<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pth - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/pth/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jul 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/pth/feed.xml" rel="self" type="application/rss+xml"/><item><title>Python .pth File Creation for Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-07-python-pth-persistence/</link><pubDate>Wed, 03 Jul 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-python-pth-persistence/</guid><description>Attackers can establish persistence on Linux systems by creating malicious .pth files in Python package directories, causing arbitrary code execution on interpreter startup.</description><content:encoded><![CDATA[<p>Attackers can exploit Python's .pth file mechanism to achieve persistence on Linux systems. These files, placed in standard Python library directories, automatically execute arbitrary Python code when the interpreter starts. This technique allows for stealthy and persistent execution, bypassing traditional startup scripts or scheduled tasks. The Elastic detection rule identifies unauthorized creation of .pth files, excluding legitimate package managers and known benign processes. Volexity reported on CVE-2024-3400 which exploited this persistence technique in April 2024. This is relevant for defenders as it highlights a method for attackers to maintain access and execute malicious code within compromised environments, even after system reboots or updates.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to a Linux system through an exploit (e.g., CVE-2024-3400) or compromised credentials.</li>
<li>Privilege Escalation (Optional): The attacker may escalate privileges to gain write access to system-wide Python package directories like <code>/usr/lib/python*/site-packages/</code>.</li>
<li>Malicious .pth Creation: The attacker creates a .pth file (e.g., <code>evil.pth</code>) within a Python package directory.</li>
<li>Payload Injection: The .pth file contains a path to a malicious Python script or directly includes Python code to execute. This code may download and execute a secondary payload, establish a reverse shell, or perform other malicious actions.</li>
<li>Interpreter Startup: When Python interpreter starts, it automatically executes the code specified in the .pth file.</li>
<li>Persistent Execution: The malicious code executes every time Python interpreter is invoked, ensuring the attacker maintains persistent access to the system.</li>
<li>Defense Evasion: The attacker may obfuscate the code within the .pth file or the linked script to evade detection.</li>
<li>Goal: The attacker maintains persistent access to the compromised system for lateral movement, data exfiltration, or other malicious objectives.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to maintain persistent access to compromised Linux systems. The impact ranges from data theft and system disruption to complete system compromise. While no specific victim count is available, this technique can affect any organization relying on Python applications. The stealthy nature of .pth file-based persistence makes it difficult to detect, potentially leading to prolonged periods of undetected malicious activity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect suspicious .pth file creation events in Python package directories.</li>
<li>Enable Elastic Defend integration to collect file creation events necessary for the provided Sigma rule.</li>
<li>Review and customize the exclusion list in the Sigma rule to account for legitimate package managers and automation processes within your environment.</li>
<li>Monitor system logs for unusual Python interpreter activity following .pth file creation events.</li>
<li>Investigate any alerts generated by the Sigma rule to determine the legitimacy of the .pth file creation and the code it executes.</li>
<li>Implement file integrity monitoring (FIM) on Python package directories to detect unauthorized modifications.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>python</category><category>linux</category><category>pth</category><category>file_creation</category></item></channel></rss>