Elastic Security Detection Rules

Python Path File (pth) Creation

Last updated a month ago on 2025-12-03
Created 10 months ago on 2025-02-26

About

This rule detects the creation of .pth files in system-wide and user-specific Python package directories, which can be abused for persistent code execution. .pth files automatically execute Python code when the interpreter starts, making them a stealthy persistence mechanism. Monitoring these paths helps identify unauthorized modifications that could indicate persistence by an attacker or malicious package injection.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: PersistenceTactic: ExecutionTactic: Defense EvasionData Source: Elastic DefendLanguage: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

Event Triggered Execution (T1546)(external, opens in a new tab or window)

Hijack Execution Flow (T1574)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

Defense Evasion (TA0005)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.file*
Related Integrations

endpoint(external, opens in a new tab or window)

Query
text code block:
file where host.os.type == "linux" and event.action in ("creation", "rename") and file.extension == "pth" and
file.path like~ (
  "/usr/local/lib/python*/dist-packages/*", 
  "/usr/lib/python*/dist-packages/*",
  "/usr/local/lib/python*/site-packages/*",
  "/usr/lib/python*/site-packages/*",
  "/home/*/.local/lib/python*/site-packages/*",
  "/opt/*/lib/python*/site-packages/*"
) and process.executable != null and not (
  process.executable in (
    "/usr/local/bin/pip2", "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/local/bin/pip3",
    "/usr/bin/pip3", "/usr/local/bin/pip", "/usr/bin/pip", "/usr/bin/podman", "/usr/local/bin/poetry",
    "/usr/bin/poetry", "/usr/bin/pamac-daemon", "/opt/venv/bin/pip", "/usr/bin/dnf", "./venv/bin/pip",
    "/usr/bin/dnf5", "/bin/dnf5", "/bin/pip", "/bin/podman"
  ) or
  process.executable like~ (
    "/usr/bin/python*", "/usr/local/bin/python*", "/opt/venv/bin/python*",
    "/nix/store/*libexec/docker/dockerd", "/snap/docker/*dockerd"
  )
)

Install detection rules in Elastic Security

Detect Python Path File (pth) Creation in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).