<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Startup-Hook - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/startup-hook/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/startup-hook/feed.xml" rel="self" type="application/rss+xml"/><item><title>Python Site or User Customize File Creation for Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-01-python-startup-hook-persistence/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-python-startup-hook-persistence/</guid><description>Attackers can exploit Python's sitecustomize.py and usercustomize.py files for persistence by injecting malicious code, allowing them to execute arbitrary commands upon Python startup.</description><content:encoded><![CDATA[<p>This brief covers the exploitation of Python startup hooks for persistence on Linux systems. Attackers can modify or create <code>sitecustomize.py</code> and <code>usercustomize.py</code> files, which Python automatically executes on startup, allowing for arbitrary code execution. This technique is valuable for adversaries seeking to maintain covert access and execute commands without relying on traditional persistence mechanisms. The Elastic detection rule focuses on identifying unauthorized creation or modification of these files in system-wide, user-specific, and virtual environment locations, while excluding known benign processes like package managers and system update tools. Detecting these malicious modifications is crucial for defenders to identify and prevent unauthorized persistence mechanisms.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a Linux system through vulnerabilities, compromised credentials, or other methods.</li>
<li>The attacker identifies locations where Python's <code>sitecustomize.py</code> or <code>usercustomize.py</code> files are loaded. These locations include system-wide directories (<code>/usr/lib/python*/sitecustomize.py</code>) and user-specific configurations (<code>/home/*/.config/python/usercustomize.py</code>).</li>
<li>The attacker creates or modifies the target <code>sitecustomize.py</code> or <code>usercustomize.py</code> file with malicious Python code. The injected code could download and execute a payload, establish a reverse shell, or perform other malicious activities.</li>
<li>The attacker ensures the modified files are in the correct locations with the appropriate permissions.</li>
<li>When a user or system process executes Python, the malicious code within <code>sitecustomize.py</code> or <code>usercustomize.py</code> is automatically executed.</li>
<li>The injected code establishes a persistent connection to a command-and-control (C2) server, allowing the attacker to remotely control the compromised system.</li>
<li>The attacker uses the established connection to perform further reconnaissance, lateral movement, or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to establish persistent access to compromised systems. By hijacking Python startup, attackers can execute arbitrary code each time Python is run, potentially leading to data theft, system compromise, or further propagation of malware. While the source does not specify a precise number of victims, the widespread use of Python makes this technique applicable across various sectors, including software development, data science, and system administration. If successful, attackers can maintain a long-term presence on the affected systems, posing a significant threat to data confidentiality and system integrity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Linux Python Startup Hook File Creation&quot; to your SIEM and tune for your environment to detect malicious file creation events in Python's site-package directories.</li>
<li>Monitor process creation events for Python interpreters executing with modified <code>sitecustomize.py</code> or <code>usercustomize.py</code> files (process_creation log source).</li>
<li>Regularly audit the contents of <code>sitecustomize.py</code> and <code>usercustomize.py</code> files on critical systems to identify unauthorized modifications.</li>
<li>Enable Elastic Defend to collect file creation events and process metadata as required by the provided detection rules.</li>
<li>Update the exclusion list in the provided Sigma rule to include any legitimate processes in your environment that modify <code>sitecustomize.py</code> or <code>usercustomize.py</code>.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>python</category><category>startup-hook</category><category>linux</category></item></channel></rss>