[New Hunt] New Hunting Queries for DPRK ByBit (#4644)

* new hunting queries for macOS DPRK * added docker hunting queries
2025-04-23 16:41:23 -04:00
parent ea31143b83
commit bbfc026c95
27 changed files with 1038 additions and 1 deletions
@@ -94,7 +94,18 @@ Here are the queries currently available:

 ## macos
 - [Low Occurrence of Suspicious Launch Agent or Launch Daemon](./macos/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md) (ES|QL)
+- [Potential Python Stealer Activity](./macos/docs/credential_access_potential_python_stealer.md) (ES|QL)
+- [Python Library Load and Delete](./macos/docs/defense_evasion_python_library_load_and_delete.md) (ES|QL)
+- [Python Script Drop and Execute](./macos/docs/execution_python_script_drop_and_execute.md) (ES|QL)
+- [Self-Deleted Python Script Accessing Sensitive Files](./macos/docs/defense_evasion_self_deleted_python_script_accessing_sensitive_files.md) (ES|QL)
+- [Self-Deleting Python Script](./macos/docs/defense_evasion_self_deleting_python_script.md) (ES|QL)
+- [Sensitive File Access via Docker](./macos/docs/execution_suspicious_file_access_via_docker.md) (ES|QL)
+- [Suspicious Executable File Modification via Docker](./macos/docs/execution_suspicious_executable_file_modification_via_docker.md) (ES|QL)
 - [Suspicious Network Connections by Unsigned Mach-O](./macos/docs/suspicious_network_connections_by_unsigned_macho.md) (ES|QL)
+- [Suspicious Python App Execution via Streamlit](./macos/docs/execution_suspicious_python_app_execution_via_streamlit.md) (ES|QL)
+- [Unsigned or Untrusted Binary Execution via Python](./macos/docs/execution_unsigned_or_untrusted_binary_execution_via_python.md) (ES|QL)
+- [Unsigned or Untrusted Binary Forked by Python](./macos/docs/execution_unsigned_or_untrusted_binary_fork_via_python.md) (ES|QL)
+- [Unusual Library Load via Python](./macos/docs/execution_unusual_library_load_via_python.md) (ES|QL)


 ## okta
@@ -34,6 +34,71 @@ macos:
    - T1543
    - T1543.001
    - T1543.004
+  7ab00c3d-0ed3-4e4b-9806-b19959bf6b12:
+    name: Self-Deleted Python Script Accessing Sensitive Files
+    path: ./macos/queries/defense_evasion_self_deleted_python_script_accessing_sensitive_files.toml
+    mitre:
+    - T1059.006
+    - T1070.004
+    - T1552.001
+  9aaf1113-cf7a-4fd7-b796-f6456fdaffb5:
+    name: Unsigned or Untrusted Binary Execution via Python
+    path: ./macos/queries/execution_unsigned_or_untrusted_binary_execution_via_python.toml
+    mitre:
+    - T1059.006
+    - T1105
+  76a1f901-4495-4cbd-a35a-7ff8d116602b:
+    name: Python Library Load and Delete
+    path: ./macos/queries/defense_evasion_python_library_load_and_delete.toml
+    mitre:
+    - T1059.006
+    - T1070.004
+  04d4b300-bf2f-4e86-8fab-c51502a1db32:
+    name: Suspicious Python App Execution via Streamlit
+    path: ./macos/queries/execution_suspicious_python_app_execution_via_streamlit.toml
+    mitre:
+    - T1059.006
+    - T1105
+  76f10746-9527-4c99-8ed8-491085ecdcfd:
+    name: Python Script Drop and Execute
+    path: ./macos/queries/execution_python_script_drop_and_execute.toml
+    mitre:
+    - T1059.006
+    - T1105
+  02e50f28-d5a1-4289-ab49-48ae0e2ca196:
+    name: Unsigned or Untrusted Binary Forked by Python
+    path: ./macos/queries/execution_unsigned_or_untrusted_binary_fork_via_python.toml
+    mitre:
+    - T1059.006
+  107fe9a2-6743-4136-a055-fa070fd38f2f:
+    name: Potential Python Stealer Activity
+    path: ./macos/queries/credential_access_potential_python_stealer.toml
+    mitre:
+    - T1059.006
+    - T1552.001
+  6461f45e-b03f-4756-94d2-34a210caeb78:
+    name: Self-Deleting Python Script
+    path: ./macos/queries/defense_evasion_self_deleting_python_script.toml
+    mitre:
+    - T1059.006
+    - T1070.004
+  d9b30b84-dc53-413c-a7e4-f42078b10048:
+    name: Unusual Library Load via Python
+    path: ./macos/queries/execution_unusual_library_load_via_python.toml
+    mitre:
+    - T1059.006
+  f5b1afc4-207c-11f0-aa05-f661ea17fbcd:
+    name: Suspicious Executable File Modification via Docker
+    path: ./macos/queries/execution_suspicious_executable_file_modification_via_docker.toml
+    mitre:
+    - T1105
+    - T1204.002
+  fb136106-207c-11f0-aa05-f661ea17fbcd:
+    name: Sensitive File Access via Docker
+    path: ./macos/queries/execution_suspicious_file_access_via_docker.toml
+    mitre:
+    - T1083
+    - T1552.001
 linux:
  ecd84bc7-32ae-474b-93a8-d1d9736c3464:
    name: Network Connections with Low Occurrence Frequency for Unique Agent ID
@@ -0,0 +1,51 @@
+# Unsigned or Untrusted Binary Execution via Python
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Detects the execution of unsigned or untrusted binaries where the parent process is a Python interpreter. Adversaries often use Python as a launcher to run untrusted payloads, typically dropped to locations like `/tmp`, `/Users/Shared`, or public directories. This behavior is indicative of custom loaders, malware staging, or post-exploitation actions.
