security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity
Files
master
blue-team-tools/rules/windows/image_load/image_load_side_load_python.yml
T
Nasreddine Bencherchali 34c5d66c22 Merge PR #5966 from @nasbench - Update mitre tags to use attack v19 
chore: update mitre tags to use attack v19
2026-04-29 01:20:23 +02:00

54 lines
2.0 KiB
YAML
Raw Permalink Blame History

title: Potential Python DLL SideLoading
id: d36f7c12-14a3-4d48-b6b8-774b9c66f44d
status: test
description: Detects potential DLL sideloading of Python DLL files.
references:
- https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
author: Swachchhanda Shrawan Poudel
date: 2024-10-06
modified: 2025-08-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\python39.dll'
- '\python310.dll'
- '\python311.dll'
- '\python312.dll'
filter_main_default_install_paths:
- ImageLoaded|startswith:
- 'C:\Program Files\Python3'
- 'C:\Program Files (x86)\Python3'
- ImageLoaded|contains: '\AppData\Local\Programs\Python\Python3'
filter_optional_visual_studio:
ImageLoaded|startswith: 'C:\Program Files\Microsoft Visual Studio\'
filter_optional_anaconda:
ImageLoaded|startswith: 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
filter_optional_cpython:
ImageLoaded|contains:
- '\cpython\externals\'
- '\cpython\PCbuild\'
filter_optional_pyinstaller:
# Triggered by programs bundled with PyInstaller
ImageLoaded|startswith: 'C:\Users'
ImageLoaded|contains: '\AppData\Local\Temp\_MEI'
filter_main_legit_signature_details:
Product: 'Python'
Signed: 'true'
Description: 'Python'
Company: 'Python Software Foundation'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software using Python DLLs
level: medium
Reference in New Issue View Git Blame Copy Permalink