hunting/macos/queries/execution_unusual_library_load_via_python.toml

[hunt]
author = "Elastic"
name = "Unusual Library Load via Python"
uuid = "d9b30b84-dc53-413c-a7e4-f42078b10048"
description = """
Detects when a library is loaded from a user's home directory by a Python process and the loaded file is not a typical shared object (.so) or dynamic library (.dylib). This may indicate side-loading of malicious or non-standard files in script-based execution environments.
"""
integration = ["endpoint"]
language = ["EQL"]
license = "Elastic License v2"
mitre = ["T1059.006"]
notes = [
  "Loading libraries from /Users is rare and may suggest untrusted or attacker-deployed components.",
  "This hunt helps uncover suspicious Python-driven library loads that bypass traditional extension-based detection.",
  "Consider tuning to exclude known development or research environments that store legitimate libraries in home directories."
]
query = [
'''
library where event.action == "load" and
  dll.path like "/Users/*" and
  process.name like~ "python*" and
  not dll.name : ("*.so", "*.dylib")
'''
]
references = [
  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
  "https://x.com/safe/status/1897663514975649938",
  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
]
[New Hunt] New Hunting Queries for DPRK ByBit (#4644 ) 2025-04-23 16:41:23 -04:00			`[hunt]`
			`author = "Elastic"`
			`name = "Unusual Library Load via Python"`
			`uuid = "d9b30b84-dc53-413c-a7e4-f42078b10048"`
			`description = """`
			`Detects when a library is loaded from a user's home directory by a Python process and the loaded file is not a typical shared object (.so) or dynamic library (.dylib). This may indicate side-loading of malicious or non-standard files in script-based execution environments.`
			`"""`
			`integration = ["endpoint"]`
			`language = ["EQL"]`
			`license = "Elastic License v2"`
			`mitre = ["T1059.006"]`
			`notes = [`
			`"Loading libraries from /Users is rare and may suggest untrusted or attacker-deployed components.",`
			`"This hunt helps uncover suspicious Python-driven library loads that bypass traditional extension-based detection.",`
			`"Consider tuning to exclude known development or research environments that store legitimate libraries in home directories."`
			`]`
			`query = [`
			`'''`
			`library where event.action == "load" and`
			`dll.path like "/Users/*" and`
			`process.name like~ "python*" and`
			`not dll.name : (".so", ".dylib")`
			`'''`
			`]`
			`references = [`
			`"https://www.elastic.co/security-labs/dprk-code-of-conduct",`
			`"https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",`
			`"https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",`
			`"https://x.com/safe/status/1897663514975649938",`
			`"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"`
			`]`