Python Path File (pth) Creation

Elastic Detection Rules

Summary
This detection rule identifies the creation of .pth files within specific Python package directories on Linux systems. Attackers can leverage these files for persistent execution of malicious code, because the interpreter's site module processes them automatically at every Python startup. The rule analyzes file creation and rename actions, focusing on paths typically associated with Python package installations, such as '/usr/local/lib/python*/dist-packages/*' and user-specific directories like '/home/*/.local/lib/python*/site-packages/*'. It filters out processes commonly associated with legitimate package management (pip and its various versions), thereby reducing false positives. The purpose of this rule is to flag unauthorized or suspicious modifications that suggest a persistence mechanism employed by malicious actors, and it serves as one component in monitoring for signs of compromise or malicious package injection.
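As an added example (not Elastic's rule or its query), the detection logic described in the summary expressed in Python and run over constructed file events; the event fields, the sample paths and the regex standing in for "pip and its various versions" are assumptions.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Iterable, List

# Directories named in the rule summary; fnmatch's '*' also spans '/', so the
# trailing '*' covers nested paths below each package directory.
WATCHED_PATH_GLOBS = (
    "/usr/local/lib/python*/dist-packages/*",
    "/home/*/.local/lib/python*/site-packages/*",
)

# Process names treated as legitimate package management. The summary only says
# "pip and its various versions"; this regex (pip, pip3, pip3.11, ...) is an assumption.
BENIGN_PROCESS_RE = re.compile(r"pip\d*(\.\d+)?")

@dataclass(frozen=True)
class FileEvent:
    action: str        # "creation" or "rename"; other actions are ignored
    path: str          # target path of the created or renamed file
    process_name: str  # short name of the process that wrote the file

def is_watched_pth(path: str) -> bool:
    """True if path is a .pth file inside one of the watched package dirs."""
    return path.endswith(".pth") and any(
        fnmatch.fnmatchcase(path, g) for g in WATCHED_PATH_GLOBS
    )

def is_benign_installer(process_name: str) -> bool:
    """True if the writing process is an expected pip variant."""
    return BENIGN_PROCESS_RE.fullmatch(process_name) is not None

def detect_pth_persistence(events: Iterable[FileEvent]) -> List[FileEvent]:
    """Return the events that satisfy the rule's three conditions."""
    return [
        e for e in events
        if e.action in ("creation", "rename")
        and is_watched_pth(e.path)
        and not is_benign_installer(e.process_name)
    ]

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    FileEvent("creation", "/usr/local/lib/python3.11/dist-packages/custom.pth", "python3"),
    FileEvent("creation", "/usr/local/lib/python3.11/dist-packages/distutils-precedence.pth", "pip3.11"),
    FileEvent("rename", "/home/alice/.local/lib/python3.12/site-packages/startup.pth", "bash"),
    FileEvent("creation", "/tmp/build/startup.pth", "python3"),
    FileEvent("creation", "/usr/local/lib/python3.11/dist-packages/setup.py", "python3"),
]

if __name__ == "__main__":
    for hit in detect_pth_persistence(SAMPLE_EVENTS):
        print(f"ALERT {hit.action} {hit.path} by {hit.process_name}")
```

Only the first and third sample events fire: the pip3.11 write is excluded as benign, the /tmp file is outside the watched directories, and setup.py is not a .pth file.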
Categories
  • Endpoint
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1546
  • T1574
  • T1059
  • T1059.004
Created: 2025-02-26