+
+- **UUID:** `9aaf1113-cf7a-4fd7-b796-f6456fdaffb5`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[EQL]`
+- **Source File:** [Unsigned or Untrusted Binary Execution via Python](../queries/command_and_control_suspicious_executable_file_creation_via_python.toml)
+
+## Query
+
+```sql
+process where event.type == "start" and event.action == "exec" and
+  (process.code_signature.trusted == false or process.code_signature.exists == false) and
+  process.parent.name like~ "python*" and
+  (
+    process.executable like "/Users/Shared/*" or
+    process.executable like "/tmp/*" or
+    process.executable like "/private/tmp/*" or
+    process.executable like "/Users/*/Public/*" or
+    process.name like ".*"
+  )
+```
+
+## Notes
+
+- Execution of untrusted binaries from Python in shared or temporary directories is rare in normal operations.
+- This hunt is useful for detecting dropper-style behavior during post-exploitation or initial access.
+- You may wish to enrich with file.hash or process.args to gain more triage context.
+
+## MITRE ATT&CK Techniques
+
+- [T1059.006](https://attack.mitre.org/techniques/T1059/006)
+- [T1105](https://attack.mitre.org/techniques/T1105)
+
+## References
+
+- https://www.elastic.co/security-labs/dprk-code-of-conduct
+- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
+- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
+- https://x.com/safe/status/1897663514975649938
+- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,48 @@
+# Potential Python Stealer Activity
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Detects the execution of a Python script followed by at least three consecutive open actions on files within a 30-second window. This behavior may indicate an attempt to access or exfiltrate sensitive data such as browser files, credentials, or configuration files.
+
+- **UUID:** `107fe9a2-6743-4136-a055-fa070fd38f2f`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[EQL]`
+- **Source File:** [Potential Python Stealer Activity](../queries/credential_access_potential_python_stealer.toml)
+
+## Query
+
+```sql
+sequence by process.entity_id with maxspan=30s
+  [process where event.type == "start" and event.action == "exec" and
+    process.name like~ "python*" and process.args_count == 2 and
+    process.args like ("/Users/*", "/tmp/*", "/private/tmp/*")]
+  [file where event.action == "open"]
+  [file where event.action == "open"]
+  [file where event.action == "open"]
+```
+
+## Notes
+
+- This hunt identifies Python-based access to multiple files shortly after script execution, a pattern common to stealers.
+- Adjustments may be needed to focus on high-value file paths (e.g., browser data, tokens, configuration files).
+- Further pivoting on `file.path`, `process.entity_id`, and `process.args` is recommended for triage.
+
+## MITRE ATT&CK Techniques
+
+- [T1059.006](https://attack.mitre.org/techniques/T1059/006)
+- [T1552.001](https://attack.mitre.org/techniques/T1552/001)
+
+## References
+
+- https://www.elastic.co/security-labs/dprk-code-of-conduct
+- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
+- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
+- https://x.com/safe/status/1897663514975649938
+- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,44 @@
+# Python Library Load and Delete
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Detects when a Python process loads a library from a user's home directory and then deletes that library within a short time window. This may indicate an attempt to execute malicious code in memory and remove evidence from disk as a form of defense evasion.
+
+- **UUID:** `76a1f901-4495-4cbd-a35a-7ff8d116602b`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[EQL]`
+- **Source File:** [Python Library Load and Delete](../queries/defense_evasion_python_library_load_and_delete.toml)
+
+## Query
+
+```sql
+sequence by process.entity_id with maxspan=15s
+  [library where event.action == "load" and dll.path like "/Users/*" and process.name like~ "python"]
+  [file where event.action == "deletion" and startswith~(file.path, dll.path)]
+```
+
+## Notes
+
+- This hunting rule helps identify potential in-memory execution or anti-forensic behavior by Python-based malware.
+- Library load followed by quick deletion is suspicious, especially in user directories.
+- Consider pivoting on `process.entity_id` to examine surrounding process activity and file writes.
+
+## MITRE ATT&CK Techniques
+
+- [T1059.006](https://attack.mitre.org/techniques/T1059/006)
+- [T1070.004](https://attack.mitre.org/techniques/T1070/004)
+
+## References
+
+- https://www.elastic.co/security-labs/dprk-code-of-conduct
+- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
+- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
+- https://x.com/safe/status/1897663514975649938
+- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,45 @@
+# Self-Deleted Python Script Accessing Sensitive Files
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Detects access to potentially sensitive files by a Python script that deletes itself from disk. This behavior is characteristic of sophisticated malware that executes from memory and avoids leaving behind forensic artifacts. Notably used in high-profile DPRK-linked financial heists.
