Python Path Configuration File Creation - Windows

title: Python Path Configuration File Creation - Windows
id: e3652ba3-0ad8-4010-a957-b7ba369e7bac
related:
    - id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce # Linux
      type: similar
    - id: 4f394635-13ef-4599-b677-3353e0f84f55 # MacOS
      type: similar
status: test
description: |
    Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
    Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
    Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
references:
    - https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
    - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
    - https://docs.python.org/3/library/site.html
author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-25
tags:
    - attack.execution
    - attack.t1059.006
    - detection.threat-hunting
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|re: '(?i)\\(venv|python(.+)?)\\lib\\site-packages\\' # Covers both Virtual envs and default paths
        TargetFilename|endswith: '.pth'
    filter_main_python:
        Image|endswith: '\python.exe'
        TargetFilename|endswith:
            - '\pywin32.pth' # VS Studio Python extension
            - '\distutils-precedence.pth'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
level: medium