Defender observes unauthorized modification or creation of Python hook files such as .pth, sitecustomize.py, or usercustomize.py in Python site-packages, dist-packages, or user paths. This is often correlated with subsequent unexpected interpreter execution (e.g., python3 running without user interaction), changes in interpreter behavior (e.g., malicious imports), and outbound connections initiated from Python. Defender links write/modify actions on hook files with the execve of a Python process and/or anomalous child process or network activity.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve: execve where exe=/usr/bin/python3 or similar interpreter |
| File Modification (DC0061) | auditd:PATH | write or create events on *.pth, sitecustomize.py, usercustomize.py in site-packages or dist-packages |
| File Metadata (DC0059) | auditd:CONFIG_CHANGE | chmod or chown of hook files indicating privilege escalation or execution permission change |
| Network Traffic Content (DC0085) | NSM:Flow | http::request: Outbound HTTP initiated by Python interpreter |

| Field | Description |
|---|---|
| HookFilePathPatterns | Absolute or regex paths to Python startup files (.pth, customize.py); vary by distro or virtual environment location |
| UserContext | Restrict alerts to non-root users, service accounts, or interactive shell sessions |
| TimeWindow | Correlate file modification and Python execution within short time span (default: 2–5 minutes) |
| InterpreterWhitelist | Filter out known legitimate Python executions tied to expected cron jobs or automation |
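The correlation described above, as an added example that is not part of this page or of any ATT&CK tooling: a small Python script that groups raw auditd SYSCALL/PATH records by event serial, records hook-file writes, and raises an alert when the same uid launches a Python interpreter within the TimeWindow. The four tunables map onto the fields in the table (HookFilePathPatterns, UserContext, TimeWindow, InterpreterWhitelist). The log lines are constructed, not real captures; the audit key `python_hooks` assumes a hypothetical watch rule such as `-w /usr/lib/python3/dist-packages -p wa -k python_hooks`, and the whitelist key `cron_backup` assumes a hypothetical rule tagging a known cron job.

```python
import re

# --- Tunables, mirroring the fields in the table above ---------------------
# HookFilePathPatterns: startup files that the interpreter loads implicitly.
HOOK_FILE_PATH_PATTERNS = [
    re.compile(r"/(site|dist)-packages/[^/]+\.pth$"),
    re.compile(r"/(site|dist)-packages/(site|user)customize\.py$"),
    re.compile(r"/python3(\.\d+)?/(site|user)customize\.py$"),  # stdlib location
]
TIME_WINDOW_SECONDS = 300                 # TimeWindow: 5 minutes
ALERT_ON_ROOT = False                     # UserContext: drop uid 0 (package managers etc.)
INTERPRETER_WHITELIST_KEYS = {"cron_backup"}  # InterpreterWhitelist: audit keys of known jobs
HOOK_WATCH_KEY = "python_hooks"           # assumed key from a '-w <dir> -p wa -k python_hooks' rule

EXECVE_SYSCALL = "59"                     # x86_64 execve in raw auditd output
PYTHON_EXE_RE = re.compile(r"/python(\d(\.\d+)?)?$")
HDR_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\(null\)|\S+)')

# Constructed sample log (simplified raw auditd lines, not a real capture).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3 uid=1000 comm="vim" exe="/usr/bin/vim" key="python_hooks"
type=PATH msg=audit(1700000000.100:101): item=1 name="/usr/lib/python3/dist-packages/zz_update.pth" nametype=CREATE
type=SYSCALL msg=audit(1700000060.200:102): arch=c000003e syscall=59 success=yes exit=0 uid=1000 comm="python3" exe="/usr/bin/python3" key=(null)
type=PATH msg=audit(1700000060.200:102): item=0 name="/usr/bin/python3" nametype=NORMAL
type=SYSCALL msg=audit(1700000100.000:103): arch=c000003e syscall=257 success=yes exit=4 uid=0 comm="dpkg" exe="/usr/bin/dpkg" key="python_hooks"
type=PATH msg=audit(1700000100.000:103): item=1 name="/usr/lib/python3.11/sitecustomize.py" nametype=NORMAL
type=SYSCALL msg=audit(1700000120.000:104): arch=c000003e syscall=59 success=yes exit=0 uid=1000 comm="python3" exe="/usr/bin/python3" key="cron_backup"
type=SYSCALL msg=audit(1700000150.000:105): arch=c000003e syscall=257 success=yes exit=3 uid=1000 comm="vim" exe="/usr/bin/vim" key="python_hooks"
type=PATH msg=audit(1700000150.000:105): item=1 name="/usr/lib/python3/dist-packages/README.txt" nametype=NORMAL
type=SYSCALL msg=audit(1700009000.000:106): arch=c000003e syscall=59 success=yes exit=0 uid=1000 comm="python3" exe="/usr/bin/python3" key=(null)
"""


def parse_audit_lines(lines):
    """Group records by event serial: {serial: {"ts", "syscall": fields, "paths": [fields...]}}."""
    events = {}
    for line in lines:
        m = HDR_RE.match(line)
        if not m:
            continue
        rtype, ts, serial = m.group(1), float(m.group(2)), int(m.group(3))
        ev = events.setdefault(serial, {"ts": ts, "syscall": {}, "paths": []})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return events


def is_hook_path(path):
    """HookFilePathPatterns check."""
    return any(p.search(path) for p in HOOK_FILE_PATH_PATTERNS)


def correlate(events, time_window=TIME_WINDOW_SECONDS):
    """Alert on a Python execve that follows a hook-file write by the same uid within time_window."""
    hook_writes = []  # (ts, uid, path, writer_exe)
    alerts = []
    for serial in sorted(events):          # serials increase with time
        ev = events[serial]
        sc = ev["syscall"]
        uid = sc.get("uid")
        if uid is None or (uid == "0" and not ALERT_ON_ROOT):
            continue                        # UserContext filter
        if sc.get("key") == HOOK_WATCH_KEY:  # File Modification via the watch rule
            for p in ev["paths"]:
                if is_hook_path(p.get("name", "")):
                    hook_writes.append((ev["ts"], uid, p["name"], sc.get("exe")))
            continue
        if sc.get("syscall") == EXECVE_SYSCALL and PYTHON_EXE_RE.search(sc.get("exe", "")):
            if sc.get("key") in INTERPRETER_WHITELIST_KEYS:
                continue                    # InterpreterWhitelist filter
            recent = [w for w in hook_writes
                      if w[1] == uid and 0 <= ev["ts"] - w[0] <= time_window]
            if recent:
                alerts.append({
                    "execve_serial": serial,
                    "uid": uid,
                    "python_exe": sc["exe"],
                    "hook_files": [w[2] for w in recent],
                    "written_by": sorted({w[3] for w in recent}),
                    "seconds_after_write": round(ev["ts"] - recent[-1][0], 1),
                })
    return alerts


def run(audit_text):
    return correlate(parse_audit_lines(audit_text.splitlines()))


if __name__ == "__main__":
    for a in run(SAMPLE_AUDIT_LOG):
        print(a)
```

Running the script on the sample yields a single alert for event 102 (uid 1000 wrote a .pth file with vim and ran python3 about a minute later); the root dpkg write is dropped by UserContext, the cron-tagged interpreter launch by InterpreterWhitelist, the README.txt write by the path patterns, and the launch at serial 106 by the TimeWindow. In production the same logic would consume `ausearch --raw` output or an auditd forwarder stream rather than an inline string.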