MITRE ATT&CK® Analytic

AN0713: Analytic 0713

Defender observes unauthorized modification or creation of Python hook files such as `.pth`, `sitecustomize.py`, or `usercustomize.py` in Python `site-packages`, `dist-packages`, or user paths. This is often correlated with subsequent unexpected interpreter execution (e.g., python3 running without user interaction), changes in interpreter behavior (e.g., malicious imports), and outbound connections initiated from Python. Defender links write/modify actions on hook files with execve of python process and/or anomalous child process or network activity.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because CPython's `site` module processes `.pth` files and imports `sitecustomize` and `usercustomize` at every interpreter start, so a change to one of these files on Linux quietly alters how Python behaves whenever it runs. For a business leader, the risk is not the file change alone; it is whether trusted automation, developer tooling, or server-side Python processes can be turned into an unexpected execution path with outbound activity. The practical decision is whether the organization can prove it monitors these Python paths and can connect file modification, interpreter execution, child processes, and network behavior during an investigation.

Executive priority

Prioritize this where Linux systems rely on Python for administration, applications, CI/CD, data workflows, or security tooling. Leaders should ask whether SOC and IR teams have evidence for unauthorized writes to Python hook locations and whether that evidence is retained long enough to support incident scoping and audit response. This is also a control-validation issue: file integrity monitoring, endpoint telemetry, and network visibility need to line up, or the organization may see the later suspicious Python activity without knowing what changed first.

Technical view

For Linux, validate monitoring for creation or modification of Python hook files such as .pth, sitecustomize.py, and usercustomize.py in site-packages, dist-packages, and user paths (the per-user site directory, typically ~/.local/lib/pythonX.Y/site-packages). Only the lines of a .pth file that begin with `import` are executed by site.py; every other non-comment line just extends sys.path, so a .pth write is evidence of tampering but not proof of code execution until its contents are examined. Correlate those write events with subsequent execve of python or python3, unexpected interpreter execution without clear user interaction, anomalous child processes, changed import behavior, or outbound connections initiated by Python. Note that an interpreter started with -S skips all of these hooks, and -s, -I, or PYTHONNOUSERSITE skip the user site directory, so whether a planted hook fires depends on how the victim process is invoked. Because ATT&CK provides no separate detection logic and no relationship context for this analytic, implementation should be based on local Python installation paths, package-management workflows, developer activity, and baseline interpreter behavior.

Likely telemetry

  • Linux file creation and modification events for Python package and user paths
  • File integrity monitoring for .pth, sitecustomize.py, and usercustomize.py
  • Process execution telemetry including execve for python and python3
  • Parent-child process telemetry for Python-launched child processes
  • Network connection telemetry showing outbound connections initiated by Python processes

Detection direction

  • Inventory Python site-packages, dist-packages, and user-level package paths on Linux systems before writing rules; `python3 -m site` prints sys.path, USER_SITE, and ENABLE_USER_SITE for one interpreter, and path coverage is likely to vary by distribution, Python version, virtual environment, and application deployment model, so run it with each interpreter actually in use.
  • Alert on new or modified Python hook files, then raise priority when followed by unexpected python/python3 execution, anomalous child processes, or outbound network activity.
  • Tune for legitimate package installation, administrative maintenance, CI/CD jobs, and developer workflows to reduce false positives without suppressing unauthorized writes in production or privileged contexts. Expect benign .pth writes from pip and setuptools (for example editable installs and setuptools' distutils-precedence.pth), and key exceptions on the writing process and identity rather than on the file name.
  • Correlate file-write identity, process lineage, and later interpreter behavior; a file event without process context may be insufficient for confident triage.
  • Check blind spots around user paths, virtual environments, containers, or ephemeral hosts if they exist in the Linux estate, because the supplied analytic is platform-specific but does not enumerate all deployment patterns.
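The correlation described in the Technical view and in the list above, written out as an added example (not part of the ATT&CK object or of Glexia's analysis): a small correlator that opens a case on every write to a Python hook file, then escalates it when the same host shows a python/python3 execve, a child process of python, or an outbound connection from python within a window. The event field names, hostnames, paths, the 3600-second window, and the sample events themselves are constructed assumptions, not any vendor's schema.

```python
"""Correlate Python hook-file writes with later interpreter activity.

Illustrative detection logic for ATT&CK analytic AN0713. The event schema
(type/host/ts/exe/path/...) and the SAMPLE_EVENTS are constructed for this
example; map them onto your own auditd, eBPF or EDR feed.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Hook-file names and directory markers taken from the analytic description.
HOOK_NAMES = {"sitecustomize.py", "usercustomize.py"}
HOOK_DIRS = ("site-packages", "dist-packages")
PYTHON_BINARIES = {"python", "python3"}
SEVERITY = ("medium", "high", "critical")   # ordered, lowest first


def is_python_hook_file(path: str) -> bool:
    """True for a .pth / sitecustomize.py / usercustomize.py under a site dir."""
    p = PurePosixPath(path)
    in_site_dir = any(part in HOOK_DIRS for part in p.parts[:-1])
    return in_site_dir and (p.suffix == ".pth" or p.name in HOOK_NAMES)


def is_python_binary(exe: str) -> bool:
    """Match python, python3 and versioned names such as python3.11."""
    name = PurePosixPath(exe).name
    return name in PYTHON_BINARIES or name.startswith("python3.")


@dataclass
class Alert:
    host: str
    hook_file: str
    writer: str
    severity: str = "medium"
    evidence: list = field(default_factory=list)


def escalate(alert: Alert, level: str, note: str) -> None:
    """Append evidence and raise severity; never lower it."""
    alert.evidence.append(note)
    if SEVERITY.index(level) > SEVERITY.index(alert.severity):
        alert.severity = level


def correlate(events, window: int = 3600):
    """Walk time-ordered events and return one Alert per hook-file write.

    A bare write is 'medium'; a python execve on the same host within the
    window is 'high'; a python child process or outbound connection from
    python within the window is 'critical'.
    """
    open_cases = {}   # host -> [(first_seen_ts, Alert), ...]
    alerts = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "file_write" and is_python_hook_file(ev["path"]):
            a = Alert(host, ev["path"], ev["user"],
                      evidence=[f"{ev['ts']} write by {ev['user']} pid={ev['pid']}"])
            open_cases.setdefault(host, []).append((ev["ts"], a))
            alerts.append(a)
            continue
        for first_ts, a in open_cases.get(host, []):
            if ev["ts"] - first_ts > window:
                continue
            if ev["type"] == "execve" and is_python_binary(ev["exe"]):
                escalate(a, "high", f"{ev['ts']} execve {ev['exe']} "
                                    f"pid={ev['pid']} ppid={ev['ppid']}")
            elif ev["type"] == "execve" and is_python_binary(ev.get("parent_exe", "")):
                escalate(a, "critical", f"{ev['ts']} python child {ev['exe']} pid={ev['pid']}")
            elif ev["type"] == "connect" and is_python_binary(ev["exe"]):
                escalate(a, "critical", f"{ev['ts']} outbound {ev['dst']} pid={ev['pid']}")
    return alerts


# Constructed sample feed (time-ordered). web01 shows the full chain; build07
# shows an editable-install .pth written by a CI user with no follow-on
# activity inside the window, i.e. the kind of benign write that needs tuning.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "web01", "type": "file_write", "user": "www-data", "pid": 4111,
     "path": "/usr/lib/python3/dist-packages/zz_init.pth"},
    {"ts": 160, "host": "web01", "type": "execve", "exe": "/usr/bin/python3", "pid": 4200,
     "ppid": 1, "parent_exe": "/usr/lib/systemd/systemd", "user": "www-data"},
    {"ts": 161, "host": "web01", "type": "connect", "exe": "/usr/bin/python3", "pid": 4200,
     "dst": "203.0.113.10:443"},
    {"ts": 200, "host": "build07", "type": "file_write", "user": "ci", "pid": 900,
     "path": "/home/ci/.local/lib/python3.11/site-packages/__editable__.demo-1.0.pth"},
    {"ts": 300, "host": "web01", "type": "file_write", "user": "root", "pid": 5000,
     "path": "/etc/cron.d/backup"},
    {"ts": 305, "host": "web01", "type": "connect", "exe": "/usr/bin/curl", "pid": 5010,
     "dst": "198.51.100.7:443"},
    {"ts": 50000, "host": "build07", "type": "execve", "exe": "/usr/bin/python3", "pid": 950,
     "ppid": 800, "parent_exe": "/bin/bash", "user": "ci"},
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.host} {alert.hook_file} written by {alert.writer}")
        for line in alert.evidence:
            print("   ", line)
```

The correlator keys cases on host only, which is deliberate: the process that wrote the hook and the interpreter that later loads it are normally different processes, so process lineage cannot be the join key. The write-side identity (user, pid) is kept in the evidence so triage can separate a package manager or CI job from an application account writing into dist-packages.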

Mitigation priorities

  • Establish an approved baseline of Python hook files and package paths on Linux systems that matter to production, administration, or security operations.
  • Restrict write permissions to Python package and hook locations to authorized administrators, package managers, or deployment processes.
  • Use file integrity monitoring or endpoint controls to flag unauthorized creation or modification of the named hook files.
  • Ensure process and network telemetry can connect Python execution to the preceding file modification event during incident response.
  • Review exceptions periodically so legitimate development and package-management activity does not create unmanaged detection gaps.
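A baseline scanner for the inventory step in Detection direction and the approved-baseline item above, added here as an example and not code from the ATT&CK object or from Glexia. It uses the standard-library `site` module to list the directories CPython scans, hashes every hook file found there, reports the `.pth` lines that `site.py` executes (those beginning with `import`), and diffs a later scan against a stored baseline. The JSON output shape and the baseline-diff categories are assumptions of this example.

```python
"""Baseline the Python startup hook files an interpreter honours.

Run with each interpreter in use (system python3, venvs, application
runtimes); the set of directories differs per interpreter. Output shape is an
assumption of this example.
"""
import hashlib
import json
import site
from pathlib import Path

HOOK_NAMES = {"sitecustomize.py", "usercustomize.py"}


def hook_directories():
    """Site directories this interpreter scans for .pth files and *customize modules."""
    dirs = list(site.getsitepackages())
    if site.ENABLE_USER_SITE:            # None/False when -s, -I or PYTHONNOUSERSITE is set
        dirs.append(site.getusersitepackages())
    return [Path(d) for d in dict.fromkeys(dirs)]   # de-duplicate, keep order


def executable_pth_lines(pth_path: Path):
    """Return (line_no, text) for the lines site.py would exec(): 'import ...'."""
    flagged = []
    for n, line in enumerate(pth_path.read_text(errors="replace").splitlines(), 1):
        if line.startswith(("import ", "import\t")):
            flagged.append((n, line.rstrip()))
    return flagged


def inventory(directories):
    """Map each hook file directly under `directories` to its sha256 (+ exec lines)."""
    found = {}
    for d in directories:
        d = Path(d)
        if not d.is_dir():
            continue
        for f in sorted(d.iterdir()):
            if not f.is_file():
                continue
            if f.suffix == ".pth" or f.name in HOOK_NAMES:
                entry = {"sha256": hashlib.sha256(f.read_bytes()).hexdigest()}
                if f.suffix == ".pth":
                    entry["exec_lines"] = executable_pth_lines(f)
                found[str(f)] = entry
    return found


def diff_against_baseline(baseline, current):
    """Classify hook files as added / modified / removed relative to a stored baseline."""
    changes = {"added": [], "modified": [], "removed": []}
    for path, entry in current.items():
        if path not in baseline:
            changes["added"].append(path)
        elif baseline[path]["sha256"] != entry["sha256"]:
            changes["modified"].append(path)
    changes["removed"] = [p for p in baseline if p not in current]
    return changes


if __name__ == "__main__":
    dirs = hook_directories()
    report = {"directories": [str(d) for d in dirs], "hook_files": inventory(dirs)}
    print(json.dumps(report, indent=2))
```

Two caveats when reading the output. Legitimate `.pth` files also carry `import` lines (setuptools' distutils-precedence.pth and pip editable installs, for example), so a flagged line is a review item for the baseline, not an alert by itself. And `sitecustomize` is resolved by a normal import, so a module of that name anywhere on sys.path (not only in the site directories listed here) would be loaded; extend the directory list with the interpreter's sys.path entries if that gap matters in your estate.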

Analyst notes and limits

The supplied object is a detection analytic, not a technique entry. It specifies Linux and Python hook-file modification correlated with Python execution, child-process, or network behavior. No ATT&CK tactics, relationships, aliases, or official detection content were supplied, so the take focuses on defensive validation rather than attribution or threat behavior beyond the provided description.

This assessment is limited to the official STIX fields, external reference, and absence of supplied relationships. It does not establish active exploitation, affected products, actor usage, business impact, or guaranteed detection coverage. Local path inventories, telemetry availability, and normal Python usage patterns are required to operationalize it.

Official MITRE ATT&CK definition


The same entry is also available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 75d10b4df994a041...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 75d10b4df994…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0713 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.