EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Python Path Configuration File Creation - Linux

Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).

MITRE ATT&CK

T1059.006
execution

Detection Query

selection:
  TargetFilename|re: (?i)/lib/python3\.([5-9]|[0-9]{2})/site-packages/
  TargetFilename|endswith: .pth
condition: selection

Author

Andreas Braathen (mnemonic.io)

Created

2024-04-25

Data Sources

linuxFile Events

Platforms

linux

References

Tags

attack.executionattack.t1059.006detection.threat-hunting
Raw Content
title: Python Path Configuration File Creation - Linux
id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce
related:
    - id: e3652ba3-0ad8-4010-a957-b7ba369e7bac # Windows
      type: similar
    - id: 4f394635-13ef-4599-b677-3353e0f84f55 # MacOS
      type: similar
status: test
description: |
    Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
    Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
    Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
references:
    - https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
    - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
    - https://docs.python.org/3/library/site.html
author: Andreas Braathen (mnemonic.io)
date: 2024-04-25
tags:
    - attack.execution
    - attack.t1059.006
    - detection.threat-hunting
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|re: '(?i)/lib/python3\.([5-9]|[0-9]{2})/site-packages/' # Unix and macOS
        TargetFilename|endswith: '.pth'
    condition: selection
falsepositives:
    - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
level: medium