+
+- **UUID:** `7ab00c3d-0ed3-4e4b-9806-b19959bf6b12`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[EQL]`
+- **Source File:** [Self-Deleted Python Script Accessing Sensitive Files](../queries/defense_evasion_self_deleted_python_script_accessing_sensitive_files.toml)
+
+## Query
+
+```sql
+sequence by process.entity_id with maxspan=15s
+  [file where event.action == "deletion" and file.extension in ("py", "pyc") and process.name like~ "python*"]
+  [file where event.action == "open"]
+```
+
+## Notes
+
+- This hunt detects Python-based scripts that self-delete and continue to access sensitive files (e.g., AWS credentials, SSH keys, keychains).
+- File paths in this logic can be enriched or customized to detect access to specific secrets in your environment.
+- Ideal for detecting evasive memory-resident malware and credential theft operations.
+
+## MITRE ATT&CK Techniques
+
+- [T1059.006](https://attack.mitre.org/techniques/T1059/006)
+- [T1070.004](https://attack.mitre.org/techniques/T1070/004)
+- [T1552.001](https://attack.mitre.org/techniques/T1552/001)
+
+## References
+
+- https://www.elastic.co/security-labs/dprk-code-of-conduct
+- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
+- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
+- https://x.com/safe/status/1897663514975649938
+- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,48 @@
+# Self-Deleting Python Script
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Detects when a Python script is executed and then deletes itself within a short time window. This behavior is often observed in malware used by DPRK threat actors to remove traces post-execution and avoid detection.
+
+- **UUID:** `6461f45e-b03f-4756-94d2-34a210caeb78`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[EQL]`
+- **Source File:** [Self-Deleting Python Script](../queries/defense_evasion_self_deleting_python_script.toml)
+
+## Query
+
+```sql
+sequence by process.entity_id with maxspan=10s
+  [process where event.type == "start" and event.action == "exec" and
+    process.name like~ "python*" and process.args_count == 2 and
+    process.args like ("/Users/Shared/*.py", "/tmp/*.py", "/private/tmp/*.py", "/Users/*/Public/*.py")]
+  [file where event.action == "deletion" and
+    file.extension in ("py", "pyc") and
+    file.path like ("/Users/Shared/*", "/tmp/*", "/private/tmp/*", "/Users/*/Public/*")]
+```
+
+## Notes
+
+- Self-deletion of Python scripts is commonly used to evade detection and forensic recovery.
+- This hunt is effective at uncovering ephemeral post-exploitation scripts or loaders.
+- You may pivot on `file.path`, `process.args`, and `process.executable` to understand intent and targets.
+
+## MITRE ATT&CK Techniques
+
+- [T1059.006](https://attack.mitre.org/techniques/T1059/006)
+- [T1070.004](https://attack.mitre.org/techniques/T1070/004)
+
+## References
+
+- https://www.elastic.co/security-labs/dprk-code-of-conduct
+- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
+- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
+- https://x.com/safe/status/1897663514975649938
+- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,46 @@
+# Python Script Drop and Execute
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Detects when a Python script is written to disk within a user's home directory and then immediately executed by the same process lineage. This pattern is commonly observed in initial access payload delivery or script-based malware staging.
+
+- **UUID:** `76f10746-9527-4c99-8ed8-491085ecdcfd`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[EQL]`
+- **Source File:** [Python Script Drop and Execute](../queries/execution_python_script_drop_and_execute.toml)
+
+## Query
+
+```sql
+sequence with maxspan=15s
+  [file where event.action == "modification" and process.name like~ "python*" and
+   file.extension == "py" and file.path like "/Users/*"] by process.entity_id
+  [process where event.type == "start" and event.action == "exec" and
+   process.args_count == 2 and process.args like "/Users/*"] by process.parent.entity_id
+```
+
+## Notes
+
+- This hunt is designed to catch malicious tooling written and executed rapidly by Python processes.
+- This technique is often used by downloaders or droppers that write staging scripts and immediately run them.
+- Consider pivoting on `process.entity_id` and `file.path` to view subsequent behavior.
+
+## MITRE ATT&CK Techniques
+
+- [T1059.006](https://attack.mitre.org/techniques/T1059/006)
+- [T1105](https://attack.mitre.org/techniques/T1105)
+
+## References
+
+- https://www.elastic.co/security-labs/dprk-code-of-conduct
+- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
+- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
+- https://x.com/safe/status/1897663514975649938
+- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,45 @@
+# Suspicious Executable File Modification via Docker
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Detects when Docker or Docker Desktop processes modify executable files within user-accessible or temporary directories. These locations are commonly used by attackers to stage payloads or drop binaries during post-exploitation activity.
+
+- **UUID:** `f5b1afc4-207c-11f0-aa05-f661ea17fbcd`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[EQL]`
+- **Source File:** [Suspicious Executable File Modification via Docker](../queries/execution_suspicious_executable_file_modification_via_docker.toml)
+
+## Query
+
+```sql
+file where event.action == "modification" and
+  (process.name in ("docker", "Docker Desktop") or process.name like "com.docker*") and
+  file.Ext.header_bytes like~ ("cffaedfe*", "cafebabe*") and
+  file.path like ("/tmp/*", "/private/tmp/*", "/Users/Shared/*", "/Users/*/Public/*", "/Users/*/Downloads/*", "/Users/*/Desktop/*", "/Users/*/Documents/*")
+```
+
+## Notes
+
+- Executable file writes from Docker processes in user or temp directories are suspicious in most environments.
+- This behavior may indicate container escape attempts, tool staging, or post-exploitation binary drops.
+- The header byte patterns 'cffaedfe' (Mach-O) and 'cafebabe' (Java class files) help identify actual executables being written.
+
+## MITRE ATT&CK Techniques
+
+- [T1105](https://attack.mitre.org/techniques/T1105)
+- [T1204.002](https://attack.mitre.org/techniques/T1204/002)
+
+## References
+
+- https://www.elastic.co/security-labs/dprk-code-of-conduct
+- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
+- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
+- https://x.com/safe/status/1897663514975649938
+- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,44 @@
+# Sensitive File Access via Docker
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Detects Docker or Docker Desktop processes accessing potentially sensitive host files, including SSH keys, cloud provider credentials, browser data, or crypto wallet files. This behavior may indicate container escape attempts, data harvesting from the host, or misconfigured volume mounts exposing secrets.
+
+- **UUID:** `fb136106-207c-11f0-aa05-f661ea17fbcd`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[EQL]`
+- **Source File:** [Sensitive File Access via Docker](../queries/execution_suspicious_file_access_via_docker.toml)
+
+## Query
+
+```sql
+file where event.action == "open" and
+  (process.name in ("docker", "Docker Desktop") or process.name like "com.docker*") and
+  not file.name in ("System.keychain", "login.keychain-db")
+```
+
+## Notes
+
+- Docker processes accessing sensitive host files may suggest attempts to harvest credentials from the host system.
+- You may enrich this detection by adding file paths for `.aws/credentials`, `.ssh/id_rsa`, `keychain`, or `Cookies`.
+- Consider filtering legitimate developer use cases or adjusting for specific containers if needed.
+
+## MITRE ATT&CK Techniques
+
+- [T1083](https://attack.mitre.org/techniques/T1083)
+- [T1552.001](https://attack.mitre.org/techniques/T1552/001)
+
+## References
+
+- https://www.elastic.co/security-labs/dprk-code-of-conduct
+- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
+- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
+- https://x.com/safe/status/1897663514975649938
+- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,54 @@
+# Suspicious Python App Execution via Streamlit
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Detects execution of a Python application using Streamlit followed shortly by an outbound network connection. This pattern was seen in the Safe/ByBit breach and may indicate abuse of Streamlit to stage or serve a malicious interface during initial access operations.
+
+- **UUID:** `04d4b300-bf2f-4e86-8fab-c51502a1db32`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[EQL]`
+- **Source File:** [Suspicious Python App Execution via Streamlit](../queries/execution_suspicious_python_app_execution_via_streamlit.toml)
+
+## Query
+
+```sql
+sequence by process.entity_id with maxspan=2m
+  [process where event.type == "start" and event.action == "exec" and
+    process.name like~ "python*" and
+    process.args like ("/Users/*/Downloads/*streamlit", "/Users/*/Desktop/*streamlit", "/Users/*/Documents/*streamlit") and
+    process.args == "run" and process.args : "*.py" and
+    process.args_count == 4]
+  [network where event.type == "start" and destination.domain != null and
+    not cidrmatch(destination.ip,
+      "240.0.0.0/4", "233.252.0.0/24", "224.0.0.0/4", "198.19.0.0/16", "192.18.0.0/15",
+      "192.0.0.0/24", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
+      "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
+      "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
+      "::1", "FE80::/10", "FF00::/8")]
+```
+
+## Notes
+
+- This hunt identifies Python apps run via Streamlit from user directories, immediately followed by external network activity.
+- Streamlit-based payloads may abuse the framework to present fake interfaces or interactive apps during initial access.
+- Outbound connection filtering avoids internal IPs and infrastructure — can be tuned to your network space.
+
+## MITRE ATT&CK Techniques
+
+- [T1059.006](https://attack.mitre.org/techniques/T1059/006)
+- [T1105](https://attack.mitre.org/techniques/T1105)
+
+## References
+
+- https://www.elastic.co/security-labs/dprk-code-of-conduct
+- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
+- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
+- https://x.com/safe/status/1897663514975649938
+- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,51 @@
+# Unsigned or Untrusted Binary Execution via Python
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Detects the execution of unsigned or untrusted binaries where the parent process is a Python interpreter. Adversaries often use Python as a launcher to run untrusted payloads, typically dropped to locations like `/tmp`, `/Users/Shared`, or public directories. This behavior is indicative of custom loaders, malware staging, or post-exploitation actions.
+
+- **UUID:** `9aaf1113-cf7a-4fd7-b796-f6456fdaffb5`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[EQL]`
+- **Source File:** [Unsigned or Untrusted Binary Execution via Python](../queries/execution_unsigned_or_untrusted_binary_execution_via_python.toml)
+
+## Query
+
+```sql
+process where event.type == "start" and event.action == "exec" and
+  (process.code_signature.trusted == false or process.code_signature.exists == false) and
+  process.parent.name like~ "python*" and
+  (
+    process.executable like "/Users/Shared/*" or
+    process.executable like "/tmp/*" or
+    process.executable like "/private/tmp/*" or
+    process.executable like "/Users/*/Public/*" or
+    process.name like ".*"
+  )
+```
+
+## Notes
+
+- Execution of untrusted binaries from Python in shared or temporary directories is rare in normal operations.
