c3-4f49-879f-480de71020d3"
25severity = "high"
26tags = [
27    "Domain: Endpoint",
28    "OS: macOS",
29    "Use Case: Threat Detection",
30    "Tactic: Execution",
31    "Data Source: Elastic Defend",
32    "Resources: Investigation Guide"
33]
34timestamp_override = "event.ingested"
35type = "eql"
36note = """## Triage and analysis
37
38> **Disclaimer**:
39> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
40
41### Investigating Unusual Library Load via Python
42
43Python's dynamic library loading capabilities allow code to import and execute shared libraries at runtime. Sophisticated threat actors, including APT groups like Lazarus and Slow Pisces, abuse this functionality to load malicious payloads disguised as Python modules from user directories. This detection rule identifies when Python loads libraries from user home directories that don't follow standard naming conventions (.so or .dylib), indicating potential malicious module loading.
44
45### Possible investigation steps
46
47- Examine the dll.path field to identify the full path of the library being loaded and determine if it is in an expected location for legitimate Python packages.
48- Analyze the dll.name to assess whether the file extension matches known malicious patterns or unusual naming conventions not typical for Python modules.
49- Calculate the hash of the loaded library file and search threat intelligence databases for known malicious indicators associated with Lazarus or Slow Pisces campaigns.
50- Review the process.executable and process.command_line to understand which Python script or application initiated the library load.
51- Examine the parent process hierarchy using process.parent.executable to trace back to the initial execution vector that launched the Python process.
52- Check for other files in the same directory as the loaded library that may be additional malware components or supporting payloads.
53- Review file creation timestamps to determine when the suspicious library was placed on the system and correlate with other security events.
54
55### False positive analysis
56
57- Some Python applications dynamically extract or compile extension modules during runtime, particularly scientific computing packages. Verify if the application is known to exhibit this behavior.
58- Development environments and IDEs may use unconventional library paths during testing and debugging. Confirm with development teams if such activities are expected.
59- PyQt and similar UI frameworks may load additional framework files from user directories. These are partially excluded in the query but may require additional tuning.
60- Pyenv and virtual environment setups may have libraries in non-standard locations. Review the paths against known virtual environment structures.
61
62### Response and remediation
63
64- Immediately terminate the Python process if the loaded library is confirmed or suspected to be malicious.
65- Quarantine the suspicious library file for forensic analysis and malware reverse engineering.
66- Scan the system for additional indicators of compromise associated with the identified threat actor campaign.
67- Review the Python script or application that loaded the library and assess whether it has been modified or replaced.
68- Check for persistence mechanisms that may reload the malicious library on system restart or user login.
69- Search for similar library loading patterns across other systems in the environment to identify potential lateral movement.
70- Reset any credentials or tokens that may have been exposed through the compromised Python process.
71- Escalate to the incident response team if APT-level compromise is suspected.
72"""
73query = '''
74library where host.os.type == "macos" and event.action == "load" and
75  dll.path like "/Users/*" and
76  process.name like "python*" and
77  not dll.name like ("*.so", "*.dylib", "Python", "*.*_extension", "*.dylib.*") and
78  not dll.path like ("*/site-packages/*/Qt*/lib/Qt*.framework/Versions/*/Qt*",
79                     "/Users/*/.pyenv/versions/*/lib/python*/site-packages/*")
80'''
81
82[[rule.threat]]
83framework = "MITRE ATT&CK"
84
85  [rule.threat.tactic]
86  name = "Execution"
87  id = "TA0002"
88  reference = "https://attack.mitre.org/tactics/TA0002/"
89
90  [[rule.threat.technique]]
91  name = "Command and Scripting Interpreter"
92  id = "T1059"
93  reference = "https://attack.mitre.org/techniques/T1059/"
94
95    [[rule.threat.technique.subtechnique]]
96    name = "Python"
97    id = "T1059.006"
98    reference = "https://attack.mitre.org/techniques/T1059/006/"