Execute Python Scripts via Python Installer Binary

Detects pythonw.exe being started by a parent process named setup.exe with a command line that points at a .py script under a user's AppData directory. Some installation packages allow post-installation scripts to run; an attacker can modify those scripts or add their own so that malicious code executes after the legitimate software is installed. Note that the rule's `CommandLine|endswith: '.py'` clause requires the script path to be the last thing on the command line, so a quoted script path (which ends in `"`) or any arguments following the script will not match.

Sigma rule

title: Execute Python Scripts via Python Installer Binary
description: Detects the execution of malicious Python scripts from the AppData directory after the execution of the setup.exe installation package. Some installation packages allow for post-installation scripts to be run. A malicious actor could modify these scripts or add their own to execute malicious actions after the legitimate software is installed.
status: experimental
date: 2023/10/26
author: '@kostastsale'
references:
    - https://twitter.com/xorJosh/status/1717504124764233944
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\pythonw.exe'
        ParentImage|endswith:
            - '\setup.exe'
        CommandLine|contains|all:
            - '\AppData\'
    selection2:
        # Only matches when the script path is the final, unquoted token.
        CommandLine|endswith:
            - '.py'
    condition: selection1 and selection2
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense-evasion
    - attack.t1202
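To show what the rule's detection logic does and does not catch, the following added example (not part of the original page or of the SigmaHQ project) hand-implements the three string modifiers the rule uses, with Sigma's default case-insensitive matching, and runs them over constructed process-creation events. All paths and event data are made up for the example; the `selection2_broadened` variant, which also accepts a quoted script path or trailing arguments, is a hypothetical suggestion and not part of the page's rule.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreation:
    """Minimal stand-in for a Windows process-creation event (constructed)."""
    image: str
    parent_image: str
    command_line: str


def _endswith(value: str, suffix: str) -> bool:
    # Sigma string matching is case-insensitive unless a rule says otherwise.
    return value.lower().endswith(suffix.lower())


def _contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


# Values copied from the rule's detection section.
IMAGE_SUFFIXES = ("\\pythonw.exe",)
PARENT_SUFFIXES = ("\\setup.exe",)
CMDLINE_MUST_CONTAIN = ("\\AppData\\",)   # CommandLine|contains|all
CMDLINE_SUFFIXES = (".py",)               # CommandLine|endswith


def selection1(ev: ProcessCreation) -> bool:
    return (
        any(_endswith(ev.image, s) for s in IMAGE_SUFFIXES)
        and any(_endswith(ev.parent_image, s) for s in PARENT_SUFFIXES)
        and all(_contains(ev.command_line, n) for n in CMDLINE_MUST_CONTAIN)
    )


def selection2(ev: ProcessCreation) -> bool:
    return any(_endswith(ev.command_line, s) for s in CMDLINE_SUFFIXES)


def rule_matches(ev: ProcessCreation) -> bool:
    """condition: selection1 and selection2"""
    return selection1(ev) and selection2(ev)


# Hypothetical replacement for selection2 (not from the page): accept '.py'
# followed by a closing quote, whitespace (further arguments) or end of line.
_PY_SCRIPT_RE = re.compile(r'\.py["\']?(?:\s|$)', re.IGNORECASE)


def selection2_broadened(ev: ProcessCreation) -> bool:
    return _PY_SCRIPT_RE.search(ev.command_line) is not None


def rule_matches_broadened(ev: ProcessCreation) -> bool:
    return selection1(ev) and selection2_broadened(ev)


# Constructed sample data; the paths are made up for this example.
PYW = r"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe"
PY = PYW.replace("pythonw.exe", "python.exe")
SETUP = r"C:\Users\alice\Downloads\setup.exe"
SCRIPT = r"C:\Users\alice\AppData\Local\Temp\post_install.py"
PF_PYW = r"C:\Program Files\Python311\pythonw.exe"
PF_SCRIPT = r"C:\Program Files\Demo\post_install.py"

EVENTS = {
    "unquoted_hit": ProcessCreation(PYW, SETUP, f"{PYW} {SCRIPT}"),
    "quoted_path": ProcessCreation(PYW, SETUP, f'"{PYW}" "{SCRIPT}"'),
    "trailing_args": ProcessCreation(PYW, SETUP, f"{PYW} {SCRIPT} --silent"),
    "mixed_case": ProcessCreation(PYW.upper(), SETUP.upper(), f"{PYW} {SCRIPT}".upper()),
    "python_exe": ProcessCreation(PY, SETUP, f"{PY} {SCRIPT}"),
    "msiexec_parent": ProcessCreation(PYW, r"C:\Windows\System32\msiexec.exe", f"{PYW} {SCRIPT}"),
    "outside_appdata": ProcessCreation(PF_PYW, SETUP, f"{PF_PYW} {PF_SCRIPT}"),
}


def evaluate(events=EVENTS) -> dict:
    """Rule verdict per event name, exactly as written on the page."""
    return {name: rule_matches(ev) for name, ev in events.items()}


def evaluate_broadened(events=EVENTS) -> dict:
    """Verdict per event name with the hypothetical broadened selection2."""
    return {name: rule_matches_broadened(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:16} rule={rule_matches(ev)!s:5} "
              f"broadened={rule_matches_broadened(ev)}")
```

Running it shows that the rule as written fires only on the unquoted, argument-free case (case differences do not matter), while the quoted-path and trailing-argument variants are missed; the broadened variant catches those while still rejecting python.exe, a non-setup.exe parent, and scripts outside AppData.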