+- This hunt is useful for detecting dropper-style behavior during post-exploitation or initial access.
+- You may wish to enrich with file.hash or process.args to gain more triage context.
+
+## MITRE ATT&CK Techniques
+
+- [T1059.006](https://attack.mitre.org/techniques/T1059/006)
+- [T1105](https://attack.mitre.org/techniques/T1105)
+
+## References
+
+- https://www.elastic.co/security-labs/dprk-code-of-conduct
+- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
+- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
+- https://x.com/safe/status/1897663514975649938
+- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,44 @@
+# Unsigned or Untrusted Binary Forked by Python
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt identifies unsigned or untrusted binaries executed via a fork from Python, where the binary resides in the user's home directory. This behavior may be associated with malware execution or script-based delivery mechanisms, especially those attempting to blend in with legitimate user activity.
+
+- **UUID:** `02e50f28-d5a1-4289-ab49-48ae0e2ca196`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[EQL]`
+- **Source File:** [Unsigned or Untrusted Binary Forked by Python](../queries/execution_unsigned_or_untrusted_binary_fork_via_python.toml)
+
+## Query
+
+```sql
+process where event.type == "start" and event.action == "fork" and process.executable like "/Users/*" and
+ (process.code_signature.trusted == false or process.code_signature.exists == false) and
+ process.args_count == 2 and process.args like "/Users/*" and process.args like "/Users/*" and
+ process.parent.name like~ "python*"
+```
+
+## Notes
+
+- This hunt helps identify suspicious Python-driven execution of unsigned binaries located within the /Users directory.
+- Pivoting on `process.entity_id` can help identify the broader context around the execution — including parent commands and child activity.
+- Can be tuned further based on specific binary paths seen in your environment.
+
+## MITRE ATT&CK Techniques
+
+- [T1059.006](https://attack.mitre.org/techniques/T1059/006)
+
+## References
+
+- https://www.elastic.co/security-labs/dprk-code-of-conduct
+- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
+- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
+- https://x.com/safe/status/1897663514975649938
+- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,44 @@
+# Unusual Library Load via Python
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Detects when a library is loaded from a user's home directory by a Python process and the loaded file is not a typical shared object (.so) or dynamic library (.dylib). This may indicate side-loading of malicious or non-standard files in script-based execution environments.
+
+- **UUID:** `d9b30b84-dc53-413c-a7e4-f42078b10048`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[EQL]`
+- **Source File:** [Unusual Library Load via Python](../queries/execution_unusual_library_load_via_python.toml)
+
+## Query
+
+```sql
+library where event.action == "load" and
+  dll.path like "/Users/*" and
+  process.name like~ "python*" and
+  not dll.name : ("*.so", "*.dylib")
+```
+
+## Notes
+
+- Loading libraries from /Users is rare and may suggest untrusted or attacker-deployed components.
+- This hunt helps uncover suspicious Python-driven library loads that bypass traditional extension-based detection.
+- Consider tuning to exclude known development or research environments that store legitimate libraries in home directories.
+
+## MITRE ATT&CK Techniques
+
+- [T1059.006](https://attack.mitre.org/techniques/T1059/006)
+
+## References
+
+- https://www.elastic.co/security-labs/dprk-code-of-conduct
+- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
+- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34
+- https://x.com/safe/status/1897663514975649938
+- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/
+
+## License
+
+- `Elastic License v2`
@@ -0,0 +1,37 @@
+[hunt]
+author = "Elastic"
+name = "Unsigned or Untrusted Binary Execution via Python"
+uuid = "9aaf1113-cf7a-4fd7-b796-f6456fdaffb5"
+description = """
+Detects the execution of unsigned or untrusted binaries where the parent process is a Python interpreter. Adversaries often use Python as a launcher to run untrusted payloads, typically dropped to locations like `/tmp`, `/Users/Shared`, or public directories. This behavior is indicative of custom loaders, malware staging, or post-exploitation actions.
+"""
+integration = ["endpoint"]
+language = ["EQL"]
+license = "Elastic License v2"
+mitre = ["T1059.006", "T1105"]
+notes = [
+  "Execution of untrusted binaries from Python in shared or temporary directories is rare in normal operations.",
+  "This hunt is useful for detecting dropper-style behavior during post-exploitation or initial access.",
+  "You may wish to enrich with file.hash or process.args to gain more triage context."
+]
+query = [
+'''
+process where event.type == "start" and event.action == "exec" and
+  (process.code_signature.trusted == false or process.code_signature.exists == false) and
+  process.parent.name like~ "python*" and
+  (
+    process.executable like "/Users/Shared/*" or
+    process.executable like "/tmp/*" or
+    process.executable like "/private/tmp/*" or
+    process.executable like "/Users/*/Public/*" or
+    process.name like ".*"
+  )
+'''
+]
+references = [
+  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
+  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
+  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
+  "https://x.com/safe/status/1897663514975649938",
+  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
+]
@@ -0,0 +1,34 @@
+[hunt]
+author = "Elastic"
+name = "Potential Python Stealer Activity"
+uuid = "107fe9a2-6743-4136-a055-fa070fd38f2f"
+description = """
+Detects the execution of a Python script followed by at least three consecutive open actions on files within a 30-second window. This behavior may indicate an attempt to access or exfiltrate sensitive data such as browser files, credentials, or configuration files.
