Python Image Load By Non-Python Process
- source: sigma
- techniques:
  - t1027
  - t1027.002
Description
Detects the image load of “Python Core” by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.
Detection logic
```yaml
selection:
  Description: Python Core
filter_main_generic:
  - Image|contains: Python
  - Image|startswith:
      - 'C:\Program Files\'
      - 'C:\Program Files (x86)\'
      - 'C:\ProgramData\Anaconda3\'
filter_optional_aurora:
  Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
```
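To see which image-load events the rule actually fires on, the following added example (not part of the Sigma rule or of the SigmaHQ project) re-implements the detection logic in Python and runs it over a handful of constructed events. It assumes the event fields are named `Image` and `Description` as in the rule, that `Image: null` means the field is absent or empty, and that string matching is case-insensitive, which is Sigma's default for `contains`, `startswith` and plain value matches.

```python
"""Evaluate the 'Python Image Load By Non-Python Process' Sigma logic
over sample image-load events. Added example, not the rule's own code."""

# Constructed image-load events (assumed field names 'Image' and
# 'Description', as used by the Sigma rule). None models a missing field.
SAMPLE_EVENTS = [
    # Unknown binary loading Python Core: this is what the rule wants to see.
    {"Image": r"C:\Users\alice\Downloads\report.exe", "Description": "Python Core"},
    # Real interpreter: path contains 'Python', excluded by filter_main_generic.
    {"Image": r"C:\Python39\python.exe", "Description": "Python Core"},
    # Installed under Program Files: excluded by the startswith prefix list.
    {"Image": r"C:\Program Files\Tool\tool.exe", "Description": "Python Core"},
    # Anaconda distribution: excluded by prefix (and by 'Python' substring).
    {"Image": r"C:\ProgramData\Anaconda3\pythonw.exe", "Description": "Python Core"},
    # Not a Python Core load at all: selection does not match.
    {"Image": r"C:\Users\alice\Downloads\report.exe", "Description": "Windows Shell"},
    # Image field missing: excluded by filter_optional_aurora (Image: null).
    {"Image": None, "Description": "Python Core"},
    # Case differs from the rule text; Sigma matching is case-insensitive.
    {"Image": r"C:\Users\bob\AppData\Local\Temp\build.exe", "Description": "python core"},
]

# Prefixes from filter_main_generic's Image|startswith list.
FILTER_PREFIXES = (
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\ProgramData\\Anaconda3\\",
)


def selection(event):
    """selection: Description equals 'Python Core' (case-insensitive)."""
    return (event.get("Description") or "").lower() == "python core"


def filter_main_generic(event):
    """filter_main_generic: a list of maps in Sigma is OR-ed, so the filter
    applies if Image contains 'Python' OR Image starts with any prefix."""
    image = event.get("Image")
    if not image:
        return False
    image_l = image.lower()
    return "python" in image_l or any(
        image_l.startswith(prefix.lower()) for prefix in FILTER_PREFIXES
    )


def filter_optional_aurora(event):
    """filter_optional_aurora: Image is null, i.e. absent or empty."""
    return not event.get("Image")


def rule_matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (
        selection(event)
        and not filter_main_generic(event)
        and not filter_optional_aurora(event)
    )


def run(events=SAMPLE_EVENTS):
    """Return the Image paths of the events that trigger the rule."""
    return [event["Image"] for event in events if rule_matches(event)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT: Python Core loaded by non-Python process:", hit)
```

Only the two loads from user-writable locations survive both filters; the interpreter itself, anything under the listed install prefixes, and events with no `Image` field are dropped. The `filter_optional_aurora` exclusion exists because a backend that emits image-load events without an `Image` field would otherwise alert on every Python Core load, so when tuning the rule for a different sensor it is worth confirming the field is populated before relying on that filter.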