python.exe

  • File Path: C:\Program Files\Python38\python.exe
  • Description: Python

Hashes

| Type | Hash |
|---|---|
| MD5 | 14F7691FF32C19C21500E26EE3492688 |
| SHA1 | 06B991EDCA892C8E17DA2B33EEF05B9F01C9EC1E |
| SHA256 | 052F8B35EEE3A2B59CA479CF5A9F2D95C08F2394F1730D0233CC79C5CEBAA3DF |
| SHA384 | 31F087D2A8471BDD723D4B247B545AD5D2FC5F66BD587671F902ED56AA34ED5937350F66014B5D1C6CE5E6535D3CFE4A |
| SHA512 | 6EBB49A357A098F343BAEA0B37B714A4E426F2740C6C4C2588BA73E5AAD66ADF9F2E4396AC40C06AB95F48395A93DEEDA2E182B5C869D02613472805E6086E30 |
| SSDEEP | 1536:y77VbKbuEYE+9z2wp+FavGmhMn+IhzZtzI/IXRfwyo1:y77VbKbuAs0FNmhMn+IhNa/IXRk |
| IMP | A1304C4778128720E89539BB55752E4C |
| PESHA1 | 37A4E18676B4D8FBE85B28E76C4E54C8A4E2F9DE |
| PE256 | A267789F4500982E0FD585812635BBD4162511337E35B59EAE272BBBACF94420 |

Runtime Data

Usage (stdout):

usage: C:\Program Files\Python38\python.exe [option] ... [-c cmd | -m mod | file | -] [arg] ...
Options and arguments (and corresponding environment variables):
-b     : issue warnings about str(bytes_instance), str(bytearray_instance)
         and comparing bytes/bytearray with str. (-bb: issue errors)
-B     : don't write .pyc files on import; also PYTHONDONTWRITEBYTECODE=x
-c cmd : program passed in as string (terminates option list)
-d     : debug output from parser; also PYTHONDEBUG=x
-E     : ignore PYTHON* environment variables (such as PYTHONPATH)
-h     : print this help message and exit (also --help)
-i     : inspect interactively after running script; forces a prompt even
         if stdin does not appear to be a terminal; also PYTHONINSPECT=x
-I     : isolate Python from the user's environment (implies -E and -s)
-m mod : run library module as a script (terminates option list)
-O     : remove assert and __debug__-dependent statements; add .opt-1 before
         .pyc extension; also PYTHONOPTIMIZE=x
-OO    : do -O changes and also discard docstrings; add .opt-2 before
         .pyc extension
-q     : don't print version and copyright messages on interactive startup
-s     : don't add user site directory to sys.path; also PYTHONNOUSERSITE
-S     : don't imply 'import site' on initialization
-u     : force the stdout and stderr streams to be unbuffered;
         this option has no effect on stdin; also PYTHONUNBUFFERED=x
-v     : verbose (trace import statements); also PYTHONVERBOSE=x
         can be supplied multiple times to increase verbosity
-V     : print the Python version number and exit (also --version)
         when given twice, print more information about the build
-W arg : warning control; arg is action:message:category:module:lineno
         also PYTHONWARNINGS=arg
-x     : skip first line of source, allowing use of non-Unix forms of #!cmd
-X opt : set implementation-specific option. The following options are available:

