T1546.018 IBM QRadar · QRadar

Detect Python Startup Hooks in IBM QRadar

Adversaries may establish persistence by adding malicious content to Python startup hooks. Python offers several mechanisms that execute code when the interpreter starts. The PYTHONSTARTUP environment variable points to a Python script that executes in interactive mode before the first prompt. The usercustomize.py and sitecustomize.py files execute automatically when Python starts for all users (sitecustomize.py) or the current user (usercustomize.py). The PYTHONPATH and sys.path list directories where Python searches for modules — adversaries can inject malicious modules here. Additionally, .pth files in site-packages directories can execute arbitrary Python code on interpreter startup via import statements.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1546 Event Triggered Execution
Sub-technique
T1546.018 Python Startup Hooks
Canonical reference
https://attack.mitre.org/techniques/T1546/018/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "filepath",
  "process",
  CATEGORYNAME(category) AS category_name,
  CASE
    WHEN "filepath" IMATCHES '.*PYTHONSTARTUP.*' OR "filepath" IMATCHES '.*PYTHONPATH.*' THEN 'PYTHON_ENV_REG'
    WHEN "filepath" IMATCHES '.*(sitecustomize|usercustomize)\.py.*' THEN 'STARTUP_FILE_MODIFIED'
    WHEN "filepath" IMATCHES '.*\.pth$' AND ("filepath" IMATCHES '.*(site-packages|dist-packages|lib/python|lib\\python).*') THEN 'PTH_FILE_CREATED'
    ELSE 'PYTHON_HOOK_ACTIVITY'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 73, 143)
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (
      ("filepath" IMATCHES '.*(sitecustomize\.py|usercustomize\.py|site\.py|sitecustomize\.pyc)$')
      OR ("filepath" IMATCHES '.*\.pth$' AND "filepath" IMATCHES '.*(site-packages|dist-packages|lib/python|lib\\python).*')
    )
    AND NOT ("process" IMATCHES '.*(pip|pip3|conda|poetry|venv|virtualenv|easy_install|setup\.py).*')
    OR (
      "filepath" IMATCHES '.*(PYTHONSTARTUP|PYTHONPATH).*'
      AND category IN (5001, 5002, 18)
    )
  )
ORDER BY devicetime DESC
LIMIT 500
high severity medium confidence

Detects modification of Python startup files (sitecustomize.py, usercustomize.py, .pth files in site-packages) or registry/environment variable manipulation of PYTHONSTARTUP/PYTHONPATH on Windows and Linux endpoints. Filters out known Python package manager processes.

Data Sources

Windows Security Event Log (Sysmon via QRadar DSM)Linux auditd via QRadarQRadar Endpoint Activity Monitor

Required Tables

events

False Positives & Tuning

  • Legitimate Python package manager activity (pip, conda, poetry) writing to site-packages as part of normal package installation workflows
  • Automated CI/CD pipelines that configure PYTHONPATH or create virtual environments with custom sitecustomize.py configurations
  • System-level Python configuration by administrators using tools like Ansible or Chef that modify Python environment variables in registry or shell profiles
Download portable Sigma rule (.yml)

Other platforms for T1546.018

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add Malicious Code to sitecustomize.py

    Expected signal: File modification event for sitecustomize.py in site-packages directory. Process creation for python3 being used to locate the site-packages path (reconnaissance). The payload executes on the next Python interpreter launch — file creation event for /tmp/python_startup_test.txt confirms execution.

  2. Test 2Set PYTHONSTARTUP Environment Variable to Malicious Script

    Expected signal: File creation event for argus_pystartup.py in Temp. Sysmon Event ID 13: HKCU\Environment\PYTHONSTARTUP set to %TEMP%\argus_pystartup.py. On next interactive Python launch, the startup file executes and creates pystartup_executed.txt.

  3. Test 3Create Malicious .pth File in site-packages

    Expected signal: File creation event for argus-test.pth in site-packages directory. The .pth file contains an import statement. On next Python startup, os.system executes the shell command — process creation for Python followed by child process for /bin/sh executing the os.system call.

Last updated: 2026-04-20 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1546.018 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1546Event Triggered Execution

Related Sub-techniques

T1546.001Change Default File AssociationT1546.002ScreensaverT1546.003Windows Management Instrumentation Event SubscriptionT1546.004Unix Shell Configuration ModificationT1546.005TrapT1546.006LC_LOAD_DYLIB AdditionT1546.007Netsh Helper DLLT1546.008Accessibility FeaturesT1546.009AppCert DLLsT1546.010AppInit DLLsT1546.011Application ShimmingT1546.012Image File Execution Options InjectionT1546.013PowerShell ProfileT1546.014EmondT1546.015Component Object Model HijackingT1546.016Installer PackagesT1546.017Udev Rules

Related Techniques

T1546Event Triggered ExecutionT1546.004Unix Shell Configuration ModificationT1546.013PowerShell ProfileT1059.006PythonT1105Ingress Tool TransferT1036.005Match Legitimate Resource Name or Location

Same Tactic: Persistence

Popular Detections