DET0258 Linux Python Startup Hook Persistence via .pth and Customize Files (T1546.018)

Item	Value
ID	DET0258
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1546.018 (Python Startup Hooks)

Analytics

Linux

AN0713

Defender observes unauthorized modification or creation of Python hook files such as .pth, sitecustomize.py, or usercustomize.py in Python site-packages, dist-packages, or user paths. This is often correlated with subsequent unexpected interpreter execution (e.g., python3 running without user interaction), changes in interpreter behavior (e.g., malicious imports), and outbound connections initiated from Python. Defender links write/modify actions on hook files with execve of python process and/or anomalous child process or network activity.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	auditd:SYSCALL	execve: execve where exe=/usr/bin/python3 or similar interpreter
File Modification (DC0061)	auditd:PATH	write or create events on *.pth, sitecustomize.py, usercustomize.py in site-packages or dist-packages
File Metadata (DC0059)	auditd:CONFIG_CHANGE	chmod or chown of hook files indicating privilege escalation or execution permission change
Network Traffic Content (DC0085)	NSM:Flow	http::request: Outbound HTTP initiated by Python interpreter

Mutable Elements

Field	Description
HookFilePathPatterns	Absolute or regex paths to Python startup files (.pth, customize.py); vary by distro or virtual environment location
UserContext	Restrict alerts to non-root users, service accounts, or interactive shell sessions
TimeWindow	Correlate file modification and Python execution within short time span (default: 2–5 minutes)
InterpreterWhitelist	Filter out known legitimate Python executions tied to expected cron jobs or automation