An In-memory Embedding of CPython for Offensive Use

TL;DR

This paper presents an in-memory embedding of CPython that enables loading and executing Python scripts entirely in memory, aiding security researchers and Red Teams in developing undetectable offensive tools.

Contribution

It introduces a novel in-memory CPython embedding that allows execution of Python scripts without disk access, enhancing offensive capabilities and detection evasion.

Findings

Used in production for over a year

Enables rapid malware prototyping

Difficult for security products to detect

Abstract

We offer an embedding of CPython that runs entirely in memory without "touching" the disk. This in-memory embedding can load Python scripts directly from memory instead these scripts having to be loaded from files on disk. Malware that resides only in memory is harder to detect or mitigate against. We intend for our work to be used by security researchers to rapidly develop and deploy offensive techniques that is difficult for security products to analyze given these instructions are in bytecode and only translated to machine-code by the interpreter immediately prior to execution. Our work helps security researchers and enterprise Red Teams who play offense. Red Teams want to rapidly prototype malware for their periodic campaigns and do not want their malware to be detected by the Incident Response (IR) teams prior to accomplishing objectives. Red Teams also have difficulty running malware in production from files on disk as modern enterprise security products emulate, inspect, or quarantine such executables given these files have no reputation. Our work also helps enterprise Hunt and IR teams by making them aware of the viability of this type of attack. Our approach has been in use in production for over a year and meets our customers' needs to quickly emulate threat-actors' tasks, techniques, and procedures (TTPs).