Skip to content

[New Rule] Python Site or User Customize File Creation #4500

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Mar 3, 2025
Merged

[New Rule] Python Site or User Customize File Creation #4500

merged 5 commits into from
Mar 3, 2025

Conversation

Aegrah
Copy link
Contributor

@Aegrah Aegrah commented Feb 26, 2025

Summary

This rule detects the creation and modification of sitecustomize.py and usercustomize.py, which Python automatically executes on startup. Attackers can exploit these files for persistence by injecting malicious code. The rule monitors system-wide, user-specific, and virtual environment locations to catch unauthorized changes that could indicate persistence or backdooring attempts.

Telemetry

0 hits in telemetry last 90d.
{3DCD1BC4-90A9-4973-9775-808FB9855899}

@Aegrah Aegrah self-assigned this Feb 26, 2025
@tradebot-elastic
Copy link

tradebot-elastic commented Feb 26, 2025
edited
Loading

⛔️ Tests failed:

  • ❌ Python Site or User Customize File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

terrancedejesus
terrancedejesus approved these changes Feb 27, 2025
View reviewed changes
Copy link
Contributor

@terrancedejesus terrancedejesus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good consideration by Jon.
Other than that, LGTM

@tradebot-elastic
Copy link

tradebot-elastic commented Feb 27, 2025
edited
Loading

⛔️ Tests failed:

DefSecSentinel
DefSecSentinel approved these changes Feb 27, 2025
View reviewed changes
Copy link
Contributor

@DefSecSentinel DefSecSentinel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tradebot-elastic
Copy link

tradebot-elastic commented Feb 27, 2025
edited
Loading

⛔️ Tests failed:

@tradebot-elastic
Copy link

tradebot-elastic commented Feb 28, 2025
edited
Loading

⛔️ Tests failed:

  • ❌ Python Site or User Customize File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
    • events_validation_missing: Not tested with events

@Aegrah Aegrah mentioned this pull request Mar 3, 2025
Open
@Aegrah
Copy link
Contributor Author

Aegrah commented Mar 3, 2025

Due to the effort required to find/test all usercustomize.py/sitecustomize.py creation paths for Windows/macOS, I will not be adding support to these platforms. I created an issue to track this, in case a maintainer from these platforms wants to tackle this. For now, I will just merge the PR for Linux only. cc @w0rk3r @DefSecSentinel. Issue: #4505

@tradebot-elastic
Copy link

tradebot-elastic commented Mar 3, 2025
edited
Loading

⛔️ Tests failed:

  • ❌ Python Site or User Customize File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
    • events_validation_missing: Not tested with events

@Aegrah Aegrah merged commit b9e8115 into main Mar 3, 2025
10 checks passed
@Aegrah Aegrah deleted the customize-file-creation branch March 3, 2025 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@w0rk3r w0rk3r w0rk3r left review comments

@DefSecSentinel DefSecSentinel DefSecSentinel approved these changes

@terrancedejesus terrancedejesus terrancedejesus approved these changes

@shashank-elastic shashank-elastic Awaiting requested review from shashank-elastic

Assignees

@Aegrah Aegrah

Labels
backport: auto Domain: Endpoint OS: Linux Team: TRADE
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Aegrah @tradebot-elastic @w0rk3r @DefSecSentinel @terrancedejesus