Date: 08/09/2024
Severity: Medium
Summary
Detects a Sysmon image-load event (Event ID 7) in which a module whose file description is "Python Core" is loaded by a process that is not a known Python installation. This can indicate a Python script packaged into a standalone executable with Py2Exe.
Indicators of Compromise (IOC) List
Field | Values
Description (of the loaded module) | 'Python Core' (match condition)
Image (loading process) | excluded: 'Python', 'C:\Program Files\', 'C:\Program Files (x86)\', 'C:\ProgramData\Anaconda3\', null
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (Sysmon):
((resourceName = "Sysmon" AND eventtype = "7" ) AND description = "Python Core" ) AND imageloaded not in ("C:\Program Files" , "C:\Program Files (x86)" , "C:\ProgramData\Anaconda3" , "Python" , "null")

Detection Query 2 (EDR):
((technologygroup = "EDR" ) AND description = "Python Core" ) AND imageloaded not in ("C:\Program Files" , "C:\Program Files (x86)" , "C:\ProgramData\Anaconda3" , "Python" , "null")
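The rule's logic applied to constructed Sysmon Event ID 7 records, as an added example that is not Gurucul's or SigmaHQ's code: it matches on the loaded module's Description and applies the table's exclusions to Image, the loading process, treating the paths as directory prefixes (an assumption) and 'Python' as a substring, which is what keeps per-user Python installs from firing.

```python
"""Detection logic for the rule on this page: Sysmon Event ID 7 (Image Loaded)
records whose module has the file description 'Python Core' but whose loading
process (Image) is not a known Python install. Added example; sample events
below are constructed, not real telemetry."""

# Exclusions from the table above. The paths end in a backslash, so they are
# applied as directory prefixes (assumption); 'Python' is a substring match.
EXCLUDED_IMAGE_PREFIXES = (
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\ProgramData\\Anaconda3\\",
)
EXCLUDED_IMAGE_SUBSTRING = "python"

def is_suspicious_python_load(event: dict) -> bool:
    """True when a non-Python process loads a 'Python Core' module.
    Comparisons are case-insensitive, as Windows paths are."""
    if str(event.get("EventID")) != "7":              # only Image Loaded events
        return False
    if (event.get("Description") or "").strip().lower() != "python core":
        return False
    image = event.get("Image")
    if not image:                                     # null Image is excluded
        return False
    image_l = image.lower()
    if EXCLUDED_IMAGE_SUBSTRING in image_l:           # e.g. per-user Python installs
        return False
    return not any(image_l.startswith(p.lower()) for p in EXCLUDED_IMAGE_PREFIXES)

def find_suspicious_loads(events) -> list:
    """Filter Sysmon events down to those that fire the rule."""
    return [e for e in events if is_suspicious_python_load(e)]

# Constructed sample telemetry: only the first record should fire.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\python311.dll",
     "Description": "Python Core"},
    {"EventID": 7, "Image": "C:\\Program Files\\Python311\\python.exe",
     "ImageLoaded": "C:\\Program Files\\Python311\\python311.dll",
     "Description": "Python Core"},
    {"EventID": 7, "Image": None, "ImageLoaded": "C:\\Temp\\python310.dll",
     "Description": "Python Core"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "Description": "Python Core"},                  # not an image-load event
]
if __name__ == "__main__":
    for hit in find_suspicious_loads(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```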
References:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_susp_python_image_load.yml
https://www.py2exe.org/
https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/