Date: 03/19/2025
Severity: Medium
Summary
Detects the creation of a Python path configuration file (.pth) in library directories. Such files can be abused for code execution and persistence: any module they reference is imported automatically at every Python startup (v3.5+), even if the running script never imports it. Default locations are \lib\site-packages\*.pth on Windows and /lib/pythonX.Y/site-packages/*.pth on Unix and macOS.
Indicators of Compromise (IOC) List
TargetFilename (path regex): (?i)\\(venv|python(.+)?)\\lib\\site-packages\\
TargetFilename (file extension): .pth
TargetFilename (named .pth files): \pywin32.pth, \distutils-precedence.pth
Image: \python.exe
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query (Windows Security, event 4663):
resourcename = "Windows Security" AND eventtype = "4663" and processname like "python.exe" and objectname like "(?i)\\(venv|python(.+)?)\\lib\\site-packages" and objectname like ".pth" and (objectname like "pywin32.pth" or objectname like "distutils-precedence.pth")

Detection Query (EDR):
technologygroup = "EDR" and processname like "python.exe" and objectname like "(?i)\\(venv|python(.+)?)\\lib\\site-packages" and objectname like ".pth" and (objectname like "pywin32.pth" or objectname like "distutils-precedence.pth")
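The following is an added example (not Gurucul's or the Sigma project's code) that applies the indicators above to constructed file-creation events and shows which lines of a .pth file Python actually executes at startup. It assumes that pywin32.pth and distutils-precedence.pth written by python.exe are treated as known-benign installer output, while any other .pth created under site-packages is alerted on.

```python
import re

# Path regex from the IOC list: a venv or pythonX.Y directory followed by lib\site-packages\
SITE_PACKAGES_RE = re.compile(r"(?i)\\(venv|python(.+)?)\\lib\\site-packages\\")
# Assumed allowlist: .pth files that legitimate installers drop into site-packages
BENIGN_PTH = {"pywin32.pth", "distutils-precedence.pth"}


def classify_event(target_filename: str, image: str) -> str:
    """Classify one file-creation event as 'alert', 'benign' or 'ignore'."""
    if not SITE_PACKAGES_RE.search(target_filename):
        return "ignore"                      # not under a site-packages directory
    if not target_filename.lower().endswith(".pth"):
        return "ignore"                      # not a path configuration file
    name = target_filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image.lower().endswith("\\python.exe") and name in BENIGN_PTH:
        return "benign"                      # assumed installer-generated file
    return "alert"


def executable_lines(pth_text: str) -> list[str]:
    """Return the lines of a .pth file that Python executes at startup.

    site.py runs only lines that begin with 'import' at column 0; comments,
    blank lines and indented lines are skipped or treated as plain path entries.
    """
    found = []
    for line in pth_text.splitlines():
        if line.startswith("#") or line.strip() == "":
            continue
        if line.startswith(("import ", "import\t")):
            found.append(line.rstrip())
    return found


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Run classify_event over a batch of events and return (verdict, path) pairs."""
    return [(classify_event(e["TargetFilename"], e["Image"]), e["TargetFilename"]) for e in events]


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"Image": r"C:\Python311\python.exe", "TargetFilename": r"C:\Python311\Lib\site-packages\pywin32.pth"},
    {"Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Users\u\venv\Lib\site-packages\zz.pth"},
    {"Image": r"C:\Python311\python.exe", "TargetFilename": r"C:\Python311\Lib\site-packages\requests\__init__.py"},
]

if __name__ == "__main__":
    for verdict, path in triage(SAMPLE_EVENTS):
        print(f"{verdict:6}  {path}")
```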
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/file/file_event/file_event_win_python_path_configuration_files.yml