[Rule Tuning] Python Path File (pth) Creation (#5880)

* [Rule Tuning] Python Path File (pth) Creation

* ++

* ++

* ++

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

rules/linux/persistence_pth_file_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/02/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -56,6 +56,7 @@ Python Path Files (.pth) are used to automatically execute code when the Python
 references = [
     "https://dfir.ch/posts/publish_python_pth_extension/",
     "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/",
+    "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/"
 ]
 risk_score = 21
 rule_id = "7f65f984-5642-4291-a0a0-2bbefce4c617"
@@ -108,19 +109,16 @@ file.path like (
   "/opt/*/lib/python*/site-packages/*"
 ) and process.executable != null and not (
   process.executable in (
-    "/usr/local/bin/pip2", "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/local/bin/pip3",
-    "/usr/bin/pip3", "/usr/local/bin/pip", "/usr/bin/pip", "/usr/bin/podman", "/usr/local/bin/poetry",
-    "/usr/bin/poetry", "/usr/bin/pamac-daemon", "/opt/venv/bin/pip", "/usr/bin/dnf", "./venv/bin/pip",
-    "/usr/bin/dnf5", "/bin/dnf5", "/bin/pip", "/bin/podman", "./usr/bin/podman", "/kaniko/executor", "/dev/fd/3",
-    "/opt/SolarWinds/Agent/bin/Plugins/Discovery/SolarWinds.Agent.Discovery.Plugin", "/usr/bin/crio",
+    "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd",  "/usr/bin/podman", "/usr/bin/pamac-daemon",
+    "/usr/bin/dnf", "/usr/bin/dnf5", "/bin/dnf5", "/bin/podman", "./usr/bin/podman", "/kaniko/executor",
+    "/dev/fd/3", "/opt/SolarWinds/Agent/bin/Plugins/Discovery/SolarWinds.Agent.Discovery.Plugin", "/usr/bin/crio",
     "/opt/splunk/bin/splunkd", "/opt/Tanium/TaniumClient/TaniumCX"
   ) or
   process.executable like (
-    "/usr/bin/python*", "/usr/local/bin/python*", "/opt/venv/bin/python*",
     "/nix/store/*libexec/docker/dockerd", "/snap/docker/*dockerd"
   ) or
   (
-    process.name like ("python*", "platform-python*", "conda", "virtualenv", "cp", "pip*", "uv") and
+    process.name like ("platform-python*", "cp", "uv") and
     file.name in ("distutils-precedence.pth", "_virtualenv.pth")
   )
 )

rules/linux/persistence_site_and_user_customize_file_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/02/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -104,16 +104,11 @@ file.path like (
   "/home/*/.config/python/usercustomize.py"
 ) and not (
   process.executable in (
-    "/usr/local/bin/pip2", "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/local/bin/pip3",
-    "/usr/bin/pip3", "/usr/local/bin/pip", "/usr/bin/pip", "/usr/bin/podman", "/usr/local/bin/poetry",
-    "/usr/bin/poetry", "/usr/bin/pamac-daemon", "./venv/bin/pip", "./usr/bin/podman",
-    "/opt/miniforge3/bin/mamba", "/usr/sbin/dockerd", "/opt/conda/_conda", "/kaniko/executor",
-    "/usr/local/bin/dockerd", "/usr/bin/crio", "/usr/lib/systemd/systemd-executor"
+    "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/bin/podman", "/usr/bin/pamac-daemon",
+    "./usr/bin/podman", "/opt/miniforge3/bin/mamba", "/usr/sbin/dockerd", "/opt/conda/_conda", "/kaniko/executor",
+    "/usr/bin/crio", "/usr/lib/systemd/systemd-executor"
   ) or
-  process.executable like~ (
-    "/usr/bin/python*", "/usr/local/bin/python*", "/opt/venv/bin/python*",
-    "/nix/store/*libexec/docker/dockerd", "/snap/docker/*dockerd"
-  )
+  process.executable like~ ("/nix/store/*libexec/docker/dockerd", "/snap/docker/*dockerd")
 )
 '''