Execute Python Scripts via Python Installer Binary
Detects pythonw.exe launched with setup.exe as its parent process to run a .py script from a path under \AppData\. Some installation packages allow post-installation scripts to be run; a malicious actor could modify these scripts or add their own so that malicious actions execute after the legitimate software is installed. Note that the rule requires the command line to end in .py, so a quoted script path or arguments following the script name will not match the published logic.
Sigma rule
title: Execute Python Scripts via Python Installer Binary
id: 6c6b0b7a-481d-4aca-84be-963e6cd2e302
description: Detects the execution of malicious Python scripts from the AppData directory after the execution of the setup.exe installation package. Some installation packages allow for post-installation scripts to be run. A malicious actor could modify these scripts or add their own to execute malicious actions after the legitimate software is installed.
status: experimental
date: 2023/10/26
author: '@kostastsale'
references:
    - https://twitter.com/xorJosh/status/1717504124764233944
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\pythonw.exe'
        ParentImage|endswith:
            - '\setup.exe'
        CommandLine|contains|all:
            - '\AppData\'
    selection2:
        CommandLine|endswith:
            - '.py'
    condition: selection1 and selection2
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense_evasion
    - attack.t1202
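The following is an added example, not part of the published rule or of the SigmaHQ tooling: a small hand-written evaluator for the string modifiers this rule uses (endswith, contains, contains|all, case-insensitive as in Sigma), run over constructed process_creation events. It shows the case the rule fires on and the two cases it misses because CommandLine|endswith '.py' fails when the script path is quoted or followed by arguments. SELECTION2_BROAD is a hypothetical variant for comparison, not part of the rule; the event field values are invented sample data.

```python
"""Added example, not part of the published Sigma rule or of SigmaHQ tooling.

A hand-written evaluator for the string modifiers this rule uses
(endswith, contains, contains|all), run over constructed process_creation
events so the hit case and the two miss cases of the rule are visible.
"""

# The rule's selections, transcribed field-for-field.
SELECTION1 = {
    "Image|endswith": [r"\pythonw.exe"],
    "ParentImage|endswith": [r"\setup.exe"],
    "CommandLine|contains|all": ["\\AppData\\"],
}
SELECTION2 = {"CommandLine|endswith": [".py"]}

# Hypothetical broader variant (not in the published rule): tolerates a quoted
# script path or trailing arguments, at the cost of also matching .pyw/.pyc/.pyd.
SELECTION2_BROAD = {"CommandLine|contains": [".py"]}


def _match_one(value: str, modifier: str, pattern: str) -> bool:
    # Sigma string comparison is case-insensitive by default.
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    return v == p


def _match_field(event: dict, spec: str, patterns: list) -> bool:
    field, *mods = spec.split("|")
    modifier = next((m for m in mods if m in ("endswith", "startswith", "contains")), "equals")
    hits = [_match_one(event.get(field, ""), modifier, p) for p in patterns]
    # A list of values is OR-ed unless the |all modifier is present.
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event: dict, selection: dict) -> bool:
    # Every field inside a selection must match (implicit AND).
    return all(_match_field(event, spec, pats) for spec, pats in selection.items())


def rule_matches(event: dict, selection2: dict = SELECTION2) -> bool:
    # condition: selection1 and selection2
    return selection_matches(event, SELECTION1) and selection_matches(event, selection2)


PYW = r"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe"
SCRIPT = r"C:\Users\alice\AppData\Local\Temp\post_install.py"
PARENT = r"C:\Users\alice\Downloads\setup.exe"

# Constructed events (invented, not real telemetry).
EVENTS = {
    # Unquoted script path as the last token: the published rule fires.
    "hit": {"Image": PYW, "ParentImage": PARENT, "CommandLine": f"{PYW} {SCRIPT}"},
    # Quoted script path: CommandLine ends with '"', so |endswith '.py' misses.
    "quoted": {"Image": PYW, "ParentImage": PARENT, "CommandLine": f'"{PYW}" "{SCRIPT}"'},
    # Arguments after the script name: same miss.
    "args": {"Image": PYW, "ParentImage": PARENT, "CommandLine": f"{PYW} {SCRIPT} --silent"},
    # Ordinary interactive launch: wrong image, wrong parent, no AppData path.
    "benign": {"Image": r"C:\Program Files\Python311\python.exe",
               "ParentImage": r"C:\Windows\explorer.exe",
               "CommandLine": r'"C:\Program Files\Python311\python.exe" C:\work\tool.py'},
}


def evaluate_all(selection2: dict = SELECTION2) -> dict:
    """Return {event name: matched?} for every constructed event."""
    return {name: rule_matches(ev, selection2) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:8s} published rule: {hit}")
    for name, hit in evaluate_all(SELECTION2_BROAD).items():
        print(f"{name:8s} broad variant:  {hit}")
```

Running the block prints that only the "hit" event matches the published logic, while the broad variant also catches the quoted and trailing-argument launches; whether that wider net is acceptable depends on how often legitimate installers in your environment invoke pythonw.exe on .pyw or other .py* paths.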