Python Image Load By Non-Python Process
Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.
Sigma rule (View on GitHub)
1title: Python Image Load By Non-Python Process
2id: cbb56d62-4060-40f7-9466-d8aaf3123f83
3status: test
4description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.
5references:
6 - https://www.py2exe.org/
7 - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
8author: Patrick St. John, OTR (Open Threat Research)
9date: 2020-05-03
10modified: 2023-09-18
11tags:
12 - attack.defense-evasion
13 - attack.t1027.002
14logsource:
15 product: windows
16 category: image_load
17detection:
18 selection:
19 Description: 'Python Core'
20 filter_main_generic:
21 - Image|contains: 'Python' # FPs with python38.dll, python.exe etc.
22 - Image|startswith:
23 - 'C:\Program Files\'
24 - 'C:\Program Files (x86)\'
25 - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
26 filter_optional_aurora:
27 Image: null
28 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
29falsepositives:
30 - Legitimate Py2Exe Binaries
31 - Known false positive caused with Python Anaconda
32level: medium
References
-
py2exe py2exe is a Python Distutils extension which converts Python scripts into executable Windows programs, able to run without requiring a Python installation. Development is hosted on GitHub. Y...
Read More -
Unit 42 provides technical analysis of Seaduke, a new trojan used by "Duke" family of malware.
Read More
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity