T1546.018 Elastic Security · Elastic

Detect Python Startup Hooks in Elastic Security

Adversaries may establish persistence by adding malicious content to Python startup hooks. Python offers several mechanisms that execute code when the interpreter starts. The PYTHONSTARTUP environment variable points to a Python script that executes in interactive mode before the first prompt. The usercustomize.py and sitecustomize.py files execute automatically when Python starts for all users (sitecustomize.py) or the current user (usercustomize.py). The PYTHONPATH and sys.path list directories where Python searches for modules — adversaries can inject malicious modules here. Additionally, .pth files in site-packages directories can execute arbitrary Python code on interpreter startup via import statements.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1546 Event Triggered Execution
Sub-technique
T1546.018 Python Startup Hooks
Canonical reference
https://attack.mitre.org/techniques/T1546/018/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
[
  any where
  (
    (
      event.category == "file" and event.type in ("creation", "change") and
      (
        file.name in~ ("sitecustomize.py", "usercustomize.py", "site.py", "sitecustomize.pyc") or
        (file.name like~ "*.pth" and file.path like~ ("*site-packages*", "*dist-packages*", "*lib/python*", "*lib\\python*"))
      ) and
      not process.name in~ ("pip", "pip3", "conda", "poetry", "easy_install", "setup.py")
    ) or
    (
      event.category == "registry" and event.type in ("creation", "change") and
      registry.value.name in~ ("PYTHONSTARTUP", "PYTHONPATH") and
      registry.path like~ ("*\\Environment*", "*CurrentControlSet*")
    )
  )
]
high severity medium confidence

Detects Python startup hook persistence via modification of sitecustomize.py, usercustomize.py, .pth files in Python site-packages directories, or registry-based PYTHONSTARTUP/PYTHONPATH environment variable manipulation. Excludes known legitimate Python package managers.

Data Sources

Elastic Endpoint (file events)Elastic Endpoint (registry events)Auditbeat file integrity module

Required Tables

logs-endpoint.events.file-*logs-endpoint.events.registry-*auditbeat-*

False Positives & Tuning

  • Legitimate Python package installations via pip, conda, or poetry that create or update sitecustomize.py or .pth files in site-packages
  • System administrators configuring PYTHONPATH or PYTHONSTARTUP as part of legitimate environment management or virtual environment setup
  • Developer tooling such as pyenv, virtualenv, or conda environments that modify Python path configuration files during environment creation
Download portable Sigma rule (.yml)

Other platforms for T1546.018

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add Malicious Code to sitecustomize.py

    Expected signal: File modification event for sitecustomize.py in site-packages directory. Process creation for python3 being used to locate the site-packages path (reconnaissance). The payload executes on the next Python interpreter launch — file creation event for /tmp/python_startup_test.txt confirms execution.

  2. Test 2Set PYTHONSTARTUP Environment Variable to Malicious Script

    Expected signal: File creation event for argus_pystartup.py in Temp. Sysmon Event ID 13: HKCU\Environment\PYTHONSTARTUP set to %TEMP%\argus_pystartup.py. On next interactive Python launch, the startup file executes and creates pystartup_executed.txt.

  3. Test 3Create Malicious .pth File in site-packages

    Expected signal: File creation event for argus-test.pth in site-packages directory. The .pth file contains an import statement. On next Python startup, os.system executes the shell command — process creation for Python followed by child process for /bin/sh executing the os.system call.

Last updated: 2026-04-20 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1546.018 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1546Event Triggered Execution

Related Sub-techniques

T1546.001Change Default File AssociationT1546.002ScreensaverT1546.003Windows Management Instrumentation Event SubscriptionT1546.004Unix Shell Configuration ModificationT1546.005TrapT1546.006LC_LOAD_DYLIB AdditionT1546.007Netsh Helper DLLT1546.008Accessibility FeaturesT1546.009AppCert DLLsT1546.010AppInit DLLsT1546.011Application ShimmingT1546.012Image File Execution Options InjectionT1546.013PowerShell ProfileT1546.014EmondT1546.015Component Object Model HijackingT1546.016Installer PackagesT1546.017Udev Rules

Related Techniques

T1546Event Triggered ExecutionT1546.004Unix Shell Configuration ModificationT1546.013PowerShell ProfileT1059.006PythonT1105Ingress Tool TransferT1036.005Match Legitimate Resource Name or Location

Same Tactic: Persistence

Popular Detections