Detect Python Startup Hooks in CrowdStrike LogScale
Adversaries may establish persistence by adding malicious content to Python startup hooks. Python offers several mechanisms that execute code when the interpreter starts. The PYTHONSTARTUP environment variable points to a Python script that executes in interactive mode before the first prompt. The usercustomize.py and sitecustomize.py files execute automatically when Python starts for all users (sitecustomize.py) or the current user (usercustomize.py). The PYTHONPATH and sys.path list directories where Python searches for modules — adversaries can inject malicious modules here. Additionally, .pth files in site-packages directories can execute arbitrary Python code on interpreter startup via import statements.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.018 Python Startup Hooks
- Canonical reference
- https://attack.mitre.org/techniques/T1546/018/
LogScale Detection Query
// Python Startup Hook Persistence Detection — T1546.018
// File-based hook modification
(
#event_simpleName in ("PeFileWritten", "SyntheticProcessRollup2", "ScriptControlScanTelemetry", "NewScriptWritten")
| TargetFileName = /(?i)(sitecustomize\.py|usercustomize\.py|site\.py|sitecustomize\.pyc)$/
OR (
TargetFileName = /\.pth$/i
AND TargetDirectoryName = /(?i)(site-packages|dist-packages|lib[\/\\]python)/
)
| NOT (ImageFileName = /(?i)(pip|pip3|conda|poetry|venv|virtualenv|easy_install|setup\.py)/)
| eval DetectionType = case(
TargetFileName = /(?i)sitecustomize\.py$/, "SITECUSTOMIZE_MODIFIED",
TargetFileName = /(?i)usercustomize\.py$/, "USERCUSTOMIZE_MODIFIED",
TargetFileName = /\.pth$/i, "PTH_FILE_CREATED",
true(), "PYTHON_STARTUP_FILE_MODIFIED"
)
)
OR
(
// Registry-based PYTHONSTARTUP/PYTHONPATH persistence
#event_simpleName in ("RegGenericValueUpdate", "RegStringValueUpdate")
| RegObjectName = /(?i)(PYTHONSTARTUP|PYTHONPATH)/
| RegObjectName = /(?i)(Environment|CurrentControlSet)/
| eval DetectionType = case(
RegObjectName = /PYTHONSTARTUP/i, "PYTHONSTARTUP_ENV_SET",
RegObjectName = /PYTHONPATH/i, "PYTHONPATH_ENV_SET",
true(), "PYTHON_ENV_REG_MODIFIED"
)
)
| groupBy([ComputerName, UserName, DetectionType], function=[
collect([TargetFileName, TargetDirectoryName, RegObjectName, ImageFileName, CommandLine]),
count(as=EventCount)
])
| sort(EventCount, order=desc)CrowdStrike Falcon LogScale (CQL) detection for Python startup hook persistence (T1546.018). Identifies file writes to sitecustomize.py, usercustomize.py, or .pth files in Python site-packages directories, as well as registry modifications to PYTHONSTARTUP or PYTHONPATH environment variables. Excludes known Python package manager parent processes.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate pip, pip3, conda, or poetry package installations that write or update sitecustomize.py, usercustomize.py, or .pth files as part of normal dependency management
- Python virtual environment creation tools (virtualenv, venv, pyenv) that configure PYTHONPATH registry values or generate .pth files as part of isolated environment bootstrapping
- Enterprise Python distribution managers (Anaconda Enterprise, ActivePython) that use custom sitecustomize.py to enforce corporate proxy, certificate, or package repository settings
Other platforms for T1546.018
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Malicious Code to sitecustomize.py
Expected signal: File modification event for sitecustomize.py in site-packages directory. Process creation for python3 being used to locate the site-packages path (reconnaissance). The payload executes on the next Python interpreter launch — file creation event for /tmp/python_startup_test.txt confirms execution.
- Test 2Set PYTHONSTARTUP Environment Variable to Malicious Script
Expected signal: File creation event for argus_pystartup.py in Temp. Sysmon Event ID 13: HKCU\Environment\PYTHONSTARTUP set to %TEMP%\argus_pystartup.py. On next interactive Python launch, the startup file executes and creates pystartup_executed.txt.
- Test 3Create Malicious .pth File in site-packages
Expected signal: File creation event for argus-test.pth in site-packages directory. The .pth file contains an import statement. On next Python startup, os.system executes the shell command — process creation for Python followed by child process for /bin/sh executing the os.system call.
References (5)
- https://attack.mitre.org/techniques/T1546/018/
- https://docs.python.org/3/library/site.html
- https://docs.python.org/3/using/cmdline.html#envvar-PYTHONSTARTUP
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.018/T1546.018.md
- https://embracethered.com/blog/posts/2022/python-import-tricks-py-malware-persistence/
Unlock Pro Content
Get the full detection package for T1546.018 including response playbook, investigation guide, and atomic red team tests.