         -X faulthandler: enable faulthandler
         -X showrefcount: output the total reference count and number of used
             memory blocks when the program finishes or after each statement in the
             interactive interpreter. This only works on debug builds
         -X tracemalloc: start tracing Python memory allocations using the
             tracemalloc module. By default, only the most recent frame is stored in a
             traceback of a trace. Use -X tracemalloc=NFRAME to start tracing with a
             traceback limit of NFRAME frames
         -X showalloccount: output the total count of allocated objects for each
             type when the program finishes. This only works when Python was built with
             COUNT_ALLOCS defined
         -X importtime: show how long each import takes. It shows module name,
             cumulative time (including nested imports) and self time (excluding
             nested imports). Note that its output may be broken in multi-threaded
             application. Typical usage is python3 -X importtime -c 'import asyncio'
         -X dev: enable CPythons development mode, introducing additional runtime
             checks which are too expensive to be enabled by default. Effect of the
             developer mode:
                * Add default warning filter, as -W default
                * Install debug hooks on memory allocators: see the PyMem_SetupDebugHooks() C function
                * Enable the faulthandler module to dump the Python traceback on a crash
                * Enable asyncio debug mode
                * Set the dev_mode attribute of sys.flags to True
                * io.IOBase destructor logs close() exceptions
         -X utf8: enable UTF-8 mode for operating system interfaces, overriding the default
             locale-aware mode. -X utf8=0 explicitly disables UTF-8 mode (even when it would
             otherwise activate automatically)
         -X pycache_prefix=PATH: enable writing .pyc files to a parallel tree rooted at the
             given directory instead of to the code tree

--check-hash-based-pycs always|default|never:
    control how Python invalidates hash-based .pyc files
file   : program read from script file
-      : program read from stdin (default; interactive mode if a tty)
arg ...: arguments passed to program in sys.argv[1:]

Other environment variables:
PYTHONSTARTUP: file executed on interactive startup (no default)
PYTHONPATH   : ';'-separated list of directories prefixed to the
               default module search path.  The result is sys.path.
PYTHONHOME   : alternate <prefix> directory (or <prefix>;<exec_prefix>).
               The default module search path uses <prefix>\python{major}{minor}.
PYTHONCASEOK : ignore case in 'import' statements (Windows).
PYTHONUTF8: if set to 1, enable the UTF-8 mode.
PYTHONIOENCODING: Encoding[:errors] used for stdin/stdout/stderr.
PYTHONFAULTHANDLER: dump the Python traceback on fatal errors.
PYTHONHASHSEED: if this variable is set to 'random', a random value is used
   to seed the hashes of str and bytes objects.  It can also be set to an
   integer in the range [0,4294967295] to get hash values with a
   predictable seed.
PYTHONMALLOC: set the Python memory allocators and/or install debug hooks
   on Python memory allocators. Use PYTHONMALLOC=debug to install debug
   hooks.
PYTHONCOERCECLOCALE: if this variable is set to 0, it disables the locale
   coercion behavior. Use PYTHONCOERCECLOCALE=warn to request display of
   locale coercion and locale compatibility warnings on stderr.
PYTHONBREAKPOINT: if this variable is set to 0, it disables the default
   debugger. It can be set to the callable of your debugger of choice.
PYTHONDEVMODE: enable the development mode.
PYTHONPYCACHEPREFIX: root directory for bytecode cache (pyc) files.

Usage (stderr):

C:\Program Files\Python38\python.exe: can't open file 'C:\temp\strontic-xcyclopedia\notepad.exe': [Errno 13] Permission denied

Loaded Modules:

| Path |
|---|
| C:\Program Files\Python38\python.exe |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\SYSTEM32\ntdll.dll |

Signature

  • Status: Signature verified.
  • Serial: 033ED5EDA065D1B8C91DFCF92A6C9BD8
  • Thumbprint: C91DCECB3A92A17B063059200B20F5CE251B5A95
  • Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=Python Software Foundation, O=Python Software Foundation, L=Wolfeboro, S=New Hampshire, C=US

File Metadata

  • Original Filename: python.exe
  • Product Name: Python
  • Company Name: Python Software Foundation
  • File Version: 3.8.5
  • Product Version: 3.8.5
  • Language: Language Neutral
  • Legal Copyright: Copyright 2001-2016 Python Software Foundation. Copyright 2000 BeOpen.com. Copyright 1995-2001 CNRI. Copyright 1991-1995 SMC.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/052f8b35eee3a2b59ca479cf5a9f2d95c08f2394f1730d0233cc79c5cebaa3df/detection/

