diff --git a/rules/linux/persistence_pth_file_creation.toml b/rules/linux/persistence_pth_file_creation.toml
index 8492cf01914..24520fbaffa 100644
--- a/rules/linux/persistence_pth_file_creation.toml
+++ b/rules/linux/persistence_pth_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -56,6 +56,7 @@ Python Path Files (.pth) are used to automatically execute code when the Python
 references = [
 "https://dfir.ch/posts/publish_python_pth_extension/",
 "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/",
+ "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/"
 ]
 risk_score = 21
 rule_id = "7f65f984-5642-4291-a0a0-2bbefce4c617"
@@ -108,19 +109,16 @@ file.path like (
 "/opt/*/lib/python*/site-packages/*"
 ) and process.executable != null and not (
 process.executable in (
- "/usr/local/bin/pip2", "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/local/bin/pip3",
- "/usr/bin/pip3", "/usr/local/bin/pip", "/usr/bin/pip", "/usr/bin/podman", "/usr/local/bin/poetry",
- "/usr/bin/poetry", "/usr/bin/pamac-daemon", "/opt/venv/bin/pip", "/usr/bin/dnf", "./venv/bin/pip",
- "/usr/bin/dnf5", "/bin/dnf5", "/bin/pip", "/bin/podman", "./usr/bin/podman", "/kaniko/executor", "/dev/fd/3",
- "/opt/SolarWinds/Agent/bin/Plugins/Discovery/SolarWinds.Agent.Discovery.Plugin", "/usr/bin/crio",
+ "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/bin/podman", "/usr/bin/pamac-daemon",
+ "/usr/bin/dnf", "/usr/bin/dnf5", "/bin/dnf5", "/bin/podman", "./usr/bin/podman", "/kaniko/executor",
+ "/dev/fd/3", "/opt/SolarWinds/Agent/bin/Plugins/Discovery/SolarWinds.Agent.Discovery.Plugin", "/usr/bin/crio",
 "/opt/splunk/bin/splunkd", "/opt/Tanium/TaniumClient/TaniumCX"
 ) or
 process.executable like (
- "/usr/bin/python*", "/usr/local/bin/python*", "/opt/venv/bin/python*",
 "/nix/store/*libexec/docker/dockerd", "/snap/docker/*dockerd"
 ) or
 (
- process.name like ("python*", "platform-python*", "conda", "virtualenv", "cp", "pip*", "uv") and
+ process.name like ("platform-python*", "cp", "uv") and
 file.name in ("distutils-precedence.pth", "_virtualenv.pth")
 )
 )
diff --git a/rules/linux/persistence_site_and_user_customize_file_creation.toml b/rules/linux/persistence_site_and_user_customize_file_creation.toml
index d0ae0b7eb1f..90139b40463 100644
--- a/rules/linux/persistence_site_and_user_customize_file_creation.toml
+++ b/rules/linux/persistence_site_and_user_customize_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
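Review bot: The narrowed `process.name like ("platform-python*", "cp", "uv")` clause on the last `+` line drops `python*`, `pip*` and `virtualenv`, so routine writes of `distutils-precedence.pth` by pip-driven setuptools installs and of `_virtualenv.pth` by virtualenv now alert, on top of the pip/poetry/python executables removed above; this reads as intended given the new litellm reference, but the commit does not update the rule's false-positive guidance to say so. Add the expected noise to the rule's `false_positives` list or its `note`, e.g. `"Package installers such as pip, poetry and virtualenv write .pth files on every install; triage on the package origin and the .pth contents rather than on the installer."`, or keep the installers excluded only under the file.name-scoped clause, which is narrower than the blanket executable paths that were removed. `/dev/fd/3` remains in the exact-match exclusion list; a process.executable under `/dev/fd/` typically indicates an image executed from a file descriptor rather than from a path on disk, so if it is there for a specific tool a comment in the query naming that tool would keep it from being read as a blanket carve-out. The enclosing query string and the first `file.path like (` list start before this hunk. The same trimming in `persistence_site_and_user_customize_file_creation.toml` also drops `/usr/local/bin/dockerd` while `/usr/bin/dockerd` and `/usr/sbin/dockerd` stay, which is outside the stated scope of the change and may reintroduce the dockerd noise that entry was suppressing.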
@@ -104,16 +104,11 @@ file.path like (
 "/home/*/.config/python/usercustomize.py"
 ) and not (
 process.executable in (
- "/usr/local/bin/pip2", "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/local/bin/pip3",
- "/usr/bin/pip3", "/usr/local/bin/pip", "/usr/bin/pip", "/usr/bin/podman", "/usr/local/bin/poetry",
- "/usr/bin/poetry", "/usr/bin/pamac-daemon", "./venv/bin/pip", "./usr/bin/podman",
- "/opt/miniforge3/bin/mamba", "/usr/sbin/dockerd", "/opt/conda/_conda", "/kaniko/executor",
- "/usr/local/bin/dockerd", "/usr/bin/crio", "/usr/lib/systemd/systemd-executor"
+ "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/bin/podman", "/usr/bin/pamac-daemon",
+ "./usr/bin/podman", "/opt/miniforge3/bin/mamba", "/usr/sbin/dockerd", "/opt/conda/_conda", "/kaniko/executor",
+ "/usr/bin/crio", "/usr/lib/systemd/systemd-executor"
 ) or
- process.executable like~ (
- "/usr/bin/python*", "/usr/local/bin/python*", "/opt/venv/bin/python*",
- "/nix/store/*libexec/docker/dockerd", "/snap/docker/*dockerd"
- )
+ process.executable like~ ("/nix/store/*libexec/docker/dockerd", "/snap/docker/*dockerd")
 )
 '''