Techniques
Sample rules
Python Image Load By Non-Python Process
- source: sigma
- techniques:
- t1027
- t1027.002
Description
Detects the load of an image whose version-information Description is "Python Core" (the Python runtime DLL) by a process that is not itself Python. This can indicate execution of an executable that was bundled from Python code. Tools such as Py2Exe, PyInstaller, and cx_Freeze package Python code into standalone executables that unpack and load the Python runtime at run time. Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security controls.
Detection logic
selection:
    Description: Python Core
filter_main_generic:
    - Image|contains: Python
    - Image|startswith:
        - C:\Program Files\
        - C:\Program Files (x86)\
        - C:\ProgramData\Anaconda3\
filter_optional_null_image:
    Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
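To show how the selection and the two filters combine under that condition, the following is an added example, not code from the SigmaHQ rule or from this page: it re-implements the detection block in Python and runs it over a handful of constructed Sysmon Event ID 7 (ImageLoad) records. The field names (Image, ImageLoaded, Description) follow Sysmon's ImageLoad event; the records, paths and the helper names (selection, filter_main_generic, filter_optional_null_image, matches, alerting_images) are assumptions made for the illustration.

```python
# Added example (not from the SigmaHQ rule or this page): re-implements the
# rule's detection block and evaluates it over constructed Sysmon Event ID 7
# (ImageLoad) records so each selection/filter clause can be seen firing or not.
# Field names follow Sysmon's ImageLoad event; every record below is constructed.
from typing import Optional

# Paths from filter_main_generic's Image|startswith list.
TRUSTED_PREFIXES = (
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\ProgramData\\Anaconda3\\",
)


def _ci_contains(value: str, needle: str) -> bool:
    # Sigma string modifiers (contains/startswith) are case-insensitive by default.
    return needle.lower() in value.lower()


def _ci_startswith(value: str, prefix: str) -> bool:
    return value.lower().startswith(prefix.lower())


def selection(event: dict) -> bool:
    # selection: Description: Python Core  (plain value -> case-insensitive equality)
    desc: Optional[str] = event.get("Description")
    return desc is not None and desc.lower() == "python core"


def filter_main_generic(event: dict) -> bool:
    # A YAML list of maps is OR-ed: Image contains 'Python' OR starts with a trusted prefix.
    image: Optional[str] = event.get("Image")
    if image is None:
        return False
    return _ci_contains(image, "Python") or any(
        _ci_startswith(image, p) for p in TRUSTED_PREFIXES
    )


def filter_optional_null_image(event: dict) -> bool:
    # Image: null matches events where the field is absent (or explicitly null).
    return event.get("Image") is None


def matches(event: dict) -> bool:
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return (
        selection(event)
        and not filter_main_generic(event)
        and not filter_optional_null_image(event)
    )


# Constructed Sysmon Event ID 7 records (not real telemetry).
SAMPLE_EVENTS = [
    {   # Bundled binary unpacking its runtime into %TEMP% -> should fire
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_viewer.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\_MEI12345\\python311.dll",
        "Description": "Python Core",
    },
    {   # The interpreter itself -> excluded by Image|contains: Python
        "Image": "C:\\Python311\\python.exe",
        "ImageLoaded": "C:\\Python311\\python311.dll",
        "Description": "Python Core",
    },
    {   # Installed vendor product under Program Files -> excluded by Image|startswith
        "Image": "C:\\Program Files\\SomeVendor\\tool.exe",
        "ImageLoaded": "C:\\Program Files\\SomeVendor\\python39.dll",
        "Description": "Python Core",
    },
    {   # Image field missing -> excluded by filter_optional_null_image
        "ImageLoaded": "C:\\Windows\\Temp\\python38.dll",
        "Description": "Python Core",
    },
    {   # Unrelated DLL -> selection does not match at all
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ImageLoaded": "C:\\Windows\\System32\\shell32.dll",
        "Description": "Windows Shell Common Dll",
    },
    {   # Caveat: a binary merely named with 'python' is excluded by the contains filter
        "Image": "C:\\Users\\bob\\Downloads\\python_update.exe",
        "ImageLoaded": "C:\\Users\\bob\\Downloads\\python310.dll",
        "Description": "Python Core",
    },
]


def alerting_images(events=SAMPLE_EVENTS) -> list:
    """Return the Image path of every event the rule would alert on."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for path in alerting_images():
        print("ALERT Python Image Load By Non-Python Process:", path)
```

Only the first record alerts. The last record illustrates a tuning trade-off that follows directly from the rule text: because filter_main_generic uses Image|contains: Python, any process whose path merely contains that string is excluded, so when deploying the rule consider whether that exclusion is acceptable in your environment or should be narrowed to known interpreter paths.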