Closed netgrain closed 5 months ago
@netgrain any particular reason you didn't create a windows and macos variant of this rule?
@nasbench primarily as I've only seen exploitation of this technique on Linux-based systems, but added a Windows-variant now per new commit. Not sure if you'd want macos separately also? (macos is not in the folder-structure afaik).
Added "related: similar" as meta, but not sure if you'd want this considering product base is different?
Also: Some of the checks fail related to a known FP, which can be filtered, but not sure whether that specific event you're checking for is an exception or a standard across your telemetry base
@netgrain those FPs are from a default installation of python. I excluded them with an additional FP found in test machines.
I updated the regex to include paths without versions and the venv folder, as both can exist and are able to load .pth files.
Summary of the Pull Request
Adds hunting analytic to detect creation of Python path configuration file (.pth), which may be indicative of malicious activity such as backdoor creation and persistence.
According to specification:
Changelog
new: Python Path Configuration File Creation - Linux
new: Python Path Configuration File Creation - Macos
new: Python Path Configuration File Creation - Windows
Example Log Event
File content
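As an added example that is not part of the pull request or the SigmaHQ rule: a small Python detector applying the same idea the rule and the regex discussion describe (flag .pth creation under versioned, unversioned and venv site-packages paths on Linux, macOS and Windows, then drop a known-benign allow-list) to constructed file-creation events. The regexes, event field names and allow-list entries are assumptions, not the rule's own.

```python
import re

# Added example, not the PR's own rule: detect creation of Python path
# configuration (.pth) files in site-packages directories, covering versioned
# ("python3.11"), unversioned ("python3") and venv layouts. Regexes below are
# assumptions, not the rule's actual pattern.

# Linux/macOS: .../lib/python3[.N]/{site,dist}-packages/<name>.pth
POSIX_PTH = re.compile(
    r"/lib/python3(?:\.\d+)?/(?:site|dist)-packages/[^/]+\.pth$", re.IGNORECASE
)
# Windows: ...\Lib\site-packages\<name>.pth (system installs and venvs alike)
WINDOWS_PTH = re.compile(r"\\Lib\\site-packages\\[^\\]+\.pth$", re.IGNORECASE)

# Assumed allow-list of names written by a stock install / packaging tooling
# (example only, not the rule's filter); anything else is surfaced for hunting.
KNOWN_BENIGN = {"distutils-precedence.pth", "_virtualenv.pth"}


def is_pth_creation(path: str) -> bool:
    """True if `path` is a .pth file inside a recognised site-packages directory."""
    return bool(POSIX_PTH.search(path) or WINDOWS_PTH.search(path))


def hunt(events):
    """Return TargetFilename values an analyst should review.

    `events` are dicts such as {"EventType": "CreateFile", "TargetFilename": ...}
    (assumed field names for a file-creation event).
    """
    hits = []
    for ev in events:
        path = ev.get("TargetFilename", "")
        if ev.get("EventType") != "CreateFile" or not is_pth_creation(path):
            continue
        name = re.split(r"[\\/]", path)[-1]
        if name.lower() in KNOWN_BENIGN:
            continue  # known false positive from a default installation
        hits.append(path)
    return hits


# Constructed sample telemetry (file-creation events), not real logs.
SAMPLE_EVENTS = [
    {"EventType": "CreateFile", "TargetFilename": "/usr/lib/python3.11/site-packages/distutils-precedence.pth"},
    {"EventType": "CreateFile", "TargetFilename": "/usr/lib/python3/dist-packages/update.pth"},
    {"EventType": "CreateFile", "TargetFilename": "/home/dev/.venv/lib/python3.11/site-packages/_virtualenv.pth"},
    {"EventType": "CreateFile", "TargetFilename": "/home/dev/.venv/lib/python3.11/site-packages/custom.pth"},
    {"EventType": "CreateFile", "TargetFilename": r"C:\Users\dev\AppData\Local\Programs\Python\Python311\Lib\site-packages\custom.pth"},
    {"EventType": "CreateFile", "TargetFilename": r"C:\venv\Lib\site-packages\README.txt"},
    {"EventType": "CreateFile", "TargetFilename": "/tmp/stray.pth"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("review:", hit)
```

The two stock-install names are filtered, the unversioned dist-packages path, the venv path and the Windows user-profile path are reported, and a .pth outside any site-packages directory is ignored.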