[Rule Tuning] Python Startup Hook Rules (#5400)

Author: Aegrah

rules/linux/persistence_pth_file_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/02/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/12/03"
 
 [rule]
 author = ["Elastic"]
@@ -128,6 +128,11 @@ id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1546.018"
+name = "Python Startup Hooks"
+reference = "https://attack.mitre.org/techniques/T1546/018/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"

rules/linux/persistence_site_and_user_customize_file_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/02/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/12/03"
 
 [rule]
 author = ["Elastic"]
@@ -123,6 +123,11 @@ id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1546.018"
+name = "Python Startup Hooks"
+reference = "https://attack.mitre.org/techniques/T1546/018/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"