T1546.018 Python Startup Hooks Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let PythonStartupFiles = dynamic([
    "sitecustomize.py",
    "usercustomize.py",
    "site.py",
    "sitecustomize.pyc"
  ]);
let PythonDirs = dynamic([
    "site-packages",
    "dist-packages",
    "lib\\python",
    "lib/python"
  ]);
let StartupFileWrites = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName in~ (PythonStartupFiles)
   or (FileName endswith ".pth" and FolderPath has_any (PythonDirs))
| where ActionType in ("FileCreated", "FileModified")
| extend IsSitePackages = FolderPath has_any (PythonDirs)
| extend IsSitecustomize = FileName in~ ("sitecustomize.py", "usercustomize.py")
| extend IsPthFile = FileName endswith ".pth"
| project FileTime=Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath,
         IsSitePackages, IsSitecustomize, IsPthFile,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
let EnvVarPersistence = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryValueName in~ ("PYTHONSTARTUP", "PYTHONPATH")
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any ("Environment", "System\\CurrentControlSet")
| project RegTime=Timestamp, DeviceName, AccountName, RegistryKey,
         RegistryValueName, RegistryValueData, InitiatingProcessFileName;
union (StartupFileWrites | extend EventType="FILE"),
      (EnvVarPersistence | extend EventType="ENV_VAR")
| sort by FileTime desc, RegTime desc

high severity medium confidence

Data Sources

File: File Creation File: File Modification Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceRegistryEvents

False Positives

Python package installation (pip, conda, poetry) that creates or modifies sitecustomize.py or .pth files as part of package setup
Python virtual environment creation (venv, virtualenv) that initializes site-packages with standard configuration files including .pth files
Development tools (IPython, Jupyter, pytest) that install startup hooks for their configuration
System Python configuration management by system administrators that modifies PYTHONPATH for shared Python installations

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
  OR index=syslog sourcetype=linux_secure
| eval IsPythonStartupFile=if(
    (EventCode=11 OR match(_raw, "type=PATH"))
    AND (
      match(coalesce(TargetFilename, source, ""), "(?i)(sitecustomize\.py|usercustomize\.py)")
      OR (match(coalesce(TargetFilename, source, ""), "(?i)(site-packages|dist-packages)") AND match(coalesce(TargetFilename, source, ""), "\.pth$"))
    ),
    1, 0
  )
| eval IsPythonEnvReg=if(
    (EventCode=12 OR EventCode=13)
    AND match(TargetObject, "(PYTHONSTARTUP|PYTHONPATH)"),
    1, 0
  )
| eval IsSuspiciousInstaller=if(
    IsPythonStartupFile=1
    AND NOT match(lower(coalesce(Image, _raw, "")), "(pip|pip3|conda|poetry|venv|virtualenv|setup\.py|easy_install)"),
    1, 0
  )
| where IsPythonStartupFile=1 OR IsPythonEnvReg=1
| eval DetectionType=case(
    IsPythonEnvReg=1 AND match(TargetObject, "PYTHONSTARTUP"), "PYTHONSTARTUP_ENV_SET",
    IsPythonEnvReg=1 AND match(TargetObject, "PYTHONPATH"), "PYTHONPATH_ENV_SET",
    IsSuspiciousInstaller=1 AND match(coalesce(TargetFilename, source, ""), "sitecustomize"), "SITECUSTOMIZE_MODIFIED",
    IsPythonStartupFile=1 AND match(coalesce(TargetFilename, source, ""), "\.pth$"), "PTH_FILE_CREATED",
    IsPythonStartupFile=1, "PYTHON_STARTUP_FILE_MODIFIED",
    1=1, "PYTHON_HOOK_ACTIVITY"
  )
| table _time, host, User, EventCode, DetectionType, coalesce(TargetFilename, source) as FilePath, TargetObject, Image
| sort - _time

high severity medium confidence

Data Sources

File: File Creation File: File Modification Windows Registry: Registry Key Modification Sysmon Event IDs 11, 12, 13 Linux auditd

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux_secure

False Positives

Python package installation (pip, conda) modifying site-packages
Virtual environment creation initializing site-packages
Development tools (IPython, Jupyter, pytest) installing startup hooks
System administrators configuring PYTHONPATH for shared installations

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where
  (
    (
      event.category == "file" and event.type in ("creation", "change") and
      (
        file.name in~ ("sitecustomize.py", "usercustomize.py", "site.py", "sitecustomize.pyc") or
        (file.name like~ "*.pth" and file.path like~ ("*site-packages*", "*dist-packages*", "*lib/python*", "*lib\\python*"))
      ) and
      not process.name in~ ("pip", "pip3", "conda", "poetry", "easy_install", "setup.py")
    ) or
    (
      event.category == "registry" and event.type in ("creation", "change") and
      registry.value.name in~ ("PYTHONSTARTUP", "PYTHONPATH") and
      registry.path like~ ("*\\Environment*", "*CurrentControlSet*")
    )
  )
]

high severity medium confidence

Data Sources

Elastic Endpoint (file events) Elastic Endpoint (registry events) Auditbeat file integrity module

