Potential Python DLL SideLoading

calendar Oct 6, 2024 · attack.defense-evasion attack.t1574.002  ·
Share on: linkedin copy

Detects potential DLL sideloading of Python DLL files.

Sigma rule (View on GitHub)

 1title: Potential Python DLL SideLoading
 2id: d36f7c12-14a3-4d48-b6b8-774b9c66f44d
 3status: experimental
 4description: Detects potential DLL sideloading of Python DLL files.
 5references:
 6    - https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
 7    - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
 8    - https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
 9author: Swachchhanda Shrawan Poudel
10date: 2024-10-06
11tags:
12    - attack.defense-evasion
13    - attack.t1574.002
14logsource:
15    category: image_load
16    product: windows
17detection:
18    selection:
19        ImageLoaded|endswith:
20            - '\python39.dll'
21            - '\python310.dll'
22            - '\python311.dll'
23            - '\python312.dll'
24    filter_main_default_install_paths:
25        - ImageLoaded|startswith:
26              - 'C:\Program Files\Python3'
27              - 'C:\Program Files (x86)\Python3'
28        - ImageLoaded|contains: '\AppData\Local\Programs\Python\Python3'
29    filter_optional_visual_studio:
30        ImageLoaded|startswith: 'C:\Program Files\Microsoft Visual Studio\'
31    filter_optional_cpython:
32        ImageLoaded|contains:
33            - '\cpython\externals\'
34            - '\cpython\PCbuild\'
35    filter_main_legit_signature_details:
36        Product: 'Python'
37        Signed: 'true'
38        Description: 'Python'
39        Company: 'Python Software Foundation'
40    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
41falsepositives:
42    - Legitimate software using Python DLLs
43level: medium

References

Related rules

to-top