hunting/macos/docs/execution_unusual_library_load_via_python.md

# Unusual Library Load via Python

---

## Metadata

- **Author:** Elastic
- **Description:** Detects when a library is loaded from a user's home directory by a Python process and the loaded file is not a typical shared object (.so) or dynamic library (.dylib). This may indicate side-loading of malicious or non-standard files in script-based execution environments.

- **UUID:** `d9b30b84-dc53-413c-a7e4-f42078b10048`
- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
- **Language:** `[EQL]`
- **Source File:** [Unusual Library Load via Python](../queries/execution_unusual_library_load_via_python.toml)

## Query

```sql
library where event.action == "load" and
  dll.path like "/Users/*" and
  process.name like~ "python*" and
  not dll.name : ("*.so", "*.dylib")
```

## Notes

- Loading libraries from /Users is rare and may suggest untrusted or attacker-deployed components.
- This hunt helps uncover suspicious Python-driven library loads that bypass traditional extension-based detection.
- Consider tuning to exclude known development or research environments that store legitimate libraries in home directories.

## MITRE ATT&CK Techniques

- [T1059.006](https://attack.mitre.org/techniques/T1059/006)

## References

- https://www.elastic.co/security-labs/dprk-code-of-conduct
- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
- https://x.com/safe/status/1897663514975649938
- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/

## License

- `Elastic License v2`
[New Hunt] New Hunting Queries for DPRK ByBit (#4644 ) 2025-04-23 16:41:23 -04:00			`# Unusual Library Load via Python`

			`---`

			`## Metadata`

			`- Author: Elastic`
			`- Description: Detects when a library is loaded from a user's home directory by a Python process and the loaded file is not a typical shared object (.so) or dynamic library (.dylib). This may indicate side-loading of malicious or non-standard files in script-based execution environments.`

			- UUID: `d9b30b84-dc53-413c-a7e4-f42078b10048`
			`- Integration: [endpoint](https://docs.elastic.co/integrations/endpoint)`
			- Language: `[EQL]`
			`- Source File: [Unusual Library Load via Python](../queries/execution_unusual_library_load_via_python.toml)`

			`## Query`

			```sql
			`library where event.action == "load" and`
			`dll.path like "/Users/*" and`
			`process.name like~ "python*" and`
			`not dll.name : (".so", ".dylib")`
			```

			`## Notes`

			`- Loading libraries from /Users is rare and may suggest untrusted or attacker-deployed components.`
			`- This hunt helps uncover suspicious Python-driven library loads that bypass traditional extension-based detection.`
			`- Consider tuning to exclude known development or research environments that store legitimate libraries in home directories.`

			`## MITRE ATT&CK Techniques`

			`- [T1059.006](https://attack.mitre.org/techniques/T1059/006)`

			`## References`

			`- https://www.elastic.co/security-labs/dprk-code-of-conduct`
			`- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/`
			`- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34`
			`- https://x.com/safe/status/1897663514975649938`
			`- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/`

			`## License`

			- `Elastic License v2`