+"""
+integration = ["endpoint"]
+language = ["EQL"]
+license = "Elastic License v2"
+mitre = ["T1059.006", "T1552.001"]
+notes = [
+  "This hunt identifies Python-based access to multiple files shortly after script execution, a pattern common to stealers.",
+  "Adjustments may be needed to focus on high-value file paths (e.g., browser data, tokens, configuration files).",
+  "Further pivoting on `file.path`, `process.entity_id`, and `process.args` is recommended for triage."
+]
+query = [
+'''
+sequence by process.entity_id with maxspan=30s
+  [process where event.type == "start" and event.action == "exec" and
+    process.name like~ "python*" and process.args_count == 2 and
+    process.args like ("/Users/*", "/tmp/*", "/private/tmp/*")]
+  [file where event.action == "open"]
+  [file where event.action == "open"]
+  [file where event.action == "open"]
+'''
+]
+references = [
+  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
+  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
+  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
+  "https://x.com/safe/status/1897663514975649938",
+  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
+]
@@ -0,0 +1,30 @@
+[hunt]
+author = "Elastic"
+name = "Python Library Load and Delete"
+uuid = "76a1f901-4495-4cbd-a35a-7ff8d116602b"
+description = """
+Detects when a Python process loads a library from a user's home directory and then deletes that library within a short time window. This may indicate an attempt to execute malicious code in memory and remove evidence from disk as a form of defense evasion.
+"""
+integration = ["endpoint"]
+language = ["EQL"]
+license = "Elastic License v2"
+mitre = ["T1059.006", "T1070.004"]
+notes = [
+  "This hunting rule helps identify potential in-memory execution or anti-forensic behavior by Python-based malware.",
+  "Library load followed by quick deletion is suspicious, especially in user directories.",
+  "Consider pivoting on `process.entity_id` to examine surrounding process activity and file writes."
+]
+query = [
+'''
+sequence by process.entity_id with maxspan=15s
+  [library where event.action == "load" and dll.path like "/Users/*" and process.name like~ "python"]
+  [file where event.action == "deletion" and startswith~(file.path, dll.path)]
+'''
+]
+references = [
+  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
+  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
+  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
+  "https://x.com/safe/status/1897663514975649938",
+  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
+]
@@ -0,0 +1,30 @@
+[hunt]
+author = "Elastic"
+name = "Self-Deleted Python Script Accessing Sensitive Files"
+uuid = "7ab00c3d-0ed3-4e4b-9806-b19959bf6b12"
+description = """
+Detects access to potentially sensitive files by a Python script that deletes itself from disk. This behavior is characteristic of sophisticated malware that executes from memory and avoids leaving behind forensic artifacts. Notably used in high-profile DPRK-linked financial heists.
+"""
+integration = ["endpoint"]
+language = ["EQL"]
+license = "Elastic License v2"
+mitre = ["T1059.006", "T1070.004", "T1552.001"]
+notes = [
+  "This hunt detects Python-based scripts that self-delete and continue to access sensitive files (e.g., AWS credentials, SSH keys, keychains).",
+  "File paths in this logic can be enriched or customized to detect access to specific secrets in your environment.",
+  "Ideal for detecting evasive memory-resident malware and credential theft operations."
+]
+query = [
+'''
+sequence by process.entity_id with maxspan=15s
+  [file where event.action == "deletion" and file.extension in ("py", "pyc") and process.name like~ "python*"]
+  [file where event.action == "open"]
+'''
+]
+references = [
+  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
+  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
+  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
+  "https://x.com/safe/status/1897663514975649938",
+  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
+]
@@ -0,0 +1,34 @@
+[hunt]
+author = "Elastic"
+name = "Self-Deleting Python Script"
+uuid = "6461f45e-b03f-4756-94d2-34a210caeb78"
+description = """
+Detects when a Python script is executed and then deletes itself within a short time window. This behavior is often observed in malware used by DPRK threat actors to remove traces post-execution and avoid detection.
+"""
+integration = ["endpoint"]
+language = ["EQL"]
+license = "Elastic License v2"
+mitre = ["T1059.006", "T1070.004"]
+notes = [
+  "Self-deletion of Python scripts is commonly used to evade detection and forensic recovery.",
+  "This hunt is effective at uncovering ephemeral post-exploitation scripts or loaders.",
+  "You may pivot on `file.path`, `process.args`, and `process.executable` to understand intent and targets."
