From 0e523c01d9fe6139af8be56c8b80e2cc2b7313f6 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Tue, 24 Mar 2026 16:24:45 +0100
Subject: [PATCH 1/4] [Rule Tuning] Python Path File (pth) Creation
---
 rules/linux/persistence_pth_file_creation.toml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/rules/linux/persistence_pth_file_creation.toml b/rules/linux/persistence_pth_file_creation.toml
index 8492cf01914..5b51b914850 100644
--- a/rules/linux/persistence_pth_file_creation.toml
+++ b/rules/linux/persistence_pth_file_creation.toml
@@ -108,19 +108,16 @@ file.path like (
 "/opt/*/lib/python*/site-packages/*"
 ) and process.executable != null and not (
 process.executable in (
- "/usr/local/bin/pip2", "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/local/bin/pip3",
- "/usr/bin/pip3", "/usr/local/bin/pip", "/usr/bin/pip", "/usr/bin/podman", "/usr/local/bin/poetry",
- "/usr/bin/poetry", "/usr/bin/pamac-daemon", "/opt/venv/bin/pip", "/usr/bin/dnf", "./venv/bin/pip",
- "/usr/bin/dnf5", "/bin/dnf5", "/bin/pip", "/bin/podman", "./usr/bin/podman", "/kaniko/executor", "/dev/fd/3",
- "/opt/SolarWinds/Agent/bin/Plugins/Discovery/SolarWinds.Agent.Discovery.Plugin", "/usr/bin/crio",
+ "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/bin/podman", "/usr/bin/pamac-daemon",
+ "/usr/bin/dnf", "/usr/bin/dnf5", "/bin/dnf5", "/bin/podman", "./usr/bin/podman", "/kaniko/executor",
+ "/dev/fd/3", "/opt/SolarWinds/Agent/bin/Plugins/Discovery/SolarWinds.Agent.Discovery.Plugin", "/usr/bin/crio",
 "/opt/splunk/bin/splunkd", "/opt/Tanium/TaniumClient/TaniumCX"
 ) or
 process.executable like (
- "/usr/bin/python*", "/usr/local/bin/python*", "/opt/venv/bin/python*",
 "/nix/store/*libexec/docker/dockerd", "/snap/docker/*dockerd"
 ) or (
- process.name like ("python*", "platform-python*", "conda", "virtualenv", "cp", "pip*", "uv") and
+ process.name like ("platform-python*", "cp", "uv") and
 file.name in ("distutils-precedence.pth", "_virtualenv.pth")
 )
 )
From 686cdad0f1d40b2ed486f3c7cf7a2fd41c7aa1d0 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Tue, 24 Mar 2026 16:25:00 +0100
Subject: [PATCH 2/4] ++
---
 rules/linux/persistence_pth_file_creation.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/persistence_pth_file_creation.toml b/rules/linux/persistence_pth_file_creation.toml
index 5b51b914850..c104d4f5ea0 100644
--- a/rules/linux/persistence_pth_file_creation.toml
+++ b/rules/linux/persistence_pth_file_creation.toml
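Review bot: The rebuilt allowlist on the `+` lines of this hunk still carries two entries that are not pinned to a specific on-disk binary: `"./usr/bin/podman"` is a relative path, so it matches any process started through that path from whatever working directory the launcher chose, and `"/dev/fd/3"` is a descriptor path rather than an installed executable, so the exclusion is not tied to any particular program. Since the rule's other exclusions are absolute package-manager and agent paths, consider scoping these two with a parent-process condition such as `process.executable == "/dev/fd/3" and process.parent.executable == "<parent confirmed from telemetry>"`, or dropping them if the telemetry that motivated them can no longer be found. The same `"./usr/bin/podman"` entry is kept by the second hunk of [PATCH 4/4] in persistence_site_and_user_customize_file_creation.toml. The rationale for removing the pip/poetry/python exclusions (presumably the PyPI supply-chain case referenced in [PATCH 3/4]) is not recorded in the rule; adding it to the rule's `false_positives` list or `note` field would tell the next tuner that alerts from legitimate package installs are now expected.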
@@ -2,7 +2,7 @@
 creation_date = "2025/02/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
From ca4c7227c2fb1fa44248138c153991f703167de0 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Tue, 24 Mar 2026 16:25:28 +0100
Subject: [PATCH 3/4] ++
---
 rules/linux/persistence_pth_file_creation.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/linux/persistence_pth_file_creation.toml b/rules/linux/persistence_pth_file_creation.toml
index c104d4f5ea0..24520fbaffa 100644
--- a/rules/linux/persistence_pth_file_creation.toml
+++ b/rules/linux/persistence_pth_file_creation.toml
@@ -56,6 +56,7 @@ Python Path Files (.pth) are used to automatically execute code when the Python
 references = [
 "https://dfir.ch/posts/publish_python_pth_extension/",
 "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/",
+ "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/"
 ]
 risk_score = 21
 rule_id = "7f65f984-5642-4291-a0a0-2bbefce4c617"
From aa6b36eb3a9a4511d15fff5cd6b541b55a3fc759 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Tue, 24 Mar 2026 16:27:19 +0100
Subject: [PATCH 4/4] ++
---
 ...nce_site_and_user_customize_file_creation.toml | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/rules/linux/persistence_site_and_user_customize_file_creation.toml b/rules/linux/persistence_site_and_user_customize_file_creation.toml
index d0ae0b7eb1f..90139b40463 100644
--- a/rules/linux/persistence_site_and_user_customize_file_creation.toml
+++ b/rules/linux/persistence_site_and_user_customize_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -104,16 +104,11 @@ file.path like (
 "/home/*/.config/python/usercustomize.py"
 ) and not (
 process.executable in (
- "/usr/local/bin/pip2", "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/local/bin/pip3",
- "/usr/bin/pip3", "/usr/local/bin/pip", "/usr/bin/pip", "/usr/bin/podman", "/usr/local/bin/poetry",
- "/usr/bin/poetry", "/usr/bin/pamac-daemon", "./venv/bin/pip", "./usr/bin/podman",
- "/opt/miniforge3/bin/mamba", "/usr/sbin/dockerd", "/opt/conda/_conda", "/kaniko/executor",
- "/usr/local/bin/dockerd", "/usr/bin/crio", "/usr/lib/systemd/systemd-executor"
+ "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/bin/podman", "/usr/bin/pamac-daemon",
+ "./usr/bin/podman", "/opt/miniforge3/bin/mamba", "/usr/sbin/dockerd", "/opt/conda/_conda", "/kaniko/executor",
+ "/usr/bin/crio", "/usr/lib/systemd/systemd-executor"
 ) or
- process.executable like~ (
- "/usr/bin/python*", "/usr/local/bin/python*", "/opt/venv/bin/python*",
- "/nix/store/*libexec/docker/dockerd", "/snap/docker/*dockerd"
- )
+ process.executable like~ ("/nix/store/*libexec/docker/dockerd", "/snap/docker/*dockerd")
 )
 '''