Python Image Load By Non-Python Process

calendar Oct 1, 2025 · attack.defense-evasion attack.t1027.002  ·
Share on: linkedin copy

Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code. Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables. Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.

Sigma rule (View on GitHub)

 1title: Python Image Load By Non-Python Process
 2id: cbb56d62-4060-40f7-9466-d8aaf3123f83
 3status: test
 4description: |
 5    Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code.
 6    Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.
 7    Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.    
 8references:
 9    - https://www.py2exe.org/
10    - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
11author: Patrick St. John, OTR (Open Threat Research)
12date: 2020-05-03
13modified: 2025-08-18
14tags:
15    - attack.defense-evasion
16    - attack.t1027.002
17logsource:
18    product: windows
19    category: image_load
20detection:
21    selection:
22        Description: 'Python Core'
23    filter_main_generic:
24        - Image|contains: 'Python'  # FPs with python38.dll, python.exe etc.
25        - Image|startswith:
26              - 'C:\Program Files\'
27              - 'C:\Program Files (x86)\'
28              - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
29    filter_optional_null_image:
30        Image: null
31    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
32falsepositives:
33    - Legitimate Py2Exe Binaries
34    - Known false positive caused with Python Anaconda
35    - Various legitimate software is bundled from Python code into executables
36level: low

References

  • FrontPage - py2exe.org

    py2exe py2exe is a Python Distutils extension which converts Python scripts into executable Windows programs, able to run without requiring a Python installation. Development is hosted on GitHub. Y...


    Read More

  • Unit 42 Technical Analysis: Seaduke

    Unit 42 provides technical analysis of Seaduke, a new trojan used by "Duke" family of malware.


    Read More

Related rules

to-top