Python Image Load By Non-Python Process

Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.

Sigma rule (View on GitHub)

 1title: Python Image Load By Non-Python Process
 2id: cbb56d62-4060-40f7-9466-d8aaf3123f83
 3status: test
 4description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.
 5references:
 6    - https://www.py2exe.org/
 7    - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
 8author: Patrick St. John, OTR (Open Threat Research)
 9date: 2020-05-03
10modified: 2023-09-18
11tags:
12    - attack.defense-evasion
13    - attack.t1027.002
14logsource:
15    product: windows
16    category: image_load
17detection:
18    selection:
19        Description: 'Python Core'
20    filter_main_generic:
21        - Image|contains: 'Python'  # FPs with python38.dll, python.exe etc.
22        - Image|startswith:
23              - 'C:\Program Files\'
24              - 'C:\Program Files (x86)\'
25              - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
26    filter_optional_aurora:
27        Image: null
28    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
29falsepositives:
30    - Legitimate Py2Exe Binaries
31    - Known false positive caused with Python Anaconda
32level: medium

References

Related rules

to-top