Detect Python Startup Hooks in Sumo Logic CSE
Adversaries may establish persistence by adding malicious content to Python startup hooks. Python offers several mechanisms that execute code when the interpreter starts. The PYTHONSTARTUP environment variable points to a Python script that executes in interactive mode before the first prompt. The usercustomize.py and sitecustomize.py files execute automatically when Python starts for all users (sitecustomize.py) or the current user (usercustomize.py). The PYTHONPATH and sys.path list directories where Python searches for modules — adversaries can inject malicious modules here. Additionally, .pth files in site-packages directories can execute arbitrary Python code on interpreter startup via import statements.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.018 Python Startup Hooks
- Canonical reference
- https://attack.mitre.org/techniques/T1546/018/
Sumo Detection Query
(_sourceCategory="endpoint/windows/sysmon" OR _sourceCategory="endpoint/linux/auditd" OR _sourceCategory="endpoint/linux/syslog")
| where (%"EventID" in ("11", "12", "13") OR eventtype in ("PATH", "SYSCALL") OR _raw matches /(?i)(sitecustomize|usercustomize|\.pth|PYTHONSTARTUP|PYTHONPATH)/)
| if ((%"EventID" == "11" OR eventtype == "PATH") AND (%"TargetFilename" matches /(?i)(sitecustomize\.py|usercustomize\.py|site\.py|sitecustomize\.pyc)$/ OR (%"TargetFilename" matches /(?i)(site-packages|dist-packages|lib\/python|lib\\python)/ AND %"TargetFilename" matches /\.pth$/)), 1, 0) as IsPythonStartupFile
| if ((%"EventID" in ("12", "13") AND (%"TargetObject" matches /PYTHONSTARTUP/ OR %"TargetObject" matches /PYTHONPATH/)), 1, 0) as IsPythonEnvReg
| if (IsPythonStartupFile == 1 AND !(toLowerCase(%"Image") matches /(pip|pip3|conda|poetry|venv|virtualenv|setup\.py|easy_install)/), 1, 0) as IsSuspiciousInstaller
| where IsPythonStartupFile == 1 OR IsPythonEnvReg == 1
| if (IsPythonEnvReg == 1 AND %"TargetObject" matches /PYTHONSTARTUP/, "PYTHONSTARTUP_ENV_SET",
if (IsPythonEnvReg == 1 AND %"TargetObject" matches /PYTHONPATH/, "PYTHONPATH_ENV_SET",
if (IsSuspiciousInstaller == 1 AND %"TargetFilename" matches /(?i)sitecustomize/, "SITECUSTOMIZE_MODIFIED",
if (IsPythonStartupFile == 1 AND %"TargetFilename" matches /\.pth$/, "PTH_FILE_CREATED",
"PYTHON_STARTUP_FILE_MODIFIED")))) as DetectionType
| fields _messageTime, %"Computer", %"User", %"EventID", DetectionType, %"TargetFilename", %"TargetObject", %"Image"
| sort by _messageTime descDetects Python persistence via startup hook manipulation including writes to sitecustomize.py, usercustomize.py, .pth files in Python directories, and PYTHONSTARTUP/PYTHONPATH environment variable changes in the Windows registry. Classifies events by detection type and filters out legitimate package managers.
Data Sources
Required Tables
False Positives & Tuning
- Python package installations via pip or conda that legitimately write sitecustomize.py or .pth manifest files to site-packages during package setup
- Developer environment configuration tools (pyenv, direnv, virtualenv) that set PYTHONPATH or PYTHONSTARTUP in registry or shell initialization files
- Enterprise software deployment systems that use Python and configure PYTHONPATH via Group Policy or registry to include additional module directories
Other platforms for T1546.018
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Malicious Code to sitecustomize.py
Expected signal: File modification event for sitecustomize.py in site-packages directory. Process creation for python3 being used to locate the site-packages path (reconnaissance). The payload executes on the next Python interpreter launch — file creation event for /tmp/python_startup_test.txt confirms execution.
- Test 2Set PYTHONSTARTUP Environment Variable to Malicious Script
Expected signal: File creation event for argus_pystartup.py in Temp. Sysmon Event ID 13: HKCU\Environment\PYTHONSTARTUP set to %TEMP%\argus_pystartup.py. On next interactive Python launch, the startup file executes and creates pystartup_executed.txt.
- Test 3Create Malicious .pth File in site-packages
Expected signal: File creation event for argus-test.pth in site-packages directory. The .pth file contains an import statement. On next Python startup, os.system executes the shell command — process creation for Python followed by child process for /bin/sh executing the os.system call.
References (5)
- https://attack.mitre.org/techniques/T1546/018/
- https://docs.python.org/3/library/site.html
- https://docs.python.org/3/using/cmdline.html#envvar-PYTHONSTARTUP
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.018/T1546.018.md
- https://embracethered.com/blog/posts/2022/python-import-tricks-py-malware-persistence/
Unlock Pro Content
Get the full detection package for T1546.018 including response playbook, investigation guide, and atomic red team tests.