Forget compiling payloads and operating on disk — this post demonstrates the use of Python’s portable interpreter for in-memory malware deployment, even when the language isn’t installed on the host.

Why Python?

Python is a well-known language with countless legitimate uses inside an organization. Through Python's portable ("embeddable") package, we can download a single .zip file and gain access to the python.exe interpreter without any installation on the user's side.

Additionally, python.exe is a signed binary with a high reputation score, making it unlikely to be blocked. This makes it a convenient vehicle for executing a C2 beacon, or another payload, during offensive security engagements.

Proof of Concept

The following video demonstrates PowerShell being used to download and extract a portable Python interpreter. Once on disk, a download cradle is used to retrieve the payload and execute a meterpreter shell in memory — bypassing the latest version of Windows Defender and other endpoint security solutions:

Payload source, PowerShell commands, and Python download cradle are available at github.com/m8sec/OffsecDev
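From the defender's side, the two observable steps of this technique are the scripting host fetching the embeddable package and a python.exe later running from wherever that .zip was extracted rather than from an installed location. The following triage heuristic is an added example, not code from the post or from the OffsecDev repository: it scores constructed process-creation events (field names loosely follow Sysmon Event ID 1) and returns a verdict with the reasons behind it. The install-directory list, the user-writable-directory list and the sample events are assumptions made for the example; the signature status of the binary is deliberately not used, because the post notes that python.exe is legitimately signed.

```python
"""Added example: triage process-creation telemetry for python.exe launched from an
ad-hoc embeddable interpreter. Sample events and path lists are constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the started executable
    command_line: str
    parent_image: str   # full path of the parent process


# Where an installed python.exe normally lives (assumed list; extend for your estate).
KNOWN_INSTALL_DIRS = (
    r"c:\program files\python",
    r"c:\program files (x86)\python",
    r"\appdata\local\programs\python\,",
    r"c:\python",
)
# User-writable locations where an extracted embeddable package tends to land (assumed).
USER_WRITABLE_DIRS = (
    r"\appdata\local\temp\,",
    r"\downloads\,",
    r"c:\users\public\,",
    r"c:\programdata\,",
)
# File name pattern of the official embeddable package, e.g. python-3.11.4-embed-amd64.zip.
EMBED_ZIP_RE = re.compile(r"python-\d+\.\d+(?:\.\d+)?-embed-(?:amd64|win32|arm64)\.zip")
# Scripting hosts that commonly act as the download/extract stage.
SHELLS = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\wscript.exe", "\\cscript.exe")


def classify(ev: ProcessEvent) -> dict:
    """Return {"verdict": ok|review|alert, "reasons": [...]} for one event."""
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    parent = ev.parent_image.lower()
    reasons = []

    if image.endswith(("\\python.exe", "\\pythonw.exe")):
        if not any(d.rstrip(",") in image for d in KNOWN_INSTALL_DIRS):
            reasons.append("interpreter outside known install directories")
        if any(d.rstrip(",") in image for d in USER_WRITABLE_DIRS):
            reasons.append("interpreter in user-writable directory")
        if parent.endswith(SHELLS):
            reasons.append("spawned by a scripting host")
        if re.search(r"\s-c\s", cmd):
            reasons.append("inline code passed on the command line, no script file")

    if image.endswith(SHELLS) and EMBED_ZIP_RE.search(cmd):
        reasons.append("scripting host references embeddable Python package")

    verdict = "alert" if len(reasons) >= 2 else "review" if reasons else "ok"
    return {"verdict": verdict, "reasons": reasons}


def triage(events):
    """Classify a batch of events; returns (image, verdict) pairs."""
    return [(e.image, classify(e)["verdict"]) for e in events]


# Constructed sample telemetry: a normal developer run, an extracted interpreter
# under %TEMP% started by PowerShell, and PowerShell fetching the embeddable zip.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Python311\python.exe",
                 "python.exe build.py",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
                 'python.exe -c "import sys"',
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -c Invoke-WebRequest https://example.invalid/python-3.11.4-embed-amd64.zip -OutFile $env:TEMP\py.zip",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = classify(ev)
        print(f"{result['verdict']:6} {ev.image}")
        for r in result["reasons"]:
            print(f"       - {r}")
```

The path lists are deliberately written as lowercase substrings so that a single `in` check covers both per-user and machine-wide locations; in production you would source the known-install list from software inventory and correlate the "review" hit on the download with the later "alert" on execution by user and host, since either event alone has benign explanations.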

Additional Resources

For more information on this technique, and potential areas of detection, check out Diego Capriotti's Pyramid project or his DEF CON Adversary Village talk, "Python vs Modern Defenses".
