Terrance DeJesus
31 lines
1.4 KiB
TOML
31 lines
1.4 KiB
TOML
[hunt]
|
|
author = "Elastic"
|
|
name = "Unusual Library Load via Python"
|
|
uuid = "d9b30b84-dc53-413c-a7e4-f42078b10048"
|
|
description = """
|
|
Detects when a library is loaded from a user's home directory by a Python process and the loaded file is not a typical shared object (.so) or dynamic library (.dylib). This may indicate side-loading of malicious or non-standard files in script-based execution environments.
|
|
"""
|
|
integration = ["endpoint"]
|
|
language = ["EQL"]
|
|
license = "Elastic License v2"
|
|
mitre = ["T1059.006"]
|
|
notes = [
|
|
"Loading libraries from /Users is rare and may suggest untrusted or attacker-deployed components.",
|
|
"This hunt helps uncover suspicious Python-driven library loads that bypass traditional extension-based detection.",
|
|
"Consider tuning to exclude known development or research environments that store legitimate libraries in home directories."
|
|
]
|
|
query = [
|
|
'''
|
|
library where event.action == "load" and
|
|
dll.path like "/Users/*" and
|
|
process.name like~ "python*" and
|
|
not dll.name : ("*.so", "*.dylib")
|
|
'''
|
|
]
|
|
references = [
|
|
"https://www.elastic.co/security-labs/dprk-code-of-conduct",
|
|
"https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
|
|
"https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
|
|
"https://x.com/safe/status/1897663514975649938",
|
|
"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
|
|
] |