LoFP / legitimate py2exe binaries

Techniques

Sample rules

Python Image Load By Non-Python Process

Description

Detects the image load of “Python Core” by a non-Python process. This might indicate execution of an executable that has been bundled from Python code. Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables. Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.

Detection logic

selection:
  Description: Python Core
filter_main_generic:
  - Image|contains: Python
  - Image|startswith:
      - C:\Program Files\
      - C:\Program Files (x86)\
      - C:\ProgramData\Anaconda3\
filter_optional_null_image:
  Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
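The detection logic above, evaluated over constructed Sysmon Event ID 7 (ImageLoad) records, as an added example; this is not the LoFP page's or the Sigma project's own code. It assumes the rule targets the Sysmon image_load log source (the page omits the logsource), so the field names Image and Description are those of that event.

```python
from typing import Optional

# Path prefixes from filter_main_generic (Image|startswith).
TRUSTED_PREFIXES = (
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\ProgramData\\Anaconda3\\",
)

def matches_selection(event: dict) -> bool:
    """selection: Description: Python Core (Sigma string matching is case-insensitive)."""
    return str(event.get("Description", "")).lower() == "python core"

def filter_main_generic(image: Optional[str]) -> bool:
    """The two list items under filter_main_generic are OR'ed:
    Image|contains: Python  OR  Image|startswith: one of TRUSTED_PREFIXES."""
    if image is None:
        return False
    low = image.lower()
    return "python" in low or any(low.startswith(p.lower()) for p in TRUSTED_PREFIXES)

def filter_optional_null_image(image: Optional[str]) -> bool:
    """filter_optional_null_image: Image: null (field absent or null)."""
    return image is None

def rule_fires(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    image = event.get("Image")
    return (matches_selection(event)
            and not filter_main_generic(image)
            and not filter_optional_null_image(image))

# Constructed Sysmon EID 7 records (not real telemetry).
SAMPLE_EVENTS = [
    # Genuine interpreter: excluded by Image|contains: Python.
    {"Image": "C:\\Python311\\python.exe", "Description": "Python Core"},
    # Vendor app installed under Program Files: excluded by the path-prefix filter.
    {"Image": "C:\\Program Files\\VendorTool\\tool.exe", "Description": "Python Core"},
    # Unknown binary outside the trusted paths loading a bundled Python core: fires.
    {"Image": "C:\\Users\\alice\\Downloads\\invoice.exe", "Description": "Python Core"},
    # Event with no Image field: excluded by the optional null-image filter.
    {"Image": None, "Description": "Python Core"},
    # Non-Python DLL: the selection does not match at all.
    {"Image": "C:\\Users\\alice\\Downloads\\invoice.exe", "Description": "Microsoft C Runtime Library"},
]

def alerts(events: list) -> list:
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if rule_fires(e)]
```

Note that the path-prefix filter only excludes bundled interpreters installed under the listed directories; a legitimate py2exe binary run from anywhere else still produces the alert, which is exactly the false positive this LoFP entry records.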