Detect Python Startup Hooks in Google Chronicle
Adversaries may establish persistence by adding malicious content to Python startup hooks. Python offers several mechanisms that execute code when the interpreter starts. The PYTHONSTARTUP environment variable points to a Python script that executes in interactive mode before the first prompt. The usercustomize.py and sitecustomize.py files execute automatically when Python starts for all users (sitecustomize.py) or the current user (usercustomize.py). The PYTHONPATH and sys.path list directories where Python searches for modules — adversaries can inject malicious modules here. Additionally, .pth files in site-packages directories can execute arbitrary Python code on interpreter startup via import statements.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.018 Python Startup Hooks
- Canonical reference
- https://attack.mitre.org/techniques/T1546/018/
YARA-L Detection Query
rule python_startup_hook_persistence {
meta:
author = "Argus Detection Engineering"
description = "Detects Python startup hook persistence via modification of sitecustomize.py, usercustomize.py, .pth files in site-packages, or PYTHONSTARTUP/PYTHONPATH registry manipulation (MITRE ATT&CK T1546.018)"
mitre_attack_technique = "T1546.018"
mitre_attack_tactic = "Persistence"
severity = "HIGH"
confidence = "MEDIUM"
events:
(
// File-based Python startup hook modification
(
$e.metadata.event_type = "FILE_CREATION" or
$e.metadata.event_type = "FILE_MODIFICATION"
) and
(
(
re.regex($e.target.file.full_path, `(?i)(sitecustomize\.py|usercustomize\.py|site\.py|sitecustomize\.pyc)$`)
) or
(
re.regex($e.target.file.full_path, `\.pth$`) and
re.regex($e.target.file.full_path, `(?i)(site-packages|dist-packages|lib/python|lib\\python)`)
)
) and
not re.regex($e.principal.process.file.full_path, `(?i)(pip|pip3|conda|poetry|venv|virtualenv|setup\.py|easy_install)`)
) or
(
// Registry-based PYTHONSTARTUP or PYTHONPATH persistence
(
$e.metadata.event_type = "REGISTRY_CREATION" or
$e.metadata.event_type = "REGISTRY_MODIFICATION"
) and
re.regex($e.target.registry.registry_key, `(?i)(PYTHONSTARTUP|PYTHONPATH)`) and
re.regex($e.target.registry.registry_key, `(?i)(Environment|CurrentControlSet)`)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting Python startup hook persistence mechanisms including modification of sitecustomize.py, usercustomize.py, .pth files in Python package directories, and registry-based manipulation of PYTHONSTARTUP/PYTHONPATH environment variables. Excludes legitimate Python package manager processes.
Data Sources
Required Tables
False Positives & Tuning
- Automated Python dependency installation workflows (pip, conda, poetry) that write .pth files or sitecustomize.py modifications to site-packages as part of package management
- Development environment setup scripts that configure PYTHONPATH via registry to point to project-specific module directories
- Software packaging processes that inject sitecustomize.py to support enterprise-wide Python configurations across managed endpoints
Other platforms for T1546.018
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Malicious Code to sitecustomize.py
Expected signal: File modification event for sitecustomize.py in site-packages directory. Process creation for python3 being used to locate the site-packages path (reconnaissance). The payload executes on the next Python interpreter launch — file creation event for /tmp/python_startup_test.txt confirms execution.
- Test 2Set PYTHONSTARTUP Environment Variable to Malicious Script
Expected signal: File creation event for argus_pystartup.py in Temp. Sysmon Event ID 13: HKCU\Environment\PYTHONSTARTUP set to %TEMP%\argus_pystartup.py. On next interactive Python launch, the startup file executes and creates pystartup_executed.txt.
- Test 3Create Malicious .pth File in site-packages
Expected signal: File creation event for argus-test.pth in site-packages directory. The .pth file contains an import statement. On next Python startup, os.system executes the shell command — process creation for Python followed by child process for /bin/sh executing the os.system call.
References (5)
- https://attack.mitre.org/techniques/T1546/018/
- https://docs.python.org/3/library/site.html
- https://docs.python.org/3/using/cmdline.html#envvar-PYTHONSTARTUP
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.018/T1546.018.md
- https://embracethered.com/blog/posts/2022/python-import-tricks-py-malware-persistence/
Unlock Pro Content
Get the full detection package for T1546.018 including response playbook, investigation guide, and atomic red team tests.