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.registry-* auditbeat-*

False Positives

Legitimate Python package installations via pip, conda, or poetry that create or update sitecustomize.py or .pth files in site-packages
System administrators configuring PYTHONPATH or PYTHONSTARTUP as part of legitimate environment management or virtual environment setup
Developer tooling such as pyenv, virtualenv, or conda environments that modify Python path configuration files during environment creation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "filepath",
  "process",
  CATEGORYNAME(category) AS category_name,
  CASE
    WHEN "filepath" IMATCHES '.*PYTHONSTARTUP.*' OR "filepath" IMATCHES '.*PYTHONPATH.*' THEN 'PYTHON_ENV_REG'
    WHEN "filepath" IMATCHES '.*(sitecustomize|usercustomize)\.py.*' THEN 'STARTUP_FILE_MODIFIED'
    WHEN "filepath" IMATCHES '.*\.pth$' AND ("filepath" IMATCHES '.*(site-packages|dist-packages|lib/python|lib\\python).*') THEN 'PTH_FILE_CREATED'
    ELSE 'PYTHON_HOOK_ACTIVITY'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 73, 143)
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (
      ("filepath" IMATCHES '.*(sitecustomize\.py|usercustomize\.py|site\.py|sitecustomize\.pyc)$')
      OR ("filepath" IMATCHES '.*\.pth$' AND "filepath" IMATCHES '.*(site-packages|dist-packages|lib/python|lib\\python).*')
    )
    AND NOT ("process" IMATCHES '.*(pip|pip3|conda|poetry|venv|virtualenv|easy_install|setup\.py).*')
    OR (
      "filepath" IMATCHES '.*(PYTHONSTARTUP|PYTHONPATH).*'
      AND category IN (5001, 5002, 18)
    )
  )
ORDER BY devicetime DESC
LIMIT 500

high severity medium confidence

Data Sources

Windows Security Event Log (Sysmon via QRadar DSM) Linux auditd via QRadar QRadar Endpoint Activity Monitor

Required Tables

events

False Positives

Legitimate Python package manager activity (pip, conda, poetry) writing to site-packages as part of normal package installation workflows
Automated CI/CD pipelines that configure PYTHONPATH or create virtual environments with custom sitecustomize.py configurations
System-level Python configuration by administrators using tools like Ansible or Chef that modify Python environment variables in registry or shell profiles

Sumo Logic CSE

sql

(_sourceCategory="endpoint/windows/sysmon" OR _sourceCategory="endpoint/linux/auditd" OR _sourceCategory="endpoint/linux/syslog")
| where (%"EventID" in ("11", "12", "13") OR eventtype in ("PATH", "SYSCALL") OR _raw matches /(?i)(sitecustomize|usercustomize|\.pth|PYTHONSTARTUP|PYTHONPATH)/)
| if ((%"EventID" == "11" OR eventtype == "PATH") AND (%"TargetFilename" matches /(?i)(sitecustomize\.py|usercustomize\.py|site\.py|sitecustomize\.pyc)$/ OR (%"TargetFilename" matches /(?i)(site-packages|dist-packages|lib\/python|lib\\python)/ AND %"TargetFilename" matches /\.pth$/)), 1, 0) as IsPythonStartupFile
| if ((%"EventID" in ("12", "13") AND (%"TargetObject" matches /PYTHONSTARTUP/ OR %"TargetObject" matches /PYTHONPATH/)), 1, 0) as IsPythonEnvReg
| if (IsPythonStartupFile == 1 AND !(toLowerCase(%"Image") matches /(pip|pip3|conda|poetry|venv|virtualenv|setup\.py|easy_install)/), 1, 0) as IsSuspiciousInstaller
| where IsPythonStartupFile == 1 OR IsPythonEnvReg == 1
| if (IsPythonEnvReg == 1 AND %"TargetObject" matches /PYTHONSTARTUP/, "PYTHONSTARTUP_ENV_SET",
    if (IsPythonEnvReg == 1 AND %"TargetObject" matches /PYTHONPATH/, "PYTHONPATH_ENV_SET",
    if (IsSuspiciousInstaller == 1 AND %"TargetFilename" matches /(?i)sitecustomize/, "SITECUSTOMIZE_MODIFIED",
    if (IsPythonStartupFile == 1 AND %"TargetFilename" matches /\.pth$/, "PTH_FILE_CREATED",
    "PYTHON_STARTUP_FILE_MODIFIED")))) as DetectionType
| fields _messageTime, %"Computer", %"User", %"EventID", DetectionType, %"TargetFilename", %"TargetObject", %"Image"
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Sysmon (Event IDs 11, 12, 13) Linux auditd PATH and SYSCALL records Sumo Logic Cloud SIEM normalized endpoint telemetry

Required Tables

_sourceCategory=endpoint/windows/sysmon _sourceCategory=endpoint/linux/auditd

False Positives

Python package installations via pip or conda that legitimately write sitecustomize.py or .pth manifest files to site-packages during package setup
Developer environment configuration tools (pyenv, direnv, virtualenv) that set PYTHONPATH or PYTHONSTARTUP in registry or shell initialization files
Enterprise software deployment systems that use Python and configure PYTHONPATH via Group Policy or registry to include additional module directories

