Threat Hunt | medium | test

Python Path Configuration File Creation - Windows

Detects creation of a Python path configuration file (.pth) in a Python library folder, which can be abused for code execution and persistence. Any line in a .pth file that begins with "import" is executed by the interpreter's site module at every Python startup, regardless of whether the calling script imports that module; the remaining lines are simply appended to sys.path. Default locations are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).

Authors: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
Created: Thu Apr 25
Rule ID: e3652ba3-0ad8-4010-a957-b7ba369e7bac
Product: windows
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic
detection:
    selection:
        TargetFilename|re: '(?i)\\(venv|python(.+)?)\\lib\\site-packages\\' # Covers both Virtual envs and default paths
        TargetFilename|endswith: '.pth'
    filter_main_python:
        Image|endswith: '\python.exe'
        TargetFilename|endswith:
            - '\pywin32.pth' # VS Studio Python extension
            - '\distutils-precedence.pth'
    condition: selection and not 1 of filter_main_*
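To see how the selection, the filter and the condition combine, here is the same logic applied to a handful of constructed file-creation events. This is an added example for this page, not code from the rule's authors or from SigmaHQ; the events are made up (field names follow Sysmon Event ID 11), and the string comparisons are lowered because Sigma's string modifiers match case-insensitively.

```python
import re

# Constructed file-creation events in the shape the rule expects (Image, TargetFilename),
# e.g. Sysmon Event ID 11. These are made-up samples, not telemetry from a real host.
SAMPLE_EVENTS = [
    # setuptools dropping its shim during a normal install: selection hits, filter excludes
    {"Image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\python.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\Lib\site-packages\distutils-precedence.pth"},
    # unknown .pth written by PowerShell into the interpreter's site-packages: should match
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\Lib\site-packages\zzz_update.pth"},
    # pywin32.pth created by the venv's own python.exe: filtered out
    {"Image": r"C:\Users\alice\proj\venv\Scripts\python.exe",
     "TargetFilename": r"C:\Users\alice\proj\venv\Lib\site-packages\pywin32.pth"},
    # same file name, but written by cmd.exe: the filter requires python.exe, so this matches
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\proj\venv\Lib\site-packages\pywin32.pth"},
    # .pth outside any site-packages folder: selection does not hit
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.pth"},
]

# Same pattern as the rule's TargetFilename|re modifier. In the YAML the single-quoted
# value carries literal double backslashes, which the regex engine reads as one backslash.
SELECTION_RE = re.compile(r"(?i)\\(venv|python(.+)?)\\lib\\site-packages\\")

# Sigma string modifiers (endswith) compare case-insensitively, so inputs are lowered.
FILTER_NAMES = ("\\pywin32.pth", "\\distutils-precedence.pth")


def selection(event):
    """The rule's 'selection' block: a .pth file under a venv or python*\\lib\\site-packages path."""
    target = event.get("TargetFilename", "")
    return SELECTION_RE.search(target) is not None and target.lower().endswith(".pth")


def filter_main_python(event):
    """The rule's 'filter_main_python' block: both fields must match (AND within one map)."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith("\\python.exe") and target.endswith(FILTER_NAMES)


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_python(event)


def hunt(events):
    """Return the TargetFilename of every event the rule would surface."""
    return [e["TargetFilename"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("HIT", hit)
```

Two of the five samples surface: the unknown .pth written by PowerShell, and pywin32.pth written by cmd.exe. The latter shows why the filter keys on Image as well as file name: a well-known name written by something other than the interpreter is still worth a look.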
False Positives

Although .pth files are discouraged because of their security implications, they are legitimate files by specification, and package installers create them routinely (the filter above excludes two common ones, pywin32.pth and distutils-precedence.pth, when written by python.exe).
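Since most .pth files only add directories to sys.path, the quickest way to separate a benign hit from a suspicious one is to read the file the way site.py does and keep only the lines that execute. The following triage helper is an added example, not part of the rule or of CPython; the three .pth bodies are constructed (the distutils-precedence.pth text approximates what setuptools installs, the zzz_update.pth entry is invented for illustration), and the allow-list is an assumed local convention.

```python
# Constructed .pth contents for illustration; none of these were read from a real host.
SETUPTOOLS_SHIM_LINE = (
    "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; "
    "enabled = os.environ.get(var, 'local') == 'local'; "
    "enabled and __import__('_distutils_hack').add_shim(); "
)

PTH_SAMPLES = {
    # plain path entries only: nothing here can execute
    "easy-install.pth": "./mypkg-1.0-py3.11.egg\n/opt/shared/libs\n",
    # a legitimate import line that setuptools ships (approximation)
    "distutils-precedence.pth": SETUPTOOLS_SHIM_LINE + "\n",
    # made-up entry: a comment, a blank line, then an import line that runs a command
    "zzz_update.pth": "# looks like a comment\n\nimport os; os.system('whoami')\n",
}

# Assumed allow-list of import lines an organisation has reviewed and accepts.
KNOWN_IMPORT_LINES = {SETUPTOOLS_SHIM_LINE.rstrip()}


def classify_pth(text):
    """Split a .pth file into the lines site.py would exec() and the lines it treats as paths.

    CPython's site.py skips lines that start with '#' (no leading whitespace allowed) and
    blank lines, exec()s lines that start with 'import ' or 'import\\t', and appends every
    other line to sys.path. Only the 'executed' bucket can run code at interpreter startup.
    """
    executed, paths = [], []
    for line in text.splitlines():
        if line.startswith("#") or line.strip() == "":
            continue
        if line.startswith(("import ", "import\t")):
            executed.append(line.rstrip())
        else:
            paths.append(line.rstrip())
    return {"executed": executed, "paths": paths}


def triage(samples, known_import_lines=frozenset()):
    """Return the names of .pth files containing an executable line not in the allow-list."""
    suspicious = []
    for name, text in samples.items():
        for line in classify_pth(text)["executed"]:
            if line not in known_import_lines:
                suspicious.append(name)
                break
    return suspicious


if __name__ == "__main__":
    for name in triage(PTH_SAMPLES, KNOWN_IMPORT_LINES):
        print("REVIEW", name, classify_pth(PTH_SAMPLES[name])["executed"])
```

Without an allow-list both files that carry an import line are reported; with the setuptools line allowed, only zzz_update.pth remains. Matching on the exact line text rather than on the file name is deliberate: the filter in the rule trusts distutils-precedence.pth by name, but an attacker can reuse that name, so the content check is what closes the gap.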

MITRE ATT&CK

Tactic: Execution (attack.execution)
Sub-technique: T1059.006 Command and Scripting Interpreter: Python (attack.t1059.006)

Other

detection.threat-hunting
Rule Metadata
Rule ID
e3652ba3-0ad8-4010-a957-b7ba369e7bac
Status
test
Level
medium
Type
Threat Hunt
Created
Thu Apr 25
Path
rules-threat-hunting/windows/file/file_event/file_event_win_python_path_configuration_files.yml
Raw Tags
attack.execution, attack.t1059.006, detection.threat-hunting