Detect Python Startup Hooks in Microsoft Sentinel
Adversaries may establish persistence by adding malicious content to Python startup hooks. Python offers several mechanisms that execute code when the interpreter starts. The PYTHONSTARTUP environment variable points to a Python script that executes in interactive mode before the first prompt. The usercustomize.py and sitecustomize.py files execute automatically when Python starts for all users (sitecustomize.py) or the current user (usercustomize.py). The PYTHONPATH and sys.path list directories where Python searches for modules — adversaries can inject malicious modules here. Additionally, .pth files in site-packages directories can execute arbitrary Python code on interpreter startup via import statements.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.018 Python Startup Hooks
- Canonical reference
- https://attack.mitre.org/techniques/T1546/018/
KQL Detection Query
let PythonStartupFiles = dynamic([
"sitecustomize.py",
"usercustomize.py",
"site.py",
"sitecustomize.pyc"
]);
let PythonDirs = dynamic([
"site-packages",
"dist-packages",
"lib\\python",
"lib/python"
]);
let StartupFileWrites = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName in~ (PythonStartupFiles)
or (FileName endswith ".pth" and FolderPath has_any (PythonDirs))
| where ActionType in ("FileCreated", "FileModified")
| extend IsSitePackages = FolderPath has_any (PythonDirs)
| extend IsSitecustomize = FileName in~ ("sitecustomize.py", "usercustomize.py")
| extend IsPthFile = FileName endswith ".pth"
| project FileTime=Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath,
IsSitePackages, IsSitecustomize, IsPthFile,
InitiatingProcessFileName, InitiatingProcessCommandLine;
let EnvVarPersistence = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryValueName in~ ("PYTHONSTARTUP", "PYTHONPATH")
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any ("Environment", "System\\CurrentControlSet")
| project RegTime=Timestamp, DeviceName, AccountName, RegistryKey,
RegistryValueName, RegistryValueData, InitiatingProcessFileName;
union (StartupFileWrites | extend EventType="FILE"),
(EnvVarPersistence | extend EventType="ENV_VAR")
| sort by FileTime desc, RegTime descDetects Python startup hook abuse via two vectors: (1) creation or modification of sitecustomize.py, usercustomize.py, or .pth files in Python site-packages/dist-packages directories — these execute on every Python interpreter startup, (2) modification of PYTHONSTARTUP or PYTHONPATH environment variables in the Windows registry — these redirect Python startup execution. Cross-platform (Windows, Linux, macOS) via MDE.
Data Sources
Required Tables
False Positives & Tuning
- Python package installation (pip, conda, poetry) that creates or modifies sitecustomize.py or .pth files as part of package setup
- Python virtual environment creation (venv, virtualenv) that initializes site-packages with standard configuration files including .pth files
- Development tools (IPython, Jupyter, pytest) that install startup hooks for their configuration
- System Python configuration management by system administrators that modifies PYTHONPATH for shared Python installations
Other platforms for T1546.018
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Malicious Code to sitecustomize.py
Expected signal: File modification event for sitecustomize.py in site-packages directory. Process creation for python3 being used to locate the site-packages path (reconnaissance). The payload executes on the next Python interpreter launch — file creation event for /tmp/python_startup_test.txt confirms execution.
- Test 2Set PYTHONSTARTUP Environment Variable to Malicious Script
Expected signal: File creation event for argus_pystartup.py in Temp. Sysmon Event ID 13: HKCU\Environment\PYTHONSTARTUP set to %TEMP%\argus_pystartup.py. On next interactive Python launch, the startup file executes and creates pystartup_executed.txt.
- Test 3Create Malicious .pth File in site-packages
Expected signal: File creation event for argus-test.pth in site-packages directory. The .pth file contains an import statement. On next Python startup, os.system executes the shell command — process creation for Python followed by child process for /bin/sh executing the os.system call.
References (5)
- https://attack.mitre.org/techniques/T1546/018/
- https://docs.python.org/3/library/site.html
- https://docs.python.org/3/using/cmdline.html#envvar-PYTHONSTARTUP
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.018/T1546.018.md
- https://embracethered.com/blog/posts/2022/python-import-tricks-py-malware-persistence/
Unlock Pro Content
Get the full detection package for T1546.018 including response playbook, investigation guide, and atomic red team tests.