Date: 10/07/2024
Severity: Medium
Summary
Identifies possible DLL sideloading involving the versioned Python runtime DLLs (python39.dll through python312.dll) when they are loaded from outside the standard Python, Visual Studio or CPython build locations and lack the expected Python product, signature and description metadata.
Indicators of Compromise (IOC) List
ImageLoaded (matched DLL names): '\python39.dll', '\python310.dll', '\python311.dll', '\python312.dll'
ImageLoaded (excluded legitimate locations): 'C:\Program Files\Python3', 'C:\Program Files (x86)\Python3', '\AppData\Local\Programs\Python\Python3', 'C:\Program Files\Microsoft Visual Studio\', '\cpython\externals\', '\cpython\PCbuild\'
Product: 'Python'
Signed: 'true'
Description: 'Python'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: (resourcename = "Sysmon" AND eventtype = "7" ) AND imageloaded In ("\python39.dll","\python310.dll","\python311.dll","\python312.dll") AND imageloaded not In ("C:\Program Files\Python3","C:\Program Files (x86)\Python3","\AppData\Local\Programs\Python\Python3","C:\Program Files\Microsoft Visual Studio","\cpython\externals","\cpython\PCbuild") AND product not like "Python" AND signed not like "true" AND description not like "Python"
Detection Query 2: technologygroup = "EDR" AND imageloaded In ("\python39.dll","\python310.dll","\python311.dll","\python312.dll") AND imageloaded not In ("C:\Program Files\Python3","C:\Program Files (x86)\Python3","\AppData\Local\Programs\Python\Python3","C:\Program Files\Microsoft Visual Studio","\cpython\externals","\cpython\PCbuild") AND product not like "Python" AND signed not like "true" AND description not like "Python"
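Added example, not part of the Gurucul advisory or the SigmaHQ rule it cites: a Python reading of Detection Query 1 run over constructed Sysmon Event ID 7 (Image loaded) records, to show which loads alert and which are filtered. It assumes the "In" values are path suffixes, the "not In" values are substring exclusions of known-good directories, and the field names resourcename, eventtype, ImageLoaded, Product, Signed and Description.

```python
# Reads Detection Query 1 as: suffix match on the DLL name, substring exclusion
# of the known-good directories, then the three metadata checks ANDed together.
PYTHON_DLL_SUFFIXES = ("\\python39.dll", "\\python310.dll",
                       "\\python311.dll", "\\python312.dll")
LEGIT_PATH_FRAGMENTS = (
    "C:\\Program Files\\Python3",
    "C:\\Program Files (x86)\\Python3",
    "\\AppData\\Local\\Programs\\Python\\Python3",
    "C:\\Program Files\\Microsoft Visual Studio",
    "\\cpython\\externals",
    "\\cpython\\PCbuild",
)

def is_python_dll_sideload(event: dict) -> bool:
    """True when a Sysmon record satisfies the advisory's query as written."""
    # Scope: resourcename = "Sysmon" AND eventtype = "7" (Image loaded).
    if event.get("resourcename") != "Sysmon" or str(event.get("eventtype")) != "7":
        return False
    path = event.get("ImageLoaded", "").lower()
    # Selection: the loaded image is one of the versioned Python runtime DLLs.
    if not path.endswith(tuple(s.lower() for s in PYTHON_DLL_SUFFIXES)):
        return False
    # Exclusion: loads from the standard Python, Visual Studio or CPython build trees.
    if any(frag.lower() in path for frag in LEGIT_PATH_FRAGMENTS):
        return False
    # The metadata conditions are ANDed, so all three must fail before the query
    # fires: an unsigned copy that still reports Product 'Python' is not alerted.
    return (event.get("Product", "").lower() != "python"
            and str(event.get("Signed", "")).lower() != "true"
            and event.get("Description", "").lower() != "python")

def triage(events: list) -> list:
    """ImageLoaded paths of the events that would raise an alert."""
    return [e["ImageLoaded"] for e in events if is_python_dll_sideload(e)]

# Constructed sample Sysmon Event ID 7 records (not real telemetry).
SAMPLE_EVENTS = [
    {"resourcename": "Sysmon", "eventtype": "7", "Product": "Python", "Signed": "true", "Description": "Python",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Programs\Python\Python312\python312.dll"},
    {"resourcename": "Sysmon", "eventtype": "7", "Product": "", "Signed": "false", "Description": "",
     "ImageLoaded": r"C:\Users\Public\Updater\python311.dll"},
    {"resourcename": "Sysmon", "eventtype": "7", "Product": "Python", "Signed": "false", "Description": "Python",
     "ImageLoaded": r"C:\Temp\tool\python310.dll"},
    {"resourcename": "Sysmon", "eventtype": "7", "Product": "", "Signed": "false", "Description": "",
     "ImageLoaded": r"C:\Temp\tool\kernel32.dll"},
]
```

Only the second record alerts; the third shows that, with the metadata checks ANDed, an unsigned copy that still carries the Python product and description strings passes the query silently.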
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_side_load_python.yml