+]
+query = [
+'''
+sequence by process.entity_id with maxspan=10s
+  [process where event.type == "start" and event.action == "exec" and
+    process.name like~ "python*" and process.args_count == 2 and
+    process.args like ("/Users/Shared/*.py", "/tmp/*.py", "/private/tmp/*.py", "/Users/*/Public/*.py")]
+  [file where event.action == "deletion" and
+    file.extension in ("py", "pyc") and
+    file.path like ("/Users/Shared/*", "/tmp/*", "/private/tmp/*", "/Users/*/Public/*")]
+'''
+]
+references = [
+  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
+  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
+  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
+  "https://x.com/safe/status/1897663514975649938",
+  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
+]
@@ -0,0 +1,32 @@
+[hunt]
+author = "Elastic"
+name = "Python Script Drop and Execute"
+uuid = "76f10746-9527-4c99-8ed8-491085ecdcfd"
+description = """
+Detects when a Python script is written to disk within a user's home directory and then immediately executed by the same process lineage. This pattern is commonly observed in initial access payload delivery or script-based malware staging.
+"""
+integration = ["endpoint"]
+language = ["EQL"]
+license = "Elastic License v2"
+mitre = ["T1059.006", "T1105"]
+notes = [
+  "This hunt is designed to catch malicious tooling written and executed rapidly by Python processes.",
+  "This technique is often used by downloaders or droppers that write staging scripts and immediately run them.",
+  "Consider pivoting on `process.entity_id` and `file.path` to view subsequent behavior."
+]
+query = [
+'''
+sequence with maxspan=15s
+  [file where event.action == "modification" and process.name like~ "python*" and
+   file.extension == "py" and file.path like "/Users/*"] by process.entity_id
+  [process where event.type == "start" and event.action == "exec" and
+   process.args_count == 2 and process.args like "/Users/*"] by process.parent.entity_id
+'''
+]
+references = [
+  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
+  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
+  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
+  "https://x.com/safe/status/1897663514975649938",
+  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
+]
@@ -0,0 +1,31 @@
+[hunt]
+author = "Elastic"
+name = "Suspicious Executable File Modification via Docker"
+uuid = "f5b1afc4-207c-11f0-aa05-f661ea17fbcd"
+description = """
+Detects when Docker or Docker Desktop processes modify executable files within user-accessible or temporary directories. These locations are commonly used by attackers to stage payloads or drop binaries during post-exploitation activity.
+"""
+integration = ["endpoint"]
+language = ["EQL"]
+license = "Elastic License v2"
+mitre = ["T1105", "T1204.002"]
+notes = [
+  "Executable file writes from Docker processes in user or temp directories are suspicious in most environments.",
+  "This behavior may indicate container escape attempts, tool staging, or post-exploitation binary drops.",
+  "The header byte patterns 'cffaedfe' (Mach-O) and 'cafebabe' (Java class files) help identify actual executables being written."
+]
+query = [
+'''
+file where event.action == "modification" and
+  (process.name in ("docker", "Docker Desktop") or process.name like "com.docker*") and
+  file.Ext.header_bytes like~ ("cffaedfe*", "cafebabe*") and
+  file.path like ("/tmp/*", "/private/tmp/*", "/Users/Shared/*", "/Users/*/Public/*", "/Users/*/Downloads/*", "/Users/*/Desktop/*", "/Users/*/Documents/*")
+'''
+]
+references = [
+  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
+  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
+  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
+  "https://x.com/safe/status/1897663514975649938",
+  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
+]
@@ -0,0 +1,30 @@
+[hunt]
+author = "Elastic"
+name = "Sensitive File Access via Docker"
+uuid = "fb136106-207c-11f0-aa05-f661ea17fbcd"
+description = """
+Detects Docker or Docker Desktop processes accessing potentially sensitive host files, including SSH keys, cloud provider credentials, browser data, or crypto wallet files. This behavior may indicate container escape attempts, data harvesting from the host, or misconfigured volume mounts exposing secrets.
+"""
+integration = ["endpoint"]
+language = ["EQL"]
+license = "Elastic License v2"
+mitre = ["T1083", "T1552.001"]
+notes = [
+  "Docker processes accessing sensitive host files may suggest attempts to harvest credentials from the host system.",
+  "You may enrich this detection by adding file paths for `.aws/credentials`, `.ssh/id_rsa`, `keychain`, or `Cookies`.",
+  "Consider filtering legitimate developer use cases or adjusting for specific containers if needed."
+]
+query = [
+'''
+file where event.action == "open" and
+  (process.name in ("docker", "Docker Desktop") or process.name like "com.docker*") and
+  not file.name in ("System.keychain", "login.keychain-db")
+'''
+]
+references = [
+  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
+  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
+  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
+  "https://x.com/safe/status/1897663514975649938",
+  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
+]
@@ -0,0 +1,40 @@
+[hunt]
+author = "Elastic"
+name = "Suspicious Python App Execution via Streamlit"
+uuid = "04d4b300-bf2f-4e86-8fab-c51502a1db32"
+description = """
+Detects execution of a Python application using Streamlit followed shortly by an outbound network connection. This pattern was seen in the Safe/ByBit breach and may indicate abuse of Streamlit to stage or serve a malicious interface during initial access operations.
+"""
+integration = ["endpoint"]
+language = ["EQL"]
+license = "Elastic License v2"
+mitre = ["T1059.006", "T1105"]
+notes = [
+  "This hunt identifies Python apps run via Streamlit from user directories, immediately followed by external network activity.",
+  "Streamlit-based payloads may abuse the framework to present fake interfaces or interactive apps during initial access.",
+  "Outbound connection filtering avoids internal IPs and infrastructure — can be tuned to your network space."
