Potential Python DLL SideLoading
- source: sigma
- techniques:
  - t1574
  - t1574.002
Description
Detects potential DLL sideloading of Python DLL files.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_default_install_paths:
  - ImageLoaded|startswith:
      - C:\Program Files\Python3
      - C:\Program Files (x86)\Python3
  - ImageLoaded|contains: \AppData\Local\Programs\Python\Python3
filter_main_legit_signature_details:
  Company: Python Software Foundation
  Description: Python
  Product: Python
  Signed: 'true'
filter_optional_cpython:
  ImageLoaded|contains:
    - \cpython\externals\
    - \cpython\PCbuild\
filter_optional_visual_studio:
  ImageLoaded|startswith: C:\Program Files\Microsoft Visual Studio\
selection:
  ImageLoaded|endswith:
    - \python39.dll
    - \python310.dll
    - \python311.dll
    - \python312.dll
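As an added example that is not part of the rule page or the Sigma project, the condition above re-implemented in Python and run over constructed Sysmon Event ID 7 (image load) records, so the effect of each filter can be checked against concrete events. Field names follow Sysmon's image-load event; every path and event below is constructed, and the case-insensitive comparison mirrors Sigma's default string matching.

```python
# Added example: evaluate "selection and not 1 of filter_main_* and not 1 of filter_optional_*"
# over Sysmon Event ID 7 records. Sigma string modifiers are case-insensitive, so every
# comparison lower-cases the ImageLoaded path. All events and paths here are constructed.

SELECTION_SUFFIXES = ("\\python39.dll", "\\python310.dll", "\\python311.dll", "\\python312.dll")
DEFAULT_INSTALL_PREFIXES = ("c:\\program files\\python3", "c:\\program files (x86)\\python3")
DEFAULT_INSTALL_CONTAINS = "\\appdata\\local\\programs\\python\\python3"
CPYTHON_BUILD_CONTAINS = ("\\cpython\\externals\\", "\\cpython\\pcbuild\\")
VISUAL_STUDIO_PREFIX = "c:\\program files\\microsoft visual studio\\"


def rule_matches(event: dict) -> bool:
    """True when the event hits the selection and none of the filter selections."""
    image = event.get("ImageLoaded", "").lower()
    if not image.endswith(SELECTION_SUFFIXES):           # selection
        return False
    if image.startswith(DEFAULT_INSTALL_PREFIXES) or DEFAULT_INSTALL_CONTAINS in image:
        return False                                      # filter_main_default_install_paths
    legit_signature = (                                   # filter_main_legit_signature_details:
        event.get("Company") == "Python Software Foundation"   # all four fields must match
        and event.get("Description") == "Python"
        and event.get("Product") == "Python"
        and str(event.get("Signed", "")).lower() == "true"
    )
    if legit_signature:
        return False
    if any(s in image for s in CPYTHON_BUILD_CONTAINS):  # filter_optional_cpython
        return False
    if image.startswith(VISUAL_STUDIO_PREFIX):            # filter_optional_visual_studio
        return False
    return True


def alerting_events(events):
    """Return only the Event ID 7 records the rule would alert on."""
    return [e for e in events if rule_matches(e)]


SAMPLE_EVENTS = [  # constructed samples, not real telemetry
    {"Image": "C:\\Program Files\\Python311\\python.exe",                # default install path
     "ImageLoaded": "C:\\Program Files\\Python311\\python311.dll",
     "Company": "Python Software Foundation", "Description": "Python", "Product": "Python", "Signed": "true"},
    {"Image": "C:\\Users\\alice\\Downloads\\setup\\tool.exe",            # unsigned DLL in user dir
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\setup\\python311.dll",
     "Company": "-", "Description": "-", "Product": "-", "Signed": "false"},
    {"Image": "C:\\Temp\\run.exe", "ImageLoaded": "C:\\Temp\\python312.dll",  # odd path, PSF-signed
     "Company": "Python Software Foundation", "Description": "Python", "Product": "Python", "Signed": "true"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",                      # not a Python DLL at all
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Company": "Microsoft Corporation", "Description": "Base API", "Product": "Windows", "Signed": "true"},
]

if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", e["Image"], "->", e["ImageLoaded"])
```

Only the second record survives: the first is excluded by the install-path filter, the third by the signature filter, and the fourth never matches the selection.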