File Similarity (ssdeep match)

| File | Score |
|---|---|
| C:\Program Files (x86)\Python310-32\Lib\venv\scripts\nt\python.exe | 41 |
| C:\Program Files (x86)\Python310-32\python.exe | 77 |
| C:\program files (x86)\Python38-32\python.exe | 82 |
| C:\Program Files\Blender Foundation\Blender 2.83\2.83\python\bin\python.exe | 72 |
| C:\program files\Blender Foundation\Blender 2.83\2.83\python\bin\python.exe | 72 |
| C:\Program Files\Blender Foundation\Blender 2.90\2.90\python\bin\python.exe | 75 |
| C:\Program Files\Inkscape\bin\python.exe | 80 |
| C:\program files\Inkscape\bin\python.exe | 72 |
| C:\program files\LibreOffice\program\python-core-3.7.7\bin\python.exe | 74 |
| C:\Program Files\Python310\Lib\venv\scripts\nt\python.exe | 44 |
| C:\Program Files\Python310\python.exe | 79 |

Possible Misuse

The following table contains possible examples of python.exe being misused. While python.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sigma-test.yml # This workflow will install Python dependencies, run tests and lint with a single version of Python DRL 1.0
sigma sigma-test.yml # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions DRL 1.0
sigma sigma-test.yml - name: Set up Python 3.8 DRL 1.0
sigma sigma-test.yml uses: actions/setup-python@v1 DRL 1.0
sigma sigma-test.yml python-version: 3.8 DRL 1.0
sigma sigma-test.yml python -m pip install --upgrade pip DRL 1.0
sigma app_python_sql_exceptions.yml title: Python SQL Exceptions DRL 1.0
sigma app_python_sql_exceptions.yml description: Generic rule for SQL exceptions in Python according to PEP 249 DRL 1.0
sigma app_python_sql_exceptions.yml - https://www.python.org/dev/peps/pep-0249/#exceptions DRL 1.0
sigma app_python_sql_exceptions.yml product: python DRL 1.0
sigma lnx_shell_susp_commands.yml - 'python -m SimpleHTTPServer' DRL 1.0
sigma lnx_shell_susp_commands.yml - '-m http.server' # Python 3 DRL 1.0
sigma proc_creation_macos_screencapture.yml - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py DRL 1.0
sigma web_exchange_exploitation_hafnium.yml - 'python-requests/2.19.1' DRL 1.0
sigma web_exchange_exploitation_hafnium.yml - 'python-requests/2.25.1' DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\python.exe' DRL 1.0
sigma image_load_susp_python_image_load.yml title: Python Py2Exe Image Load DRL 1.0
sigma image_load_susp_python_image_load.yml description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe. DRL 1.0
sigma image_load_susp_python_image_load.yml Description: 'Python Core' DRL 1.0
sigma image_load_susp_python_image_load.yml - 'Python' # FPs with python38.dll, python.exe etc. DRL 1.0
sigma net_connection_win_python.yml title: Python Initiated Connection DRL 1.0
sigma net_connection_win_python.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python DRL 1.0
sigma net_connection_win_python.yml Image\|contains: python DRL 1.0
sigma net_connection_win_python.yml - Legitimate python script DRL 1.0
sigma proc_access_win_pypykatz_cred_dump_lsass_access.yml - 'python3*.dll+' # Pypy requires python>=3.6 DRL 1.0
sigma proc_creation_win_pypykatz.yml - \python.exe DRL 1.0
sigma proc_creation_win_susp_adidnsdump.yml This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, DRL 1.0
sigma proc_creation_win_susp_adidnsdump.yml Image\|endswith: \python.exe DRL 1.0
sigma proc_creation_win_webshell_recon_detection.yml description: Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed. DRL 1.0
sigma proc_creation_win_webshell_recon_detection.yml - 'python --help' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion.yml Details\|contains: '\AppData\Local\Package Cache\{c60fd5ac-367d-4e3a-a975-f157502ac30a}\python' DRL 1.0
sigma arcsight.yml python: DRL 1.0
sigma arcsight.yml product: python DRL 1.0
sigma arcsight.yml deviceProduct: Python DRL 1.0
sigma sumologic-cse.yml application-python: DRL 1.0
sigma sumologic-cse.yml product: python DRL 1.0
sigma sumologic.yml application-python: DRL 1.0
sigma sumologic.yml product: python DRL 1.0
LOLBAS Testxlst.yml Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).  
malware-ioc evilnum Python/Agent.JM © ESET 2014-2018
malware-ioc evilnum Python/TrojanProxy.Agent.B © ESET 2014-2018
malware-ioc evilnum Python/Spy.KeyLogger.HF © ESET 2014-2018
malware-ioc evilnum Python/RiskWare.LaZagne.D © ESET 2014-2018
malware-ioc evilnum Python/Pyvil.A © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.A", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.B", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.C", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.D", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.E", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.F", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.G", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python.27.exe", © ESET 2014-2018
malware-ioc machete \|048C40EB606DA3DEF08C9F6997C1948AFBBC959B\|Python/Machete.F © ESET 2014-2018
malware-ioc machete \|2E8D8508096CAA38493414F6BA788D0041EA9E15\|Python/Machete.F © ESET 2014-2018
malware-ioc machete \|85BDD7D871108C737701AC30C14A2D343CBDEF94\|Python/Machete.D © ESET 2014-2018
malware-ioc machete \|8ED8CB784512F7DADD147347FC94E945FAF16338\|Python/Machete.F © ESET 2014-2018
malware-ioc machete \|9C413075AAB7EF7876B8DC8D7B7C1B9B96842C6E\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|AB8DD6B0CC950618589603012863B57F7ADB9D9B\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|318496B58CF5052EFD49A95C721D9165278E9FCE\|Python/Machete.B © ESET 2014-2018
malware-ioc machete \|3BB345032B6D0226D6771BA65FE4DA0FAF628631\|Python/Machete.B © ESET 2014-2018
malware-ioc machete \|946A24DFBD0AE94209EF7C284D3F462548566A3C\|Python/Machete.B © ESET 2014-2018
malware-ioc machete \|984B9202A6DBD7D3DD696CAE1220338A68092DC9\|Python/Machete.B © ESET 2014-2018
malware-ioc machete \|EABD45D0A86113F5CCFF9FD292C1E482A5727815\|Python/Machete.B © ESET 2014-2018
malware-ioc machete \|F05BC018C90B560DC4932758956ADFFBC10588CE\|Python/Machete.B © ESET 2014-2018
malware-ioc machete \|204A2850548E5994D4696E9002F90DFCCBE2093A\|Python/Machete.C © ESET 2014-2018
malware-ioc machete \|3792588EDC809270E6666A4677EC85A3400BA4CF\|Python/Machete.E © ESET 2014-2018
malware-ioc machete \|4899A2C2CECEB92D2CC4ED17D092D1D599379284\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|A42756280AA352F4612BED85AABF7F3267E676C2\|Python/Machete.E © ESET 2014-2018
malware-ioc machete \|A97CF05AD7F3102BDE45E4B4947ED435EFEA1968\|Python/Machete.E © ESET 2014-2018
malware-ioc machete \|C4ACCF6071F51ADE102190C6FA350435FC202654\|Python.27.exe © ESET 2014-2018
malware-ioc machete \|D5238CDE036EEFCC6D8D686B3A00247F27DA894C\|Python.27.exe © ESET 2014-2018
malware-ioc machete \|2B7404F6B0075BC1192D61D4AF135D521D5F08A3\|RdrCEF.exe\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|53102E57B40FEACB64566C26D101D9242DECE77C\|Down.exe\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|56E8743E0773286A4B9E055147D96D53A43BECA1\|Down.exe\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|71F69F04307C8F5675DCADEAA80B8C2B95691B01\|Down.exe\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|904137B61F1DED66C8CA76EBF198DEC1B638B5D4\|Down.exe\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|FBB485B40477F5A014E7096747B1B4A494CE50EF\|Down.exe\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|1B3723651E1D321D4F34F2A243D7751D17288257\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|7FFB9C7DA20C536B694E78538B65726EACB1B055\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|B1ADF4B46350FB801CE54DA9C93A4EF79674F3F5\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|0C33B75F6C4FC0413ABDBCDA1C5E18C907F13DC3\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|314D9B4C25DD69453D86E4C7062DCE6DEDDA0533\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|D4CF22F3DB78BDC1CEB55431857D88166CE677D4\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|26FB301AF7393B5E564B8C802F5795EDEBD7CECF\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|979859B5A177650EF0549C81FD66D36E9DEA8078\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|A07E38DF9887EA7811369CD72C57FD6D44523CD6\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|07E383E9FF04F587769845306DC4BFE75630BAAA\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|3B6F5CB20FF3AC0EE3813A68A937AAE92EBC46D3\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|56765B7511372A8E9BE017F48A764D141F485474\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|CF2DC40926D8747AEC572DFD711BBFD766AADB10\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|6B42091CA2F89A59F4E27E30ACDACF32EB83F824\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|708F159F2CFE22FF0C4464F2FEDAA0501868BDD8\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|DE639618B550DBE9071E999AAA5B4FC81F63A5A6\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|0B6F61AF3E2C6551F15E0F888177EEC91F20BA99\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|76AABC0AF5D487A80BCBA19555191B46766139FA\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|7FF87649CA1D9178A02CD9942856D1B590652C6E\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|8692EB1E620F2BCDDAF28F0CB726CEC2AA1C230D\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|8AF19AA3F18CB35F12EE3966931E11799C3AC5A4\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|E1BC4EC7F82FA06924DC4B43FBBB485D8C86D9CD\|Python/Machete.G © ESET 2014-2018
