Execute Python Scripts via Python Installer Binary
Detects the execution of malicious Python scripts from the AppData directory after the execution of the setup.exe installation package. Some installation packages allow for post-installation scripts to be run. A malicious actor could modify these scripts or add their own to execute malicious actions after the legitimate software is installed.
Sigma rule
title: Execute Python Scripts via Python Installer Binary
description: Detects the execution of malicious Python scripts from the AppData directory after the execution of the setup.exe installation package. Some installation packages allow for post-installation scripts to be run. A malicious actor could modify these scripts or add their own to execute malicious actions after the legitimate software is installed.
status: experimental
date: 2023/10/26
author: '@kostastsale'
references:
    - https://twitter.com/xorJosh/status/1717504124764233944
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\pythonw.exe'
        ParentImage|endswith:
            - '\setup.exe'
        CommandLine|contains|all:
            - '\AppData\'
    selection2:
        CommandLine|endswith:
            - '.py'
    condition: selection1 and selection2
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense_evasion
    - attack.t1202
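To show what the rule's `selection1 and selection2` condition actually matches, the following added example (not part of the rule or of the Sigma project) re-implements its logic in Python and runs it over a handful of constructed process_creation events in the normalised shape Sigma uses for that log source (`Image`, `ParentImage`, `CommandLine`). Sigma string modifiers such as `endswith` and `contains` match case-insensitively, so the helpers lower-case both sides. The paths, user name and script name in the sample events are invented for the demonstration.

```python
"""Evaluate the Sigma rule's detection logic against constructed
process_creation events (added example, not the rule's or Sigma's own code)."""

# Constructed sample events. Field names follow Sigma's process_creation
# log source, which normalises Sysmon Event ID 1 / Security 4688 records.
SAMPLE_EVENTS = [
    {  # expected to match: pythonw.exe spawned by setup.exe, running a .py under AppData
        "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python311\\pythonw.exe",
        "ParentImage": "C:\\Users\\alice\\Downloads\\setup.exe",
        "CommandLine": "\"C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python311\\pythonw.exe\" "
                       "C:\\Users\\alice\\AppData\\Local\\Temp\\post_install.py",
    },
    {  # not a match: same parent/child chain, but the script lives under Program Files
        "Image": "C:\\Program Files\\Python311\\pythonw.exe",
        "ParentImage": "C:\\Users\\alice\\Downloads\\setup.exe",
        "CommandLine": "\"C:\\Program Files\\Python311\\pythonw.exe\" "
                       "C:\\Program Files\\Vendor\\post_install.py",
    },
    {  # not a match: the user launched the script from explorer.exe, not an installer
        "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python311\\pythonw.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "\"C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python311\\pythonw.exe\" "
                       "C:\\Users\\alice\\AppData\\Local\\Temp\\notes.py",
    },
    {  # not a match: console python.exe rather than the windowless pythonw.exe binary
        "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python311\\python.exe",
        "ParentImage": "C:\\Users\\alice\\Downloads\\setup.exe",
        "CommandLine": "\"C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python311\\python.exe\" "
                       "C:\\Users\\alice\\AppData\\Local\\Temp\\post_install.py",
    },
]


def ends_with_ci(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def contains_ci(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match."""
    return needle.lower() in value.lower()


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection1 and selection2'."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmdline = event.get("CommandLine", "")

    # selection1: Image|endswith, ParentImage|endswith, CommandLine|contains|all
    selection1 = (
        ends_with_ci(image, "\\pythonw.exe")
        and ends_with_ci(parent, "\\setup.exe")
        and all(contains_ci(cmdline, needle) for needle in ["\\AppData\\"])
    )
    # selection2: CommandLine|endswith '.py'
    selection2 = ends_with_ci(cmdline, ".py")
    return selection1 and selection2


def find_matches(events: list) -> list:
    """Indices of the events the rule would alert on."""
    return [i for i, event in enumerate(events) if matches_rule(event)]


if __name__ == "__main__":
    for idx, event in enumerate(SAMPLE_EVENTS):
        verdict = "ALERT" if matches_rule(event) else "ok   "
        print(f"{verdict} [{idx}] {event['ParentImage']} -> {event['CommandLine']}")
```

Only the first constructed event trips the rule; each of the other three fails exactly one clause of `selection1`, which is a quick way to confirm that every field condition is contributing before deploying the rule against real telemetry.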