{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pth/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Python"],"_cs_severities":["medium"],"_cs_tags":["persistence","python","linux","pth","file_creation"],"_cs_type":"advisory","_cs_vendors":["Python"],"content_html":"\u003cp\u003eAttackers can exploit Python's .pth file mechanism to achieve persistence on Linux systems. These files, placed in standard Python library directories, automatically execute arbitrary Python code when the interpreter starts. This technique allows for stealthy and persistent execution, bypassing traditional startup scripts or scheduled tasks. The Elastic detection rule identifies unauthorized creation of .pth files, excluding legitimate package managers and known benign processes. Volexity reported on CVE-2024-3400 which exploited this persistence technique in April 2024. This is relevant for defenders as it highlights a method for attackers to maintain access and execute malicious code within compromised environments, even after system reboots or updates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Linux system through an exploit (e.g., CVE-2024-3400) or compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): The attacker may escalate privileges to gain write access to system-wide Python package directories like \u003ccode\u003e/usr/lib/python*/site-packages/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMalicious .pth Creation: The attacker creates a .pth file (e.g., \u003ccode\u003eevil.pth\u003c/code\u003e) within a Python package directory.\u003c/li\u003e\n\u003cli\u003ePayload Injection: The .pth file contains a path to a malicious Python script or directly includes Python code to execute. This code may download and execute a secondary payload, establish a reverse shell, or perform other malicious actions.\u003c/li\u003e\n\u003cli\u003eInterpreter Startup: When Python interpreter starts, it automatically executes the code specified in the .pth file.\u003c/li\u003e\n\u003cli\u003ePersistent Execution: The malicious code executes every time Python interpreter is invoked, ensuring the attacker maintains persistent access to the system.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker may obfuscate the code within the .pth file or the linked script to evade detection.\u003c/li\u003e\n\u003cli\u003eGoal: The attacker maintains persistent access to the compromised system for lateral movement, data exfiltration, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised Linux systems. The impact ranges from data theft and system disruption to complete system compromise. While no specific victim count is available, this technique can affect any organization relying on Python applications. The stealthy nature of .pth file-based persistence makes it difficult to detect, potentially leading to prolonged periods of undetected malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious .pth file creation events in Python package directories.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to collect file creation events necessary for the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview and customize the exclusion list in the Sigma rule to account for legitimate package managers and automation processes within your environment.\u003c/li\u003e\n\u003cli\u003eMonitor system logs for unusual Python interpreter activity following .pth file creation events.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the .pth file creation and the code it executes.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on Python package directories to detect unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-python-pth-persistence/","summary":"Attackers can establish persistence on Linux systems by creating malicious .pth files in Python package directories, causing arbitrary code execution on interpreter startup.","title":"Python .pth File Creation for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-07-python-pth-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed - Pth","version":"https://jsonfeed.org/version/1.1"}