malware-ioc vf_ioc_linux_rakos.py # 2) Run: python vol.py -f dump_from_compromise_linux_system.vmem © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Python\/TeleBot.AA backdoor - Xchecked via VT: 57dad9cda501bc8f1d0496ef010146d9a1d3734f", © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Python\/TeleBot.AA backdoor - Xchecked via VT: 385f26d29b46ff55c5f4d6bbfd3da12eb5c33ed7", © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Python\/TeleBot.AA backdoor - Xchecked via VT: 16c206d9cfd4c82d6652afb1eebb589a927b041b", © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Python\/TeleBot.AA backdoor", © ESET 2014-2018
malware-ioc telebots - Python/TeleBot.AA trojan © ESET 2014-2018
malware-ioc telebots - Python/Agent.Q trojan © ESET 2014-2018
malware-ioc telebots - Python/Agent.AE trojan © ESET 2014-2018
malware-ioc telebots - Python/Agent.AD trojan © ESET 2014-2018
malware-ioc telebots === Python/TeleBot.AA backdoor © ESET 2014-2018
atomic-red-team index.md - Atomic Test #2: Dump individual process memory with Python (Local) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Compressing data using GZip in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Base64 decoding with Python [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Port Scan using python [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - T1059.006 Python MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Execute shell script via python’s command mode arguement [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Execute Python via scripts (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Execute Python via Python executables (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #2: Dump individual process memory with Python (Local) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #1: Compressing data using GZip in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #3: Base64 decoding with Python [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1059.006 Python MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #1: Execute shell script via python’s command mode arguement [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #2: Execute Python via scripts (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #3: Execute Python via Python executables (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #3: Base64 decoding with Python [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - T1059.006 Python CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Port Scan using python [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1059.006 Python CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | Spearphishing via Service CONTRIBUTE A TEST | Python | Create or Modify System Process CONTRIBUTE A TEST | Event Triggered Execution CONTRIBUTE A TEST | Deploy Container CONTRIBUTE A TEST | Man-in-the-Middle CONTRIBUTE A TEST | Local Groups | | Data from Network Shared Drive CONTRIBUTE A TEST | Scheduled Transfer CONTRIBUTE A TEST | External Proxy CONTRIBUTE A TEST | Inhibit System Recovery CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | Spearphishing Link CONTRIBUTE A TEST | Python CONTRIBUTE A TEST | Dylib Hijacking CONTRIBUTE A TEST | Event Triggered Execution CONTRIBUTE A TEST | Domain Accounts CONTRIBUTE A TEST | Keychain | Network Sniffing | | Data from Network Shared Drive CONTRIBUTE A TEST | Exfiltration over USB CONTRIBUTE A TEST | Domain Generation Algorithms CONTRIBUTE A TEST | Endpoint Denial of Service CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | Python | Compromise Client Software Binary CONTRIBUTE A TEST | DLL Side-Loading | Create Snapshot CONTRIBUTE A TEST | Kerberoasting | Process Discovery | | Local Data Staging | | Multi-hop Proxy | Stored Data Manipulation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Spearphishing Link CONTRIBUTE A TEST | Python CONTRIBUTE A TEST | Browser Extensions | COR_PROFILER | Compile After Delivery | Forced Authentication | Network Sniffing | Shared Webroot CONTRIBUTE A TEST | Data from Removable Media CONTRIBUTE A TEST | Exfiltration to Code Repository CONTRIBUTE A TEST | Encrypted Channel | Firmware Corruption CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Parses secrets hidden in the LSASS process with python. Similar to mimikatz’s sekurlsa:: MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Python 3 must be installed, use the get_prereq_command’s to meet the prerequisites for this test. