MITRE ATT&CK® Technique

T1546.018: Python Startup Hooks

Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py` or `usercustomize.py` modules. These files are automatically processed during the initialization of the Python interpreter, allowing for the execution of arbitrary code whenever Python is invoked.[1]

Path configuration files exist to extend Python’s module search path: each line of a `.pth` file normally names a directory that is appended to `sys.path`. The exception is that any line beginning with `import` (followed by a space or tab) is executed as Python code instead. If such a `.pth` file is placed in a site directory (`site-packages`, `dist-packages`, or the per-user `site-packages`), the import line runs automatically every time the interpreter starts.[2] Similarly, if `sitecustomize.py` or `usercustomize.py` is present anywhere on the Python path, the module is imported during interpreter startup and any code it contains is executed.[3]

Adversaries may abuse these mechanisms to establish persistence on systems where Python is widely used (e.g., for automation or scripting in production environments).
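The two mechanisms are easier to reason about once you have watched them fire. The following added example (it is not part of the ATT&CK entry or of Glexia's text) builds both hooks in a throwaway directory: a `.pth` file whose `import` line is executed when `site.addsitedir()` processes the directory, the same routine the interpreter runs over `site-packages` at startup, and a `sitecustomize.py` that a freshly started child interpreter imports before its own `-c` program runs. The marker names (`T1546_018_PTH`, `sys._t1546_018`) and file names are assumptions chosen for the demo; the payload only sets a marker, where a real implant would start a process.

```python
"""Added example: exercise both T1546.018 startup hooks in a scratch directory.

Everything is created under a temporary directory and removed afterwards.
The marker names (T1546_018_PTH, sys._t1546_018) and file names are
assumptions chosen for this demo; a real implant would launch a process here.
"""
import os
import site
import subprocess
import sys
import tempfile

# The .pth payload is one 'import' line: site.addpackage() exec()s any line
# beginning with "import " or "import\t"; every other line is treated as a path.
PTH_LINE = "import os; os.environ['T1546_018_PTH'] = 'fired'"


def pth_hook_fires(site_dir: str) -> bool:
    """Write a .pth into site_dir and process it with site.addsitedir(),
    the same routine the interpreter runs over site-packages at startup."""
    os.environ.pop("T1546_018_PTH", None)
    with open(os.path.join(site_dir, "zz_hook.pth"), "w") as f:
        f.write("# comment lines are ignored\n")
        f.write("lib_dir_that_need_not_exist\n")  # path line, never executed
        f.write(PTH_LINE + "\n")                   # import line, exec()'d
    site.addsitedir(site_dir)
    return os.environ.get("T1546_018_PTH") == "fired"


def sitecustomize_hook_fires(hook_dir: str, *interp_flags: str) -> bool:
    """Drop sitecustomize.py into hook_dir, put that directory on PYTHONPATH
    and start a fresh interpreter. site.main() imports sitecustomize before
    any user code, so the child's -c program already sees the marker.
    Note that hook_dir is not a site directory, so the .pth written above is
    NOT processed by the child; sitecustomize only needs to be importable.
    Pass '-S' to see that skipping site processing disables the hook."""
    with open(os.path.join(hook_dir, "sitecustomize.py"), "w") as f:
        f.write("import sys\nsys._t1546_018 = 'fired'\n")
    env = dict(os.environ, PYTHONPATH=hook_dir)
    probe = "import sys; print(getattr(sys, '_t1546_018', 'clean'))"
    out = subprocess.run([sys.executable, *interp_flags, "-c", probe],
                         env=env, capture_output=True, text=True, check=True)
    return out.stdout.strip() == "fired"


def demo() -> dict:
    """Run all three checks in a throwaway directory and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        return {
            "pth_import_line": pth_hook_fires(tmp),
            "sitecustomize": sitecustomize_hook_fires(tmp),
            "sitecustomize_with_-S": sitecustomize_hook_fires(tmp, "-S"),
        }


if __name__ == "__main__":
    for hook, fired in demo().items():
        print(f"{hook:24s} {'EXECUTED' if fired else 'not executed'}")
```

Two details matter for defenders. The `.pth` hook is only honoured inside a site directory, but the per-user `site-packages` is one of those directories and needs no elevated privileges to write to; `sitecustomize.py`, by contrast, is found by an ordinary import, so any directory on `sys.path` (including ones injected through `PYTHONPATH`) will do. Running the child with `-S` shows the flip side: a scan that launches `python -S` to inspect a host will never see either hook fire.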

Domain: Enterprise. ID: T1546.018. Type: Sub-technique. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Python Startup Hooks matter because ordinary interpreter startup becomes an automatic execution point. Wherever Python is used for administration, automation, build pipelines, or production scripts, an unexpected startup-hook file turns every routine Python invocation into an execution of attacker-controlled code; when the invoking process is privileged (a root cron job, a service account, a CI runner), the same hook yields privilege escalation. The mechanism is the same on Linux, macOS, and Windows.

Executive priority

Treat this as a control-validation issue for systems where Python is operationally important. Leaders should ask whether teams know where Python is installed, who can modify Python package/configuration paths, and whether file-integrity and endpoint telemetry can prove that startup-hook locations have not been altered. This is especially relevant for incident response readiness and audit evidence around persistence coverage, because ATT&CK provides no official detection text for this sub-technique.

Technical view

Validate Python startup-hook exposure on Linux, macOS, and Windows by inventorying every interpreter (system packages, vendor installs, virtual environments, container images, build agents) and monitoring the directories each one processes at startup: `site-packages` or `dist-packages`, the per-user site directory (`python -m site --user-site` prints it), and any directory reachable through `PYTHONPATH`, where `sitecustomize.py` can live without being in a site directory at all. The per-user locations matter because writing there needs no elevated privileges. Two interpreter options change what a clean baseline looks like: `-S` skips `site` processing entirely, and `-s` (or `PYTHONNOUSERSITE=1`) skips only the user site directory. The parent technique is Event Triggered Execution, so detection should focus on code that executes automatically whenever the interpreter starts, not only on interactive script execution. Relationship context shows DET0258 detects this object and is named for Linux Python startup-hook persistence via `.pth` and customize files; teams should review that strategy where available while recognizing it may not fully cover macOS or Windows without local adaptation.

Likely telemetry

  • File creation, modification, and deletion events for Python site-packages or dist-packages locations
  • File integrity monitoring for .pth files, sitecustomize.py, and usercustomize.py
  • Endpoint process telemetry showing Python interpreter invocations and parent/child process context
  • Package-management or software-deployment logs that can explain legitimate Python path changes
  • User, privilege, and ownership metadata for accounts modifying Python directories

Detection direction

  • Establish a baseline of legitimate Python startup-hook files and alert on new or modified entries in monitored Python paths.
  • Prioritize changes made outside approved software installation, patching, or deployment windows.
  • Correlate Python startup-hook changes with subsequent Python execution, unusual parent processes, or privilege context changes.
  • Tune false positives for legitimate package installers and administrative automation that create or update .pth files. In particular, setuptools ships `distutils-precedence.pth` and modern editable installs produce `__editable__*.pth`, both of which can legitimately contain `import` lines, so baseline such files by content hash rather than suppressing all .pth activity.
  • Address blind spots from unmanaged Python installations, user-local Python paths, containers or build agents, and systems where endpoint file telemetry is incomplete.
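The technical view and the detection direction above both come down to the same routine: enumerate the directories the interpreter consults at startup, record what is there, flag what executes code, and diff against an approved state. The following added example (not part of Glexia's or MITRE's material) does exactly that in the language the page is about. `startup_dirs()` uses the `site` module to find the system and user site directories plus every `sys.path` entry; `scan()` records each `.pth` file and customize module with its SHA-256, owner UID and world-writable bit; `baseline()` and `diff_baseline()` support the "baseline and alert on change" direction; `needs_review()` is a heuristic of this example, not an ATT&CK or DET0258 rule. The function names and the fixture files used in its usage are assumptions.

```python
"""Added example: triage scanner for Python startup hooks.

Enumerates the directories the interpreter consults at startup, records every
.pth file and customize module found there, flags the .pth lines that execute
code, and diffs the current state against a saved baseline. The function names
and the needs_review() heuristic are assumptions made for this demo.
"""
import hashlib
import os
import site
import stat
import sys
from typing import Dict, List

EXEC_PREFIXES = ("import ", "import\t")   # exactly what site.addpackage() exec()s
CUSTOMIZE = ("sitecustomize.py", "usercustomize.py")


def startup_dirs() -> List[str]:
    """Where .pth files are processed (site dirs, user site dir) plus every
    sys.path entry, since sitecustomize/usercustomize can sit anywhere on it."""
    dirs = list(site.getsitepackages())
    if site.ENABLE_USER_SITE:
        dirs.append(site.getusersitepackages())
    dirs.extend(p for p in sys.path if p)
    seen, ordered = set(), []
    for d in dirs:
        if d not in seen and os.path.isdir(d):
            seen.add(d)
            ordered.append(d)
    return ordered


def _meta(path: str) -> dict:
    """Content hash plus the ownership facts a triage analyst wants next to it."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "uid": st.st_uid,
            "world_writable": bool(st.st_mode & stat.S_IWOTH)}


def scan(dirs: List[str]) -> List[dict]:
    """One record per startup-hook artifact found directly in the given dirs."""
    findings = []
    for d in dirs:
        try:
            names = sorted(os.listdir(d))
        except OSError:          # unreadable directory: skip, do not crash the sweep
            continue
        for name in names:
            path = os.path.join(d, name)
            if not os.path.isfile(path):
                continue
            if name.endswith(".pth"):
                with open(path, encoding="utf-8", errors="replace") as f:
                    exec_lines = [ln.rstrip("\n") for ln in f
                                  if ln.startswith(EXEC_PREFIXES)]
                findings.append({"path": path, "kind": "pth",
                                 "exec_lines": exec_lines, **_meta(path)})
            elif name in CUSTOMIZE:
                findings.append({"path": path, "kind": name[:-3],
                                 "exec_lines": [], **_meta(path)})
    return findings


def baseline(findings: List[dict]) -> Dict[str, str]:
    """path -> sha256, suitable for storing as the approved state."""
    return {f["path"]: f["sha256"] for f in findings}


def diff_baseline(approved: Dict[str, str], findings: List[dict]) -> Dict[str, List[str]]:
    """Added, modified and removed hook files relative to an approved baseline."""
    now = baseline(findings)
    return {
        "added": sorted(p for p in now if p not in approved),
        "modified": sorted(p for p in now if p in approved and now[p] != approved[p]),
        "removed": sorted(p for p in approved if p not in now),
    }


def needs_review(findings: List[dict]) -> List[dict]:
    """Artifacts that run code at startup (any customize module, any .pth with an
    import line) or that an unprivileged user could tamper with (world-writable)."""
    return [f for f in findings
            if f["kind"] != "pth" or f["exec_lines"] or f["world_writable"]]


if __name__ == "__main__":
    for f in needs_review(scan(startup_dirs())):
        print(f"{f['kind']:14s} uid={f['uid']:<6} ww={f['world_writable']!s:5s} {f['path']}")
        for ln in f["exec_lines"]:
            print("    exec:", ln)
```

Run it from each interpreter you care about (`/usr/bin/python3`, a venv's `bin/python`, the Python inside a container image), because `site.getsitepackages()` answers for the interpreter that is running, not for the host in general. Store the `baseline()` output per interpreter and alert on any non-empty `diff_baseline()` result outside a change window; expect a hit on a legitimate `sitecustomize.py` on some distributions and on `distutils-precedence.pth`, which is why the comparison is by content hash rather than by file name.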

Mitigation priorities

  • Inventory Python installations and the directories processed during interpreter startup.
  • Restrict write access to Python site-packages, dist-packages, and customization-module locations to authorized administrators or deployment mechanisms.
  • Add file-integrity monitoring for Python startup-hook artifacts on systems where Python is used for operations or production automation.
  • Require change-control evidence for legitimate modifications to Python interpreter paths and package locations.
  • Include Python startup-hook checks in incident-response persistence triage and post-compromise validation.

Analyst notes and limits

The object is a sub-technique of T1546 Event Triggered Execution and is mapped to persistence and privilege-escalation. The official ATT&CK entry describes .pth files, sitecustomize.py, and usercustomize.py as the relevant startup mechanisms. The supplied relationship to DET0258 provides useful detection-strategy context, but the related strategy name is Linux-specific while this ATT&CK object lists Linux, macOS, and Windows.

Official detection guidance is not provided in the supplied ATT&CK fields. This take does not assert active exploitation, attribution, or guaranteed detection coverage. Local Python deployment models, interpreter paths, endpoint logging, and administrative workflows are required to determine practical risk and detection quality.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID      Name                        Relationship / procedure
Enterprise  T1546   Event Triggered Execution   This object is a sub-technique of Event Triggered Execution.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 81d4b0989125c8cb...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   81d4b0989125…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved May 22, 2025.
  2. [2] Stephan Berger. (2025, January 14). Analysis of Python's .pth files as a persistence mechanism. Retrieved May 22, 2025.
  3. [3] Python. (n.d.). site — Site-specific configuration hook. Retrieved May 22, 2025.
  4. [4] mitre-attack: T1546.018 (the ATT&CK source record for this sub-technique).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.