title: Python Py2Exe Image Load
id: cbb56d62-4060-40f7-9466-d8aaf3123f83
description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
status: experimental
date: 2020/05/03
modified: 2021/12/05
author: Patrick St. John, OTR (Open Threat Research)
tags:
  - attack.defense_evasion
  - attack.t1027.002
references:
  - https://www.py2exe.org/
  - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
logsource:
  product: windows
  category: image_load
detection:
  selection:
    Description: 'Python Core'
  filter:
    - Image|contains: 
      - 'Python'  # FPs with python38.dll, python.exe etc.
    - Image|startswith:
      - 'C:\Program Files\'
      - 'C:\Program Files (x86)\'
  condition: selection and not filter
fields:
  - Description
falsepositives:
  - Legit Py2Exe Binaries
level: medium