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ##### Description: Computer must have python 3 installed MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md echo “Python 3 must be installed manually” MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md ##### Description: Computer must have python 3 installed MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md echo “Python 3 must be installed manually” MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md - Atomic Test #2 - Dump individual process memory with Python (Local) MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md ## Atomic Test #2 - Dump individual process memory with Python (Local) MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md Using /proc/$PID/mem, where $PID is the target process ID, use a Python script to MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md PYTHON=$(which python || which python3 || which python2) MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md $PYTHON #{python_script} $PID #{output_file} MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md ##### Description: Requires Python MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md (which python || which python3 || which python2) MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md echo “Python 2.7+ or 3.4+ must be installed” MIT License. © 2018 Red Canary
atomic-red-team T1018.md Python 3 and adidnsdump must be installed, use the get_prereq_command’s to meet the prerequisites for this test. MIT License. © 2018 Red Canary
atomic-red-team T1018.md ##### Description: Computer must have python 3 installed MIT License. © 2018 Red Canary
atomic-red-team T1018.md if (python –version) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1018.md echo “Python 3 must be installed manually” MIT License. © 2018 Red Canary
atomic-red-team T1036.006.md 1. echo ‘#!/bin/bash\necho “print "hello, world!"” | /usr/bin/python\nexit’ > execute.txt && chmod +x execute.txt MIT License. © 2018 Red Canary
atomic-red-team T1046.md - Atomic Test #4 - Port Scan using python MIT License. © 2018 Red Canary
atomic-red-team T1046.md ## Atomic Test #4 - Port Scan using python MIT License. © 2018 Red Canary
atomic-red-team T1046.md Scan ports to check for listening ports with python MIT License. © 2018 Red Canary
atomic-red-team T1046.md python #(unknown) -i #{host_ip} MIT License. © 2018 Red Canary
atomic-red-team T1046.md ##### Description: Check if python exists on the machine MIT License. © 2018 Red Canary
atomic-red-team T1046.md if (python –version) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1046.md echo “Python 3 must be installed manually” MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded. MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md 2. Using Python to establish a one-line HTTP server on victim system: MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md python -m SimpleHTTPServer 1337 MIT License. © 2018 Red Canary
atomic-red-team T1059.002.md Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they’re already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute Native APIs, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python.(Citation: Macro Malware Targets Macs)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1059.002.md Shell Script with AppleScript. The encoded python script will perform an HTTP GET request to 127.0.0.1:80 with a session cookie of “t3VhVOs/DyCcDTFzIKanRxkvk3I=”, unless ‘Little Snitch’ is installed, in which case it will just exit. MIT License. © 2018 Red Canary
