Detect Python Startup Hooks in Splunk
Adversaries may establish persistence by adding malicious content to Python startup hooks. Python offers several mechanisms that execute code when the interpreter starts. The PYTHONSTARTUP environment variable points to a Python script that executes in interactive mode before the first prompt. The usercustomize.py and sitecustomize.py files execute automatically when Python starts for all users (sitecustomize.py) or the current user (usercustomize.py). The PYTHONPATH and sys.path list directories where Python searches for modules — adversaries can inject malicious modules here. Additionally, .pth files in site-packages directories can execute arbitrary Python code on interpreter startup via import statements.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.018 Python Startup Hooks
- Canonical reference
- https://attack.mitre.org/techniques/T1546/018/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
OR index=syslog sourcetype=linux_secure
| eval IsPythonStartupFile=if(
(EventCode=11 OR match(_raw, "type=PATH"))
AND (
match(coalesce(TargetFilename, source, ""), "(?i)(sitecustomize\.py|usercustomize\.py)")
OR (match(coalesce(TargetFilename, source, ""), "(?i)(site-packages|dist-packages)") AND match(coalesce(TargetFilename, source, ""), "\.pth$"))
),
1, 0
)
| eval IsPythonEnvReg=if(
(EventCode=12 OR EventCode=13)
AND match(TargetObject, "(PYTHONSTARTUP|PYTHONPATH)"),
1, 0
)
| eval IsSuspiciousInstaller=if(
IsPythonStartupFile=1
AND NOT match(lower(coalesce(Image, _raw, "")), "(pip|pip3|conda|poetry|venv|virtualenv|setup\.py|easy_install)"),
1, 0
)
| where IsPythonStartupFile=1 OR IsPythonEnvReg=1
| eval DetectionType=case(
IsPythonEnvReg=1 AND match(TargetObject, "PYTHONSTARTUP"), "PYTHONSTARTUP_ENV_SET",
IsPythonEnvReg=1 AND match(TargetObject, "PYTHONPATH"), "PYTHONPATH_ENV_SET",
IsSuspiciousInstaller=1 AND match(coalesce(TargetFilename, source, ""), "sitecustomize"), "SITECUSTOMIZE_MODIFIED",
IsPythonStartupFile=1 AND match(coalesce(TargetFilename, source, ""), "\.pth$"), "PTH_FILE_CREATED",
IsPythonStartupFile=1, "PYTHON_STARTUP_FILE_MODIFIED",
1=1, "PYTHON_HOOK_ACTIVITY"
)
| table _time, host, User, EventCode, DetectionType, coalesce(TargetFilename, source) as FilePath, TargetObject, Image
| sort - _timeCross-platform Python startup hook detection covering Windows (Sysmon) and Linux (auditd) sources. Categorizes: PYTHONSTARTUP_ENV_SET (registry env var pointing to arbitrary startup script), PYTHONPATH_ENV_SET (PYTHONPATH redirect), SITECUSTOMIZE_MODIFIED (sitecustomize.py modified by non-pip process), PTH_FILE_CREATED (.pth file added to site-packages by suspicious process). Higher confidence when the modifying process is not a known Python package manager.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Python package installation (pip, conda) modifying site-packages
- Virtual environment creation initializing site-packages
- Development tools (IPython, Jupyter, pytest) installing startup hooks
- System administrators configuring PYTHONPATH for shared installations
Other platforms for T1546.018
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Malicious Code to sitecustomize.py
Expected signal: File modification event for sitecustomize.py in site-packages directory. Process creation for python3 being used to locate the site-packages path (reconnaissance). The payload executes on the next Python interpreter launch — file creation event for /tmp/python_startup_test.txt confirms execution.
- Test 2Set PYTHONSTARTUP Environment Variable to Malicious Script
Expected signal: File creation event for argus_pystartup.py in Temp. Sysmon Event ID 13: HKCU\Environment\PYTHONSTARTUP set to %TEMP%\argus_pystartup.py. On next interactive Python launch, the startup file executes and creates pystartup_executed.txt.
- Test 3Create Malicious .pth File in site-packages
Expected signal: File creation event for argus-test.pth in site-packages directory. The .pth file contains an import statement. On next Python startup, os.system executes the shell command — process creation for Python followed by child process for /bin/sh executing the os.system call.
References (5)
- https://attack.mitre.org/techniques/T1546/018/
- https://docs.python.org/3/library/site.html
- https://docs.python.org/3/using/cmdline.html#envvar-PYTHONSTARTUP
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.018/T1546.018.md
- https://embracethered.com/blog/posts/2022/python-import-tricks-py-malware-persistence/
Unlock Pro Content
Get the full detection package for T1546.018 including response playbook, investigation guide, and atomic red team tests.