Forget compiling payloads and operating on disk — this post demonstrates the use of Python’s portable interpreter for in-memory malware deployment, even when the language isn’t installed on the host.

Why Python?

Python is a well-known language with countless legitimate uses inside an organization. Through Python's portable (embedded) package, a single .zip file can be downloaded to obtain the python.exe interpreter with no installation required on the host.

Additionally, python.exe is a signed binary with a high reputation score, making it unlikely to be blocked. This provides a perfect vehicle for executing a C2 beacon, or another payload, during offensive security engagements.

Proof of Concept

The following video demonstrates PowerShell being used to download and extract a portable Python interpreter. Once on disk, a download cradle is used to retrieve the payload and execute a meterpreter shell in memory — bypassing the latest version of Windows Defender and other endpoint security solutions:

Payload source, PowerShell commands, and Python download cradle are available at
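The detection side of the proof of concept above, as an added example that is not part of the original post: the interpreter is legitimately signed, so the useful signals are where python.exe runs from and what launched it. The script scores constructed Sysmon-style process-creation events (the paths, parent images and command lines are sample data, not from the post) and flags an interpreter that runs from a user-writable, non-install directory, was spawned by a script host such as PowerShell, or receives its code inline with `-c`. The per-user python.org install location and the Store install under WindowsApps are allowlisted because they also sit under AppData and would otherwise be a steady source of false positives.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not from the post).
SAMPLE_EVENTS = [
    {   # portable interpreter dropped in %TEMP% and driven by PowerShell
        "image": r"C:\Users\alice\AppData\Local\Temp\python-embed\python.exe",
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'python.exe -c "import urllib.request"',
    },
    {   # system-wide install launched from an IDE: benign
        "image": r"C:\Program Files\Python311\python.exe",
        "parent_image": r"C:\Program Files\JetBrains\PyCharm\bin\pycharm64.exe",
        "command_line": r'"C:\Program Files\Python311\python.exe" app.py',
    },
    {   # per-user python.org install: under AppData, but a normal install location
        "image": r"C:\Users\bob\AppData\Local\Programs\Python\Python311\python.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r"python.exe script.py",
    },
]

# Roots an unprivileged user can write to (assumed list; extend for your estate).
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)
# Known-good interpreter locations that also live under a user-writable root.
KNOWN_INSTALL = re.compile(
    r"\\AppData\\Local\\(Programs\\Python|Microsoft\\WindowsApps)\\", re.IGNORECASE
)
# Parents that indicate a script or download cradle rather than an application.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Code handed to the interpreter on the command line instead of a file on disk.
INLINE_CODE = re.compile(r"(^|\s)-c(\s|$)")


def basename(path):
    """Last path component, lower-cased, for Windows paths."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return the reasons a process-creation event looks like a dropped portable interpreter."""
    reasons = []
    if basename(event["image"]) != "python.exe":
        return reasons
    image = event["image"]
    if USER_WRITABLE.match(image) and not KNOWN_INSTALL.search(image):
        reasons.append("interpreter running from a user-writable, non-install path")
    if basename(event["parent_image"]) in SCRIPT_HOSTS:
        reasons.append("spawned by a script host")
    if INLINE_CODE.search(event["command_line"]):
        reasons.append("code passed inline with -c")
    return reasons


def find_suspicious(events, min_reasons=2):
    """Events that accumulate at least min_reasons signals, with their reasons."""
    flagged = []
    for event in events:
        reasons = score_event(event)
        if len(reasons) >= min_reasons:
            flagged.append((event["image"], reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in find_suspicious(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Requiring two signals before alerting keeps a developer who runs `python -c` from a terminal out of the queue while still catching the combination the post describes: a freshly extracted interpreter under %TEMP% with a PowerShell parent. Pair it with a file-creation rule for a .zip containing python.exe landing in the same directories if you want to catch the download step as well.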

Additional Resources

For more information on this technique, and potential areas of detection, check out Diego Capriotti's Pyramid project or his DEF CON Adversary Village talk, Python vs Modern Defenses!