Google Chronicle / SecOps

yaral

rule python_startup_hook_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Python startup hook persistence via modification of sitecustomize.py, usercustomize.py, .pth files in site-packages, or PYTHONSTARTUP/PYTHONPATH registry manipulation (MITRE ATT&CK T1546.018)"
    mitre_attack_technique = "T1546.018"
    mitre_attack_tactic = "Persistence"
    severity = "HIGH"
    confidence = "MEDIUM"

  events:
    (
      // File-based Python startup hook modification
      (
        $e.metadata.event_type = "FILE_CREATION" or
        $e.metadata.event_type = "FILE_MODIFICATION"
      ) and
      (
        (
          re.regex($e.target.file.full_path, `(?i)(sitecustomize\.py|usercustomize\.py|site\.py|sitecustomize\.pyc)$`)
        ) or
        (
          re.regex($e.target.file.full_path, `\.pth$`) and
          re.regex($e.target.file.full_path, `(?i)(site-packages|dist-packages|lib/python|lib\\python)`)
        )
      ) and
      not re.regex($e.principal.process.file.full_path, `(?i)(pip|pip3|conda|poetry|venv|virtualenv|setup\.py|easy_install)`)
    ) or
    (
      // Registry-based PYTHONSTARTUP or PYTHONPATH persistence
      (
        $e.metadata.event_type = "REGISTRY_CREATION" or
        $e.metadata.event_type = "REGISTRY_MODIFICATION"
      ) and
      re.regex($e.target.registry.registry_key, `(?i)(PYTHONSTARTUP|PYTHONPATH)`) and
      re.regex($e.target.registry.registry_key, `(?i)(Environment|CurrentControlSet)`)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle UDM file events from Endpoint Detection agents Chronicle UDM registry events from Windows telemetry Google Chronicle via Bindplane or Forwarder ingesting Sysmon/EDR telemetry

Required Tables

UDM events (file, registry event types)

False Positives

Automated Python dependency installation workflows (pip, conda, poetry) that write .pth files or sitecustomize.py modifications to site-packages as part of package management
Development environment setup scripts that configure PYTHONPATH via registry to point to project-specific module directories
Software packaging processes that inject sitecustomize.py to support enterprise-wide Python configurations across managed endpoints

CrowdStrike LogScale (CQL)

cql

// Python Startup Hook Persistence Detection — T1546.018
// File-based hook modification
(
  #event_simpleName in ("PeFileWritten", "SyntheticProcessRollup2", "ScriptControlScanTelemetry", "NewScriptWritten")
  | TargetFileName = /(?i)(sitecustomize\.py|usercustomize\.py|site\.py|sitecustomize\.pyc)$/
  OR (
    TargetFileName = /\.pth$/i
    AND TargetDirectoryName = /(?i)(site-packages|dist-packages|lib[\/\\]python)/
  )
  | NOT (ImageFileName = /(?i)(pip|pip3|conda|poetry|venv|virtualenv|easy_install|setup\.py)/)
  | eval DetectionType = case(
      TargetFileName = /(?i)sitecustomize\.py$/, "SITECUSTOMIZE_MODIFIED",
      TargetFileName = /(?i)usercustomize\.py$/, "USERCUSTOMIZE_MODIFIED",
      TargetFileName = /\.pth$/i, "PTH_FILE_CREATED",
      true(), "PYTHON_STARTUP_FILE_MODIFIED"
    )
)
OR
(
  // Registry-based PYTHONSTARTUP/PYTHONPATH persistence
  #event_simpleName in ("RegGenericValueUpdate", "RegStringValueUpdate")
  | RegObjectName = /(?i)(PYTHONSTARTUP|PYTHONPATH)/
  | RegObjectName = /(?i)(Environment|CurrentControlSet)/
  | eval DetectionType = case(
      RegObjectName = /PYTHONSTARTUP/i, "PYTHONSTARTUP_ENV_SET",
      RegObjectName = /PYTHONPATH/i, "PYTHONPATH_ENV_SET",
      true(), "PYTHON_ENV_REG_MODIFIED"
    )
)
| groupBy([ComputerName, UserName, DetectionType], function=[
    collect([TargetFileName, TargetDirectoryName, RegObjectName, ImageFileName, CommandLine]),
    count(as=EventCount)
  ])
| sort(EventCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR (endpoint file write telemetry) CrowdStrike Falcon EDR (registry modification events) Falcon Data Replicator or Humio/LogScale ingestion pipeline

Required Tables

PeFileWritten NewScriptWritten RegGenericValueUpdate RegStringValueUpdate

False Positives

Legitimate pip, pip3, conda, or poetry package installations that write or update sitecustomize.py, usercustomize.py, or .pth files as part of normal dependency management
Python virtual environment creation tools (virtualenv, venv, pyenv) that configure PYTHONPATH registry values or generate .pth files as part of isolated environment bootstrapping
Enterprise Python distribution managers (Anaconda Enterprise, ActivePython) that use custom sitecustomize.py to enforce corporate proxy, certificate, or package repository settings

Python Startup Hooks

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections