[Rule Tuning] ROT Encoded Python Script Execution - alerts about Python itself #5259

@richlv

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

Rule "ROT Encoded Python Script Execution" alerts about the Python installation itself.

Alert seems to have little useful info - python.exe executable being signed does not seem to tell much about the encoded script.

Process heritage (four processes, outermost first):

Command line: "python-3.13.9-amd64.exe" /quiet InstallAllUsers=1 /log C:\ProgramData\PatchMyPCInstallLogs\python-3.13.9-amd64.exe.log
Image file path: c:\windows\imecache\1c106c84-5bc8-49bd-8126-07ea6d9a3641_1\python-3.13.9-amd64.exe
Image file SHA1: 457423115c4598c90550fbf8736bdace03213524
Image file SHA256: 200ddff856bbff949d2cc1be42e8807c07538abd6b6966d5113a094cf628c5c5
Execution details: Token elevation: Standard, Integrity level: System
Signer: Python Software Foundation
Issuer: Microsoft ID Verified CS AOC CA 01

Command line: "python-3.13.9-amd64.exe" -burn.clean.room="C:\WINDOWS\IMECache\1c106c84-5bc8-49bd-8126-07ea6d9a3641_1\python-3.13.9-amd64.exe" -burn.filehandle.attached=808 -burn.filehandle.self=812 /quiet InstallAllUsers=1 /log C:\ProgramData\PatchMyPCInstallLogs\python-3.13.9-amd64.exe.log
Image file path: C:\Windows\Temp\{F3AB8821-5E64-4BB3-851A-F766B13E0BDE}\.cr\python-3.13.9-amd64.exe
Image file SHA1: 199d965432371877db358a89ff35ba35ecb528ed
Image file SHA256: 43c7b970d2c1954165d0d91bd9de6ed892f6c37b7b4e53a340d68e5525525a4c
Execution details: Token elevation: Standard, Integrity level: System
Signer: Python Software Foundation
Issuer: Microsoft ID Verified CS AOC CA 01

Command line: "python-3.13.9-amd64.exe" -q -burn.elevated BurnPipe.{42CBB6C4-469B-4F98-9884-C445382AF9C7} {1C7B0FFF-F890-44AA-92C6-08741942B332} 8944
Image file path: c:\windows\temp\{e10db5b9-296c-43f2-9abd-5ed7c8fce9ef}\.be\python-3.13.9-amd64.exe
Image file SHA1: 199d965432371877db358a89ff35ba35ecb528ed
Image file SHA256: 43c7b970d2c1954165d0d91bd9de6ed892f6c37b7b4e53a340d68e5525525a4c
Execution details: Token elevation: Standard, Integrity level: System
Signer: Python Software Foundation
Issuer: Microsoft ID Verified CS AOC CA 01

Command line: "py.exe" -3.13 -OO -E -s -Wi "C:\Program Files\Python313\\Lib\compileall.py" -f -x "bad_coding|badsyntax|site-packages|py2_|venv\\scripts" "C:\Program Files\Python313\\Lib"
Image file path: C:\ProgramData\Package Cache\C6098AB297AE3B85025D5A6D352D9ABB29743AD3\py.exe
Image file SHA1: c6098ab297ae3b85025d5a6d352d9abb29743ad3
Image file SHA256: d3915ec08f77eaf9f641d627d893460423dd6b0e417b7bc11adfa8daec94b054
Execution details: Token elevation: Standard, Integrity level: System
Signer: Python Software Foundation
Issuer: Microsoft ID Verified CS AOC CA 01

Example Data

No response
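As an added example (not part of the issue or of the detection-rules project), a small Python harness that replays the posted process events against a hypothetical, narrow exclusion for the official installer. The event field names, the `is_python_installer_activity` predicate and the suspicious sample event are assumptions; the rule's real query lives only in the linked TOML and is not reproduced here. The point it shows is the one raised above: the interpreter installed by this package is PSF-signed too, so the exclusion has to key on the installer's command line, not on the signer.

```python
import re

# Sample process events constructed from the process heritage posted in this issue.
PAGE_EVENTS = [
    {"name": "python-3.13.9-amd64.exe", "signer": "Python Software Foundation",
     "cmd": r'"python-3.13.9-amd64.exe" /quiet InstallAllUsers=1 /log C:\ProgramData\PatchMyPCInstallLogs\python-3.13.9-amd64.exe.log'},
    {"name": "python-3.13.9-amd64.exe", "signer": "Python Software Foundation",
     "cmd": r'"python-3.13.9-amd64.exe" -q -burn.elevated BurnPipe.{42CBB6C4-469B-4F98-9884-C445382AF9C7} {1C7B0FFF-F890-44AA-92C6-08741942B332} 8944'},
    {"name": "py.exe", "signer": "Python Software Foundation",
     "cmd": r'"py.exe" -3.13 -OO -E -s -Wi "C:\Program Files\Python313\\Lib\compileall.py" -f -x "bad_coding|badsyntax|site-packages|py2_|venv\\scripts" "C:\Program Files\Python313\\Lib"'},
]

# Constructed event of the kind the rule exists to flag. The interpreter that the
# installer drops is signed by the same publisher, so signer alone must not exclude it.
CONSTRUCTED_SUSPICIOUS = {
    "name": "python.exe", "signer": "Python Software Foundation",
    "cmd": 'python.exe -c "import codecs; exec(codecs.decode(\'<rot13 text>\', \'rot13\'))"',
}

# Official installer bootstrapper file name (assumed pattern).
INSTALLER_NAME = re.compile(r"^python-\d+\.\d+\.\d+-(amd64|arm64|win32)\.exe$", re.I)


def is_python_installer_activity(ev):
    """Hypothetical exclusion (assumption, not the rule's own logic): the PSF-signed
    installer bootstrapper itself, or the py.exe post-install step that byte-compiles
    the standard library with compileall.py from the installation directory."""
    if ev["signer"] != "Python Software Foundation":
        return False
    if INSTALLER_NAME.match(ev["name"]):
        return True
    # The posted command line carries doubled backslashes; normalise before matching.
    cmd = ev["cmd"].replace("\\\\", "\\").lower()
    return ev["name"].lower() == "py.exe" and r"\lib\compileall.py" in cmd


def remaining_alerts(events):
    """Events that would still alert once the exclusion is applied."""
    return [ev for ev in events if not is_python_installer_activity(ev)]
```

Running `remaining_alerts(PAGE_EVENTS + [CONSTRUCTED_SUSPICIOUS])` drops the three installer events and keeps the ROT13 one, which is the behaviour a tuning PR should demonstrate.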
