1. Home
  2. Techniques
  3. Enterprise
  4. Event Triggered Execution
  5. Python Startup Hooks

Event Triggered Execution: Python Startup Hooks

ID Name
T1546.001 Change Default File Association
T1546.002 Screensaver
T1546.003 Windows Management Instrumentation Event Subscription
T1546.004 Unix Shell Configuration Modification
T1546.005 Trap
T1546.006 LC_LOAD_DYLIB Addition
T1546.007 Netsh Helper DLL
T1546.008 Accessibility Features
T1546.009 AppCert DLLs
T1546.010 AppInit DLLs
T1546.011 Application Shimming
T1546.012 Image File Execution Options Injection
T1546.013 PowerShell Profile
T1546.014 Emond
T1546.015 Component Object Model Hijacking
T1546.016 Installer Packages
T1546.017 Udev Rules
T1546.018 Python Startup Hooks

Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (.pth) files and the sitecustomize.py or usercustomize.py modules. These files are automatically processed during the initialization of the Python interpreter, allowing for the execution of arbitrary code whenever Python is invoked.[1]

Path configuration files are designed to extend Python’s module search paths through the use of import statements. If a .pth file is placed in Python's site-packages or dist-packages directories, any lines beginning with import will be executed automatically on Python invocation.[2] Similarly, if sitecustomize.py or usercustomize.py is present in the Python path, these files will be imported during interpreter startup, and any code they contain will be executed.[3]

Adversaries may abuse these mechanisms to establish persistence on systems where Python is widely used (e.g., for automation or scripting in production environments).

ID: T1546.018
Sub-technique of:  T1546
Platforms: Linux, Windows, macOS
Contributors: Pyae Heinn Kyaw, CSIRT @ Salesforce; Ruben Groenewoud (@RFGroenewoud)
Version: 1.0
Created: 22 May 2025
Last Modified: 21 October 2025
Version Permalink

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0258 Linux Python Startup Hook Persistence via .pth and Customize Files (T1546.018) AN0713

Defender observes unauthorized modification or creation of Python hook files such as .pth, sitecustomize.py, or usercustomize.py in Python site-packages, dist-packages, or user paths. This is often correlated with subsequent unexpected interpreter execution (e.g., python3 running without user interaction), changes in interpreter behavior (e.g., malicious imports), and outbound connections initiated from Python. Defender links write/modify actions on hook files with execve of python process and/or anomalous child process or network activity.

References

  1. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved May 22, 2025.
  2. Stephan Berger. (2025, January 14). Analysis of Python's .pth files as a persistence mechanism. Retrieved May 22, 2025.
  1. Python. (n.d.). site — Site-specific configuration hook. Retrieved May 22, 2025.