title: Potential Python DLL SideLoading id: d36f7c12-14a3-4d48-b6b8-774b9c66f44d status: test description: Detects potential DLL sideloading of Python DLL files. references: - https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/ - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ - https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python author: Swachchhanda Shrawan Poudel date: 2024-10-06 modified: 2025-08-18 tags: - attack.privilege-escalation - attack.persistence - attack.defense-evasion - attack.t1574.001 logsource: category: image_load product: windows detection: selection: ImageLoaded|endswith: - '\python39.dll' - '\python310.dll' - '\python311.dll' - '\python312.dll' filter_main_default_install_paths: - ImageLoaded|startswith: - 'C:\Program Files\Python3' - 'C:\Program Files (x86)\Python3' - ImageLoaded|contains: '\AppData\Local\Programs\Python\Python3' filter_optional_visual_studio: ImageLoaded|startswith: 'C:\Program Files\Microsoft Visual Studio\' filter_optional_anaconda: ImageLoaded|startswith: 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment filter_optional_cpython: ImageLoaded|contains: - '\cpython\externals\' - '\cpython\PCbuild\' filter_optional_pyinstaller: # Triggered by programs bundled with PyInstaller ImageLoaded|startswith: 'C:\Users' ImageLoaded|contains: '\AppData\Local\Temp\_MEI' filter_main_legit_signature_details: Product: 'Python' Signed: 'true' Description: 'Python' Company: 'Python Software Foundation' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Legitimate software using Python DLLs level: medium