title: Python Py2Exe Image Load
id: cbb56d62-4060-40f7-9466-d8aaf3123f83
description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
status: experimental
date: 2020/05/03
modified: 2021/05/12
author: Patrick St. John, OTR (Open Threat Research)
tags:
  - attack.defense_evasion
  - attack.t1027.002
references:
  - https://www.py2exe.org/
  - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
logsource:
  product: windows
  category: image_load
detection:
  selection:
    Description: 'Python Core'
  condition: selection
fields:
  - Description
falsepositives:
  - Legit Py2Exe Binaries
level: medium