atomic-red-team T1059.002.md osascript -e “do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings(‘ignore’);exec(base64.b64decode(‘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’));\" | python &"” MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md # T1059.006 - Python MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md <blockquote>Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md - Atomic Test #1 - Execute shell script via python’s command mode arguement MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md - Atomic Test #2 - Execute Python via scripts (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md - Atomic Test #3 - Execute Python via Python executables (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ## Atomic Test #1 - Execute shell script via python’s command mode arguement MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md Download and execute shell script and write to file then execute locally using Python -c (command mode) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md which_python=$(which python || which python3 || which python2) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ##### Description: Verify if python is in the environment variable path and attempt to import requests library. MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md which_python=$(which python || which python3 || which python2); $which_python -V MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ## Atomic Test #2 - Execute Python via scripts (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md Create Python file (.py) that downloads and executes shell script via executor arguments MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md | python_script_name | Python script name | Path | T1059.006.py| MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ##### Description: Requires Python MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ## Atomic Test #3 - Execute Python via Python executables (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md | python_script_name | Name of Python script name | Path | T1059.006.py| MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md | python_binary_name | Name of Python file to be compiled | Path | T1059.006.pyc| MIT License. © 2018 Red Canary
atomic-red-team T1140.md - Atomic Test #3 - Base64 decoding with Python MIT License. © 2018 Red Canary
atomic-red-team T1140.md ## Atomic Test #3 - Base64 decoding with Python MIT License. © 2018 Red Canary
atomic-red-team T1140.md Use Python to decode a base64-encoded text string and echo it to the console MIT License. © 2018 Red Canary
atomic-red-team T1140.md ##### Description: Python must be present MIT License. © 2018 Red Canary
atomic-red-team T1140.md echo "Please install Python 3" MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data. MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md - Atomic Test #1 - Compressing data using GZip in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md - Atomic Test #2 - Compressing data using bz2 in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md - Atomic Test #3 - Compressing data using zipfile in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md - Atomic Test #4 - Compressing data using tarfile in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ## Atomic Test #1 - Compressing data using GZip in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md Uses GZip from Python to compress files MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ##### Description: Requires Python MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md which_python=which python; $which_python -V MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ## Atomic Test #2 - Compressing data using bz2 in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md Uses bz2 from Python to compress files MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ## Atomic Test #3 - Compressing data using zipfile in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md Uses zipfile from Python to compress files MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ## Atomic Test #4 - Compressing data using tarfile in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md Uses tarfile from Python to compress files MIT License. © 2018 Red Canary
atomic-red-team T1574.006.md On Linux and macOS, hijacking dynamic linker variables may grant access to the victim process’s memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. Adversaries can also leverage Dynamic Linker Hijacking to export variables in a shell or set variables programmatically using higher level syntax such as Python’s os.environ. MIT License. © 2018 Red Canary
signature-base airbnb_binaryalert.yar description = "A tool for injecting arbitrary code into running Python processes." CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s3 = "A reverse Python connection payload." fullword ascii wide CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s4 = "pyrasite - inject code into a running python process" fullword ascii wide CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s10 = "Write out a reverse python connection payload with a custom port" fullword ascii wide CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s13 = "A reverse Python shell that behaves like Python interactive interpreter." fullword ascii wide CC BY-NC 4.0
