Python Image Load By Non-Python Process
Detects the image load of a DLL whose file description is "Python Core" (the Python runtime library) by a process whose image path does not look like a Python installation. This can indicate the execution of an executable that was bundled from Python code. Tools such as Py2Exe, PyInstaller and cx_Freeze bundle Python code into standalone executables; threat actors use them to package malicious Python scripts, sometimes to obfuscate the code or to bypass security controls.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1027.002 Obfuscated Files or Information: Software Packing |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 7 | Image loaded |
Stages and Predicates
Stage 1: selection
  Description: 'Python Core'
Stage 2: not 1 of filter_main_generic
  or:
    Image|contains: 'Python'
    Image|startswith: 'C:\Program Files (x86)\'
    Image|startswith: 'C:\Program Files\'
    Image|startswith: 'C:\ProgramData\Anaconda3\'
Stage 3: not 1 of filter_optional_null_image
  Image: null
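The three stages above combine as "selection and not filter_main_generic and not filter_optional_null_image". The following is an added example, not code from the rule page or from the SigmaHQ project: a small Python re-implementation of that logic run over constructed Sysmon Event ID 7 records. Field names follow Sysmon (Image, ImageLoaded, Description); the sample records, paths and file names are invented for illustration. Sigma string matching is case-insensitive by default, so the comparison lower-cases both sides. The last sample record shows a blind spot a practitioner should know about: any process whose path merely contains "Python" is excluded by the generic filter, whatever directory it runs from.

```python
"""Re-implementation of the Sigma rule "Python Image Load By Non-Python Process"
for illustration. Added example; not the rule page's or SigmaHQ's own code."""

# Sigma string comparisons are case-insensitive unless a modifier says
# otherwise, so all values are normalised to lower case before matching.
SELECTION_DESCRIPTION = "python core"
FILTER_IMAGE_CONTAINS = ("python",)
FILTER_IMAGE_STARTSWITH = (
    "c:\\program files (x86)\\",
    "c:\\program files\\",
    "c:\\programdata\\anaconda3\\",
)


def selection(event: dict) -> bool:
    """Stage 1: the loaded image's file description is 'Python Core'."""
    desc = event.get("Description")
    return desc is not None and desc.lower() == SELECTION_DESCRIPTION


def filter_main_generic(event: dict) -> bool:
    """Stage 2: the loading process looks like a Python installation
    (path contains 'Python' or sits under a known install root)."""
    image = event.get("Image")
    if image is None:
        return False
    img = image.lower()
    return any(s in img for s in FILTER_IMAGE_CONTAINS) or any(
        img.startswith(p) for p in FILTER_IMAGE_STARTSWITH
    )


def filter_optional_null_image(event: dict) -> bool:
    """Stage 3: the event carries no Image field at all."""
    return event.get("Image") is None


def matches(event: dict) -> bool:
    """Sigma condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*."""
    return (
        selection(event)
        and not filter_main_generic(event)
        and not filter_optional_null_image(event)
    )


# Constructed Sysmon Event ID 7 (Image loaded) records; all paths are invented.
SAMPLE_EVENTS = [
    # Interpreter installed under Program Files loading its own runtime: filtered.
    {"EventID": 7, "Image": "C:\\Program Files\\Python311\\python.exe",
     "ImageLoaded": "C:\\Program Files\\Python311\\python311.dll",
     "Description": "Python Core"},
    # Per-user install: the path contains 'Python', so the generic filter drops it.
    {"EventID": 7,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python312\\pythonw.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python312\\python312.dll",
     "Description": "Python Core"},
    # PyInstaller-style bundle: a non-Python image loads the runtime it unpacked
    # into a temp directory. This is the case the rule is written for.
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\_MEI123456\\python311.dll",
     "Description": "Python Core"},
    # Unrelated DLL load: not selected at all.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll",
     "Description": "NT Layer DLL"},
    # Image field missing: dropped by the optional null-image filter.
    {"EventID": 7, "Image": None,
     "ImageLoaded": "C:\\Temp\\python311.dll", "Description": "Python Core"},
    # Blind spot: a bundle renamed to contain 'python' evades the generic filter
    # even though it runs from a download directory.
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\python_update.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\_MEI654321\\python311.dll",
     "Description": "Python Core"},
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the Image of every event the rule fires on."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for image in alerts():
        print("ALERT: Python Core loaded by", image)
```

Only the invoice.exe record fires. The renamed python_update.exe record does not, which is the trade-off the generic "Image contains Python" filter makes to suppress the many legitimate interpreter locations; a tighter filter would need to list the install roots explicitly.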
Indicators
Each row is a field, operator and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators; a blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Description | eq | Python Core |
| Image | match | Python |
| Image | starts_with | C:\Program Files (x86)\, C:\Program Files\, C:\ProgramData\Anaconda3\ |