+]
+query = [
+'''
+sequence by process.entity_id with maxspan=2m
+  [process where event.type == "start" and event.action == "exec" and
+    process.name like~ "python*" and
+    process.args like ("/Users/*/Downloads/*streamlit", "/Users/*/Desktop/*streamlit", "/Users/*/Documents/*streamlit") and
+    process.args == "run" and process.args : "*.py" and
+    process.args_count == 4]
+  [network where event.type == "start" and destination.domain != null and
+    not cidrmatch(destination.ip,
+      "240.0.0.0/4", "233.252.0.0/24", "224.0.0.0/4", "198.19.0.0/16", "192.18.0.0/15",
+      "192.0.0.0/24", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
+      "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
+      "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
+      "::1", "FE80::/10", "FF00::/8")]
+'''
+]
+references = [
+  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
+  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
+  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
+  "https://x.com/safe/status/1897663514975649938",
+  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
+]
@@ -0,0 +1,37 @@
+[hunt]
+author = "Elastic"
+name = "Unsigned or Untrusted Binary Execution via Python"
+uuid = "9aaf1113-cf7a-4fd7-b796-f6456fdaffb5"
+description = """
+Detects the execution of unsigned or untrusted binaries where the parent process is a Python interpreter. Adversaries often use Python as a launcher to run untrusted payloads, typically dropped to locations like `/tmp`, `/Users/Shared`, or public directories. This behavior is indicative of custom loaders, malware staging, or post-exploitation actions.
+"""
+integration = ["endpoint"]
+language = ["EQL"]
+license = "Elastic License v2"
+mitre = ["T1059.006", "T1105"]
+notes = [
+  "Execution of untrusted binaries from Python in shared or temporary directories is rare in normal operations.",
+  "This hunt is useful for detecting dropper-style behavior during post-exploitation or initial access.",
+  "You may wish to enrich with file.hash or process.args to gain more triage context."
+]
+query = [
+'''
+process where event.type == "start" and event.action == "exec" and
+  (process.code_signature.trusted == false or process.code_signature.exists == false) and
+  process.parent.name like~ "python*" and
+  (
+    process.executable like "/Users/Shared/*" or
+    process.executable like "/tmp/*" or
+    process.executable like "/private/tmp/*" or
+    process.executable like "/Users/*/Public/*" or
+    process.name like ".*"
+  )
+'''
+]
+references = [
+  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
+  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
+  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
+  "https://x.com/safe/status/1897663514975649938",
+  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
+]
@@ -0,0 +1,31 @@
+[hunt]
+author = "Elastic"
+name = "Unsigned or Untrusted Binary Forked by Python"
+uuid = "02e50f28-d5a1-4289-ab49-48ae0e2ca196"
+description = """
+This hunt identifies unsigned or untrusted binaries executed via a fork from Python, where the binary resides in the user's home directory. This behavior may be associated with malware execution or script-based delivery mechanisms, especially those attempting to blend in with legitimate user activity.
+"""
+integration = ["endpoint"]
+language = ["EQL"]
+license = "Elastic License v2"
+mitre = ["T1059.006"]
+notes = [
+  "This hunt helps identify suspicious Python-driven execution of unsigned binaries located within the /Users directory.",
+  "Pivoting on `process.entity_id` can help identify the broader context around the execution — including parent commands and child activity.",
+  "Can be tuned further based on specific binary paths seen in your environment."
+]
+query = [
+'''
+process where event.type == "start" and event.action == "fork" and process.executable like "/Users/*" and
+ (process.code_signature.trusted == false or process.code_signature.exists == false) and
+ process.args_count == 2 and process.args like "/Users/*" and process.args like "/Users/*" and
+ process.parent.name like~ "python*"
+'''
+]
+references = [
+  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
+  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
+  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
+  "https://x.com/safe/status/1897663514975649938",
+  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
+]
@@ -0,0 +1,31 @@
+[hunt]
+author = "Elastic"
+name = "Unusual Library Load via Python"
+uuid = "d9b30b84-dc53-413c-a7e4-f42078b10048"
+description = """
+Detects when a library is loaded from a user's home directory by a Python process and the loaded file is not a typical shared object (.so) or dynamic library (.dylib). This may indicate side-loading of malicious or non-standard files in script-based execution environments.
+"""
+integration = ["endpoint"]
+language = ["EQL"]
+license = "Elastic License v2"
+mitre = ["T1059.006"]
+notes = [
+  "Loading libraries from /Users is rare and may suggest untrusted or attacker-deployed components.",
+  "This hunt helps uncover suspicious Python-driven library loads that bypass traditional extension-based detection.",
+  "Consider tuning to exclude known development or research environments that store legitimate libraries in home directories."
+]
+query = [
+'''
+library where event.action == "load" and
+  dll.path like "/Users/*" and
+  process.name like~ "python*" and
+  not dll.name : ("*.so", "*.dylib")
+'''
+]
+references = [
+  "https://www.elastic.co/security-labs/dprk-code-of-conduct",
+  "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
+  "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
+  "https://x.com/safe/status/1897663514975649938",
+  "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
+]