signature-base airbnb_binaryalert.yar description = "creddump is a python tool to extract credentials and secrets from Windows registry hives." CC BY-NC 4.0
signature-base apt_backdoor_ssh_python.yar description = "Custome SSH backdoor based on python and paramiko - file server.py" CC BY-NC 4.0
signature-base apt_fvey_shadowbroker_jan17.yar $b1 = "Added Ops library to Python search path" fullword ascii CC BY-NC 4.0
signature-base apt_hafnium_log_sigs.yar $xr4 = /POST \/ecp\/[^\n]{100,600} (ExchangeServicesClient\/0.0.0.0|python-requests\/2.19.1|python-requests\/2.25.1)[^\n]{200,600} (200|301|302) / CC BY-NC 4.0
signature-base apt_nk_inkysquid.yar description = "Python Loader used to execute the BLUELIGHT malware family." CC BY-NC 4.0
signature-base apt_nk_inkysquid.yar $s5 = "python ended" ascii CC BY-NC 4.0
signature-base apt_op_wocao.yar description = "Strings from Python version of Agent" CC BY-NC 4.0
signature-base apt_op_wocao.yar description = "Piece of Base64 encoded data from Agent Python version" CC BY-NC 4.0
signature-base apt_op_wocao.yar description = "Strings from Python keylogger" CC BY-NC 4.0
signature-base apt_op_wocao.yar description = "Python getos utility" CC BY-NC 4.0
signature-base apt_sandworm_exim_expl.yar description = "Detects Sandworm Python loader" CC BY-NC 4.0
signature-base gen_fireeye_redteam_tools.yar description = "Detects FireEye's Python Redflar" CC BY-NC 4.0
signature-base gen_fireeye_redteam_tools.yar description = "Detects FireEye's Python MATRYOSHKA tool" CC BY-NC 4.0
signature-base gen_malware_MacOS_plist_suspicious.yar $p1 = "python" ascii CC BY-NC 4.0
signature-base gen_osx_evilosx.yar //strings present in decoded python script: CC BY-NC 4.0
signature-base gen_osx_pyagent_persistence.yar description = "Detects a Python agent that establishes persistence on macOS" CC BY-NC 4.0
signature-base gen_osx_pyagent_persistence.yar $h1 = "#!/usr/bin/env python" CC BY-NC 4.0
signature-base gen_python_encoded_adware.yar description = "Encoded Python payload for adware" CC BY-NC 4.0
signature-base gen_python_pty_shell.yar reference = "https://github.com/infodox/python-pty-shells/blob/master/tcp_pty_backconnect.py" CC BY-NC 4.0
signature-base gen_python_pyminifier_encoded_payload.yar description = "Detects python code encoded by pyminifier. Used by the Machete malware as researched by ESET" CC BY-NC 4.0
signature-base gen_python_reverse_shell.yara description = "Python Base64 encoded reverse shell" CC BY-NC 4.0
signature-base gen_rats_malwareconfig.yar description = "Detects Python RAT" CC BY-NC 4.0
signature-base gen_redsails.yar description = "Detects Red Sails Hacktool - Python" CC BY-NC 4.0
signature-base gen_susp_wer_files.yar $l3 = "AppPath=C:\Python" wide nocase CC BY-NC 4.0
signature-base gen_webshells.yar $pbs30 = "bot|spider|crawler|slurp|teoma|archive|track|snoopy|java|lwp|wget|curl|client|python|libwww" wide ascii CC BY-NC 4.0
signature-base thor-hacktools.yar description = "Detects malicious python shell" CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = "#Use: python wh_bindshell.py [port] [password]" CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = "python -c"import md5;x=md5.new('you_password');print x.hexdigest()"" fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = "# d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword CC BY-NC 4.0
signature-base thor-webshells.yar description = "Semi-Auto-generated - file cgi-python.py.txt" CC BY-NC 4.0
stockpile 0ab383be-b819-41bf-91b9-1bd4404d83bf.yml description: A Python agent which communicates via the HTML contact Apache-2.0
stockpile 0ab383be-b819-41bf-91b9-1bd4404d83bf.yml python ragdoll.py -W $server#{app.contact.html} Apache-2.0
stockpile b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml name: Check Python Apache-2.0
stockpile b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml description: Check to see what version of python is installed Apache-2.0
stockpile b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml python3 --version;python2 --version;python --version Apache-2.0
stockpile b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml python3 --version&python2 --version&python --version Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.