Event Triggered Execution: Python Startup Hooks

Other sub-techniques of Event Triggered Execution (18)

ID	Name
ATAGS-T1069.001	Accessibility Features
ATAGS-T1069.002	AppCert DLLs
ATAGS-T1069.003	AppInit DLLs
ATAGS-T1069.004	Application Shimming
ATAGS-T1069.005	Change Default File Association
ATAGS-T1069.006	Component Object Model Hijacking
ATAGS-T1069.007	Emond
ATAGS-T1069.008	Image File Execution Options Injection
ATAGS-T1069.009	Installer Packages
ATAGS-T1069.010	LC_LOAD_DYLIB Addition
ATAGS-T1069.011	Netsh Helper DLL
ATAGS-T1069.012	PowerShell Profile
ATAGS-T1069.013	Python Startup Hooks
ATAGS-T1069.014	Screensaver
ATAGS-T1069.015	Trap
ATAGS-T1069.016	Udev Rules
ATAGS-T1069.017	Unix Shell Configuration Modification
ATAGS-T1069.018	Windows Management Instrumentation Event Subscription

Threat Actors may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (.pth) files and the sitecustomize.py or usercustomize.pymodules. These files are automatically processed during the initialization of the Python interpreter, allowing for the execution of arbitrary code whenever Python is invoked.

ID: ATAGS-T1069.013

Sub-technique of: ATAGS-T1069

ⓘ

Tactic: Persistence

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.