Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2026-01-07 12:51:40 +00:00
parent 9ee4c5c6a6
commit 04fea5a5fc
36 changed files with 796 additions and 61 deletions
@@ -927,6 +927,9 @@ privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquo
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook Execution via .pth (Windows),b4773c6b-3aa0-44a2-830a-b6ff594a0fb2,powershell
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook Execution via .pth (Linux),85f21c19-18ef-4450-98d8-05bb7b0e1887,bash
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook Execution via .pth (macOS),858b4aed-d76f-443d-a801-5454ea56dee0,bash
privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
@@ -1404,6 +1407,9 @@ persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook Execution via .pth (Windows),b4773c6b-3aa0-44a2-830a-b6ff594a0fb2,powershell
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook Execution via .pth (Linux),85f21c19-18ef-4450-98d8-05bb7b0e1887,bash
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook Execution via .pth (macOS),858b4aed-d76f-443d-a801-5454ea56dee0,bash
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
927 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
928 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 2 Add launch script to launch daemon fc369906-90c7-4a15-86fd-d37da624dde6 bash
929 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 3 Add launch script to launch agent 10cf5bec-49dd-4ebf-8077-8f47e420096f bash
930 privilege-escalation T1546.018 Event Triggered Execution: Python Startup Hooks 1 Python Startup Hook Execution via .pth (Windows) b4773c6b-3aa0-44a2-830a-b6ff594a0fb2 powershell
931 privilege-escalation T1546.018 Event Triggered Execution: Python Startup Hooks 2 Python Startup Hook Execution via .pth (Linux) 85f21c19-18ef-4450-98d8-05bb7b0e1887 bash
932 privilege-escalation T1546.018 Event Triggered Execution: Python Startup Hooks 3 Python Startup Hook Execution via .pth (macOS) 858b4aed-d76f-443d-a801-5454ea56dee0 bash
933 privilege-escalation T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
934 privilege-escalation T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
935 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
1407 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
1408 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 2 Add launch script to launch daemon fc369906-90c7-4a15-86fd-d37da624dde6 bash
1409 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 3 Add launch script to launch agent 10cf5bec-49dd-4ebf-8077-8f47e420096f bash
1410 persistence T1546.018 Event Triggered Execution: Python Startup Hooks 1 Python Startup Hook Execution via .pth (Windows) b4773c6b-3aa0-44a2-830a-b6ff594a0fb2 powershell
1411 persistence T1546.018 Event Triggered Execution: Python Startup Hooks 2 Python Startup Hook Execution via .pth (Linux) 85f21c19-18ef-4450-98d8-05bb7b0e1887 bash
1412 persistence T1546.018 Event Triggered Execution: Python Startup Hooks 3 Python Startup Hook Execution via .pth (macOS) 858b4aed-d76f-443d-a801-5454ea56dee0 bash
1413 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
1414 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
1415 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
@@ -181,6 +181,7 @@ persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook Execution via .pth (Linux),85f21c19-18ef-4450-98d8-05bb7b0e1887,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
@@ -271,6 +272,7 @@ privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook Execution via .pth (Linux),85f21c19-18ef-4450-98d8-05bb7b0e1887,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
181 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 5 Append commands user shell profile bbdb06bc-bab6-4f5b-8232-ba3fbed51d77 sh
182 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 6 System shell profile scripts 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4 sh
183 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 7 Create/Append to .bash_logout 37ad2f24-7c53-4a50-92da-427a4ad13f58 bash
184 persistence T1546.018 Event Triggered Execution: Python Startup Hooks 2 Python Startup Hook Execution via .pth (Linux) 85f21c19-18ef-4450-98d8-05bb7b0e1887 bash
185 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
186 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 sh
187 persistence T1543.002 Create or Modify System Process: SysV/Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
272 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 5 Append commands user shell profile bbdb06bc-bab6-4f5b-8232-ba3fbed51d77 sh
273 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 6 System shell profile scripts 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4 sh
274 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 7 Create/Append to .bash_logout 37ad2f24-7c53-4a50-92da-427a4ad13f58 bash
275 privilege-escalation T1546.018 Event Triggered Execution: Python Startup Hooks 2 Python Startup Hook Execution via .pth (Linux) 85f21c19-18ef-4450-98d8-05bb7b0e1887 bash
276 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
277 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 sh
278 privilege-escalation T1543.002 Create or Modify System Process: SysV/Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
@@ -114,6 +114,7 @@ persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook Execution via .pth (macOS),858b4aed-d76f-443d-a801-5454ea56dee0,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
@@ -181,6 +182,7 @@ privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook Execution via .pth (macOS),858b4aed-d76f-443d-a801-5454ea56dee0,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
114 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
115 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 2 Add launch script to launch daemon fc369906-90c7-4a15-86fd-d37da624dde6 bash
116 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 3 Add launch script to launch agent 10cf5bec-49dd-4ebf-8077-8f47e420096f bash
117 persistence T1546.018 Event Triggered Execution: Python Startup Hooks 3 Python Startup Hook Execution via .pth (macOS) 858b4aed-d76f-443d-a801-5454ea56dee0 bash
118 persistence T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
119 persistence T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
120 persistence T1543.001 Create or Modify System Process: Launch Agent 3 Launch Agent - Root Directory 66774fa8-c562-4bae-a58d-5264a0dd9dd7 bash
182 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
183 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 2 Add launch script to launch daemon fc369906-90c7-4a15-86fd-d37da624dde6 bash
184 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 3 Add launch script to launch agent 10cf5bec-49dd-4ebf-8077-8f47e420096f bash
185 privilege-escalation T1546.018 Event Triggered Execution: Python Startup Hooks 3 Python Startup Hook Execution via .pth (macOS) 858b4aed-d76f-443d-a801-5454ea56dee0 bash
186 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
187 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
188 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 3 Launch Agent - Root Directory 66774fa8-c562-4bae-a58d-5264a0dd9dd7 bash
@@ -649,6 +649,7 @@ privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook Execution via .pth (Windows),b4773c6b-3aa0-44a2-830a-b6ff594a0fb2,powershell
privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
@@ -995,6 +996,7 @@ persistence,T1546.015,Event Triggered Execution: Component Object Model Hijackin
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
persistence,T1137.004,Office Application Startup: Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook Execution via .pth (Windows),b4773c6b-3aa0-44a2-830a-b6ff594a0fb2,powershell
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
649 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 3 COM Hijacking with RunDLL32 (Local Server Switch) 123520cc-e998-471b-a920-bd28e3feafa0 powershell
650 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
651 privilege-escalation T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
652 privilege-escalation T1546.018 Event Triggered Execution: Python Startup Hooks 1 Python Startup Hook Execution via .pth (Windows) b4773c6b-3aa0-44a2-830a-b6ff594a0fb2 powershell
653 privilege-escalation T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
654 privilege-escalation T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
655 privilege-escalation T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
996 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
997 persistence T1137.004 Office Application Startup: Outlook Home Page 1 Install Outlook Home Page Persistence 7a91ad51-e6d2-4d43-9471-f26362f5738e command_prompt
998 persistence T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
999 persistence T1546.018 Event Triggered Execution: Python Startup Hooks 1 Python Startup Hook Execution via .pth (Windows) b4773c6b-3aa0-44a2-830a-b6ff594a0fb2 powershell
1000 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
1001 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
1002 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
@@ -228,7 +228,7 @@
- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Event Triggered Execution: Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -348,7 +348,7 @@
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Event Triggered Execution: Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -230,7 +230,7 @@
- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Event Triggered Execution: Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -351,7 +351,7 @@
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Event Triggered Execution: Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1226,7 +1226,10 @@
- Atomic Test #2: Add launch script to launch daemon [macos]
- Atomic Test #3: Add launch script to launch agent [macos]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #1: Python Startup Hook Execution via .pth (Windows) [windows]
- Atomic Test #2: Python Startup Hook Execution via .pth (Linux) [linux]
- Atomic Test #3: Python Startup Hook Execution via .pth (macOS) [macos]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
@@ -1874,7 +1877,10 @@
- Atomic Test #3: Add launch script to launch agent [macos]
- T1671 Cloud Application Integration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #1: Python Startup Hook Execution via .pth (Windows) [windows]
- Atomic Test #2: Python Startup Hook Execution via .pth (Linux) [linux]
- Atomic Test #3: Python Startup Hook Execution via .pth (macOS) [macos]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
@@ -326,7 +326,8 @@
- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #2: Python Startup Hook Execution via .pth (Linux) [linux]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -464,7 +465,8 @@
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #2: Python Startup Hook Execution via .pth (Linux) [linux]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -284,7 +284,8 @@
- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #3: Python Startup Hook Execution via .pth (macOS) [macos]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -411,7 +412,8 @@
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #3: Python Startup Hook Execution via .pth (macOS) [macos]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -875,7 +875,8 @@
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #1: Python Startup Hook Execution via .pth (Windows) [windows]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
@@ -1338,7 +1339,8 @@
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #1: Python Startup Hook Execution via .pth (Windows) [windows]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
+2 -2
@@ -27,7 +27,7 @@
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
@@ -37,7 +37,7 @@
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Overwrite Process Arguments [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Disable or Modify Linux Audit System](../../T1562.012/T1562.012.md) | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Bind Mounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
+2 -2
@@ -31,7 +31,7 @@
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
@@ -40,7 +40,7 @@
| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | [System Time Discovery](../../T1124/T1124.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
+2 -2
@@ -82,7 +82,7 @@
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
| | | Container Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) | | | | | | | |
| | | [IIS Components](../../T1505.004/T1505.004.md) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [File and Directory Permissions Modification](../../T1222/T1222.md) | | | | | | | |
| | | [Event Triggered Execution](../../T1546/T1546.md) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
@@ -94,7 +94,7 @@
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Cloud Application Integration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) | Extended Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [BITS Jobs](../../T1197/T1197.md) | TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+2 -2
@@ -59,7 +59,7 @@
| | | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Account Manipulation](../../T1098/T1098.md) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
| | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Code Signing Policy Modification](../../T1553.006/T1553.006.md) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
@@ -70,7 +70,7 @@
| | | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | | | | | | | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
| | | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [BITS Jobs](../../T1197/T1197.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+4 -2
@@ -20753,7 +20753,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20789,6 +20789,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -32773,7 +32774,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -32809,6 +32810,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
+4 -2
@@ -20411,7 +20411,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20447,6 +20447,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -32210,7 +32211,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -32246,6 +32247,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
+4 -2
@@ -20062,7 +20062,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20098,6 +20098,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -31494,7 +31495,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -31530,6 +31531,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
+4 -2
@@ -20120,7 +20120,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20156,6 +20156,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -31610,7 +31611,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -31646,6 +31647,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
+4 -2
@@ -20062,7 +20062,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20098,6 +20098,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -31494,7 +31495,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -31530,6 +31531,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
+4 -2
@@ -20554,7 +20554,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20590,6 +20590,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -32225,7 +32226,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -32261,6 +32262,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
+4 -2
@@ -20440,7 +20440,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20476,6 +20476,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -32114,7 +32115,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -32150,6 +32151,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
+4 -2
@@ -20349,7 +20349,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20385,6 +20385,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -31972,7 +31973,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -32008,6 +32009,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
+248 -4
@@ -46275,7 +46275,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -46311,7 +46311,129 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook Execution via .pth (Windows)
auto_generated_guid: b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on Windows.
'
supported_platforms:
- windows
input_arguments:
exe_name:
description: Executable to launch
type: string
default: calc.exe
python_path:
description: Path to Python interpreter
type: path
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: Ensure Python is installed
prereq_command: 'if (Get-Command #{python_path} -ErrorAction SilentlyContinue)
{ exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "Python not found. Please install it from
https://www.python.org/downloads/windows/ or via ''winget install Python.Python.3''"
'
executor:
name: powershell
elevation_required: false
command: |
$TempDir = Join-Path $env:TEMP ("atomic_python_hook_" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $TempDir | Out-Null
Set-Location $TempDir
Set-Content -Path "$env:TEMP\atomic_python_hook_path.txt" -Value $TempDir
& "#{python_path}" -m venv env
$SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
"import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['#{exe_name}']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
& "$TempDir\env\Scripts\python.exe" -c "print('Interpreter started')"
cleanup_command: |
Get-Process CalculatorApp -ErrorAction SilentlyContinue | Stop-Process -Force
if (Test-Path "$env:TEMP\atomic_python_hook_path.txt") {
$TempDir = Get-Content "$env:TEMP\atomic_python_hook_path.txt"
Remove-Item -Recurse -Force $TempDir -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_python_hook_path.txt" -Force }
- name: Python Startup Hook Execution via .pth (Linux)
auto_generated_guid: 85f21c19-18ef-4450-98d8-05bb7b0e1887
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on Linux.
'
supported_platforms:
- linux
input_arguments:
python_path:
description: Path to Python interpreter
type: path
default: python3
dependency_executor_name: bash
dependencies:
- description: Ensure Python is installed
prereq_command: command -v
get_prereq_command: 'echo "Python3 not found. Please install it using your
package manager (e.g., ''sudo apt install python3'' or ''sudo yum install
python3'')."
'
executor:
name: bash
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_path})
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
echo "import sys, os; (not hasattr(sys, 'hook_run')) and (setattr(sys, 'hook_run', True) or os.system('cat /etc/passwd'))" > "$SITE_PACKAGES/atomic_hook.pth"
cleanup_command: 'rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f
/tmp/atomic_python_hook_path.txt
'
- name: Python Startup Hook Execution via .pth (macOS)
auto_generated_guid: 858b4aed-d76f-443d-a801-5454ea56dee0
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on macOS.
'
supported_platforms:
- macos
input_arguments:
exe_name:
description: App to launch
type: string
default: Calculator
python_path:
description: Path to Python interpreter
type: path
default: python3
dependency_executor_name: bash
dependencies:
- description: Ensure Python is installed
prereq_command: command -v
get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
(''brew install python'') or the macOS developer tools (''xcode-select --install'')."
'
executor:
name: bash
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_path})
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
cleanup_command: |
pkill "#{exe_name}" || true
[ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
T1037.003:
technique:
type: attack-pattern
@@ -71751,7 +71873,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -71787,7 +71909,129 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook Execution via .pth (Windows)
auto_generated_guid: b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on Windows.
'
supported_platforms:
- windows
input_arguments:
exe_name:
description: Executable to launch
type: string
default: calc.exe
python_path:
description: Path to Python interpreter
type: path
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: Ensure Python is installed
prereq_command: 'if (Get-Command #{python_path} -ErrorAction SilentlyContinue)
{ exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "Python not found. Please install it from
https://www.python.org/downloads/windows/ or via ''winget install Python.Python.3''"
'
executor:
name: powershell
elevation_required: false
command: |
$TempDir = Join-Path $env:TEMP ("atomic_python_hook_" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $TempDir | Out-Null
Set-Location $TempDir
Set-Content -Path "$env:TEMP\atomic_python_hook_path.txt" -Value $TempDir
& "#{python_path}" -m venv env
$SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
"import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['#{exe_name}']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
& "$TempDir\env\Scripts\python.exe" -c "print('Interpreter started')"
cleanup_command: |
Get-Process CalculatorApp -ErrorAction SilentlyContinue | Stop-Process -Force
if (Test-Path "$env:TEMP\atomic_python_hook_path.txt") {
$TempDir = Get-Content "$env:TEMP\atomic_python_hook_path.txt"
Remove-Item -Recurse -Force $TempDir -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_python_hook_path.txt" -Force }
- name: Python Startup Hook Execution via .pth (Linux)
auto_generated_guid: 85f21c19-18ef-4450-98d8-05bb7b0e1887
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on Linux.
'
supported_platforms:
- linux
input_arguments:
python_path:
description: Path to Python interpreter
type: path
default: python3
dependency_executor_name: bash
dependencies:
- description: Ensure Python is installed
prereq_command: command -v
get_prereq_command: 'echo "Python3 not found. Please install it using your
package manager (e.g., ''sudo apt install python3'' or ''sudo yum install
python3'')."
'
executor:
name: bash
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_path})
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
echo "import sys, os; (not hasattr(sys, 'hook_run')) and (setattr(sys, 'hook_run', True) or os.system('cat /etc/passwd'))" > "$SITE_PACKAGES/atomic_hook.pth"
cleanup_command: 'rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f
/tmp/atomic_python_hook_path.txt
'
- name: Python Startup Hook Execution via .pth (macOS)
auto_generated_guid: 858b4aed-d76f-443d-a801-5454ea56dee0
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on macOS.
'
supported_platforms:
- macos
input_arguments:
exe_name:
description: App to launch
type: string
default: Calculator
python_path:
description: Path to Python interpreter
type: path
default: python3
dependency_executor_name: bash
dependencies:
- description: Ensure Python is installed
prereq_command: command -v
get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
(''brew install python'') or the macOS developer tools (''xcode-select --install'')."
'
executor:
name: bash
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_path})
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
cleanup_command: |
pkill "#{exe_name}" || true
[ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
T1037.003:
technique:
type: attack-pattern
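Review bot: The Linux test's executor command stops right after `echo "import sys, os; ..." > "$SITE_PACKAGES/atomic_hook.pth"`, so the hook is written but no interpreter from the venv is ever started afterwards; unlike the Windows and macOS variants in the same hunk, the `cat /etc/passwd` payload never fires and the test produces no execution telemetry for a detection to match. Appending `"$TEMPDIR/env/bin/python" -c "print('Interpreter started')"` as the last line of that executor command, exactly as the other two tests do, would make the Linux test actually demonstrate the technique its name claims. The per-process `sys.hook_run` guard in the payload does nothing across interpreter launches, but it is harmless. Since this is a generated index file, the fix presumably belongs in the source atomic YAML for T1546.018 rather than here.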
+78 -4
@@ -24931,7 +24931,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -24967,7 +24967,44 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook Execution via .pth (Linux)
auto_generated_guid: 85f21c19-18ef-4450-98d8-05bb7b0e1887
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on Linux.
'
supported_platforms:
- linux
input_arguments:
python_path:
description: Path to Python interpreter
type: path
default: python3
dependency_executor_name: bash
dependencies:
- description: Ensure Python is installed
prereq_command: command -v
get_prereq_command: 'echo "Python3 not found. Please install it using your
package manager (e.g., ''sudo apt install python3'' or ''sudo yum install
python3'')."
'
executor:
name: bash
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_path})
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
echo "import sys, os; (not hasattr(sys, 'hook_run')) and (setattr(sys, 'hook_run', True) or os.system('cat /etc/passwd'))" > "$SITE_PACKAGES/atomic_hook.pth"
cleanup_command: 'rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f
/tmp/atomic_python_hook_path.txt
'
T1037.003:
technique:
type: attack-pattern
@@ -38569,7 +38606,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -38605,7 +38642,44 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook Execution via .pth (Linux)
auto_generated_guid: 85f21c19-18ef-4450-98d8-05bb7b0e1887
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on Linux.
'
supported_platforms:
- linux
input_arguments:
python_path:
description: Path to Python interpreter
type: path
default: python3
dependency_executor_name: bash
dependencies:
- description: Ensure Python is installed
prereq_command: command -v
get_prereq_command: 'echo "Python3 not found. Please install it using your
package manager (e.g., ''sudo apt install python3'' or ''sudo yum install
python3'')."
'
executor:
name: bash
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_path})
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
echo "import sys, os; (not hasattr(sys, 'hook_run')) and (setattr(sys, 'hook_run', True) or os.system('cat /etc/passwd'))" > "$SITE_PACKAGES/atomic_hook.pth"
cleanup_command: 'rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f
/tmp/atomic_python_hook_path.txt
'
T1037.003:
technique:
type: attack-pattern
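Review bot: The Linux `cleanup_command` runs `rm -rf $(cat /tmp/atomic_python_hook_path.txt)` with the operand unquoted and taken from a predictable, world-writable location, so on a shared host another local user who rewrites that state file between the run and the cleanup can steer the deletion at any path the operator is allowed to remove, and a path containing whitespace would be split into several operands. A guarded form such as `d=$(cat /tmp/atomic_python_hook_path.txt 2>/dev/null); case "$d" in /tmp/atomic_python_hook_*) rm -rf -- "$d";; esac; rm -f /tmp/atomic_python_hook_path.txt` keeps the removal inside a directory the test itself created. The macOS cleanup in the sibling test uses the same unguarded pattern. As the index is generated, the change belongs in the source atomic YAML.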
+84 -4
@@ -23078,7 +23078,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -23114,7 +23114,47 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook Execution via .pth (macOS)
auto_generated_guid: 858b4aed-d76f-443d-a801-5454ea56dee0
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on macOS.
'
supported_platforms:
- macos
input_arguments:
exe_name:
description: App to launch
type: string
default: Calculator
python_path:
description: Path to Python interpreter
type: path
default: python3
dependency_executor_name: bash
dependencies:
- description: Ensure Python is installed
prereq_command: command -v
get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
(''brew install python'') or the macOS developer tools (''xcode-select --install'')."
'
executor:
name: bash
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_path})
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
cleanup_command: |
pkill "#{exe_name}" || true
[ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
T1037.003:
technique:
type: attack-pattern
@@ -35615,7 +35655,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -35651,7 +35691,47 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook Execution via .pth (macOS)
auto_generated_guid: 858b4aed-d76f-443d-a801-5454ea56dee0
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on macOS.
'
supported_platforms:
- macos
input_arguments:
exe_name:
description: App to launch
type: string
default: Calculator
python_path:
description: Path to Python interpreter
type: path
default: python3
dependency_executor_name: bash
dependencies:
- description: Ensure Python is installed
prereq_command: command -v
get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
(''brew install python'') or the macOS developer tools (''xcode-select --install'')."
'
executor:
name: bash
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_path})
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
cleanup_command: |
pkill "#{exe_name}" || true
[ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
T1037.003:
technique:
type: attack-pattern
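Review bot: The macOS dependency check is rendered as a bare `prereq_command: command -v`, which exits 0 with no argument, so the "Ensure Python is installed" prerequisite always passes and a host without `python3` only fails later inside the executor. Presumably the source atomic has an unquoted `command -v #{python_path}`, where YAML treats the ` #` as the start of a comment and drops the argument when the generator re-serialises the file; quoting it as `prereq_command: 'command -v #{python_path}'` (the Windows test already quotes its `Get-Command #{python_path}` check) would restore the intended test. The Linux test in this commit shows the same truncated `command -v`. This is an inference from the rendered output and is worth confirming against the source YAML.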
+4 -2
@@ -20243,7 +20243,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20279,6 +20279,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -31726,7 +31727,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -31762,6 +31763,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
+4 -2
@@ -20062,7 +20062,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20098,6 +20098,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -31494,7 +31495,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -31530,6 +31531,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
+98 -4
@@ -38012,7 +38012,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -38048,7 +38048,54 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook Execution via .pth (Windows)
auto_generated_guid: b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on Windows.
'
supported_platforms:
- windows
input_arguments:
exe_name:
description: Executable to launch
type: string
default: calc.exe
python_path:
description: Path to Python interpreter
type: path
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: Ensure Python is installed
prereq_command: 'if (Get-Command #{python_path} -ErrorAction SilentlyContinue)
{ exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "Python not found. Please install it from
https://www.python.org/downloads/windows/ or via ''winget install Python.Python.3''"
'
executor:
name: powershell
elevation_required: false
command: |
$TempDir = Join-Path $env:TEMP ("atomic_python_hook_" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $TempDir | Out-Null
Set-Location $TempDir
Set-Content -Path "$env:TEMP\atomic_python_hook_path.txt" -Value $TempDir
& "#{python_path}" -m venv env
$SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
"import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['#{exe_name}']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
& "$TempDir\env\Scripts\python.exe" -c "print('Interpreter started')"
cleanup_command: |
Get-Process CalculatorApp -ErrorAction SilentlyContinue | Stop-Process -Force
if (Test-Path "$env:TEMP\atomic_python_hook_path.txt") {
$TempDir = Get-Content "$env:TEMP\atomic_python_hook_path.txt"
Remove-Item -Recurse -Force $TempDir -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_python_hook_path.txt" -Force }
T1037.003:
technique:
type: attack-pattern
@@ -58924,7 +58971,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: Python Startup Hooks
name: 'Event Triggered Execution: Python Startup Hooks'
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -58960,7 +59007,54 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
atomic_tests: []
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook Execution via .pth (Windows)
auto_generated_guid: b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on Windows.
'
supported_platforms:
- windows
input_arguments:
exe_name:
description: Executable to launch
type: string
default: calc.exe
python_path:
description: Path to Python interpreter
type: path
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: Ensure Python is installed
prereq_command: 'if (Get-Command #{python_path} -ErrorAction SilentlyContinue)
{ exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "Python not found. Please install it from
https://www.python.org/downloads/windows/ or via ''winget install Python.Python.3''"
'
executor:
name: powershell
elevation_required: false
command: |
$TempDir = Join-Path $env:TEMP ("atomic_python_hook_" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $TempDir | Out-Null
Set-Location $TempDir
Set-Content -Path "$env:TEMP\atomic_python_hook_path.txt" -Value $TempDir
& "#{python_path}" -m venv env
$SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
"import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['#{exe_name}']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
& "$TempDir\env\Scripts\python.exe" -c "print('Interpreter started')"
cleanup_command: |
Get-Process CalculatorApp -ErrorAction SilentlyContinue | Stop-Process -Force
if (Test-Path "$env:TEMP\atomic_python_hook_path.txt") {
$TempDir = Get-Content "$env:TEMP\atomic_python_hook_path.txt"
Remove-Item -Recurse -Force $TempDir -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_python_hook_path.txt" -Force }
T1037.003:
technique:
type: attack-pattern
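Review bot: The Windows `cleanup_command` always stops `CalculatorApp`, ignoring the `exe_name` input argument, so a run with a non-default executable leaves the spawned process behind while the hook directory is removed. The executor also calls `Set-Location $TempDir` before building the venv, which, if the command runs in the caller's session, leaves the working directory inside the tree that cleanup later deletes; passing the path instead, `& "#{python_path}" -m venv "$TempDir\env"`, avoids that. For cleanup, deriving the process name from the argument, e.g. `Get-Process ([IO.Path]::GetFileNameWithoutExtension('#{exe_name}')) -ErrorAction SilentlyContinue | Stop-Process -Force`, would cover custom values, though the default `calc.exe` would presumably still need the existing `CalculatorApp` name since the stub hands off to the store Calculator. As this is a generated index, the fix belongs in the source atomic YAML.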
+193
@@ -0,0 +1,193 @@
# T1546.018 - Event Triggered Execution: Python Startup Hooks
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/018)
<blockquote>
Adversaries may achieve persistence by leveraging Pythons startup mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py` or `usercustomize.py` modules. These files are automatically processed during the initialization of the Python interpreter, allowing for the execution of arbitrary code whenever Python is invoked.(Citation: Volexity GlobalProtect CVE 2024)
Path configuration files are designed to extend Pythons module search paths through the use of import statements. If a `.pth` file is placed in Python's `site-packages` or `dist-packages` directories, any lines beginning with `import` will be executed automatically on Python invocation.(Citation: DFIR Python Persistence 2025) Similarly, if `sitecustomize.py` or `usercustomize.py` is present in the Python path, these files will be imported during interpreter startup, and any code they contain will be executed.(Citation: Python Site Configuration Hook)
Adversaries may abuse these mechanisms to establish persistence on systems where Python is widely used (e.g., for automation or scripting in production environments).
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Python Startup Hook Execution via .pth (Windows)](#atomic-test-1---python-startup-hook-execution-via-pth-windows)
- [Atomic Test #2 - Python Startup Hook Execution via .pth (Linux)](#atomic-test-2---python-startup-hook-execution-via-pth-linux)
- [Atomic Test #3 - Python Startup Hook Execution via .pth (macOS)](#atomic-test-3---python-startup-hook-execution-via-pth-macos)
<br/>
## Atomic Test #1 - Python Startup Hook Execution via .pth (Windows)
Creates a Python startup hook using a .pth file inside a virtual environment on Windows.
**Supported Platforms:** Windows
**auto_generated_guid:** b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_name | Executable to launch | string | calc.exe|
| python_path | Path to Python interpreter | path | python.exe|
#### Attack Commands: Run with `powershell`!
```powershell
$TempDir = Join-Path $env:TEMP ("atomic_python_hook_" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $TempDir | Out-Null
Set-Location $TempDir
Set-Content -Path "$env:TEMP\atomic_python_hook_path.txt" -Value $TempDir
& "#{python_path}" -m venv env
$SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
"import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['#{exe_name}']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
& "$TempDir\env\Scripts\python.exe" -c "print('Interpreter started')"
```
#### Cleanup Commands:
```powershell
Get-Process CalculatorApp -ErrorAction SilentlyContinue | Stop-Process -Force
if (Test-Path "$env:TEMP\atomic_python_hook_path.txt") {
$TempDir = Get-Content "$env:TEMP\atomic_python_hook_path.txt"
Remove-Item -Recurse -Force $TempDir -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_python_hook_path.txt" -Force }
```
#### Dependencies: Run with `powershell`!
##### Description: Ensure Python is installed
##### Check Prereq Commands:
```powershell
if (Get-Command #{python_path} -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
Write-Host "Python not found. Please install it from https://www.python.org/downloads/windows/ or via 'winget install Python.Python.3'"
```
<br/>
<br/>
## Atomic Test #2 - Python Startup Hook Execution via .pth (Linux)
Creates a Python startup hook using a .pth file inside a virtual environment on Linux.
**Supported Platforms:** Linux
**auto_generated_guid:** 85f21c19-18ef-4450-98d8-05bb7b0e1887
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| python_path | Path to Python interpreter | path | python3|
#### Attack Commands: Run with `bash`!
```bash
PYTHON_EXE=$(command -v #{python_path})
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
echo "import sys, os; (not hasattr(sys, 'hook_run')) and (setattr(sys, 'hook_run', True) or os.system('cat /etc/passwd'))" > "$SITE_PACKAGES/atomic_hook.pth"
```
#### Cleanup Commands:
```bash
rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
```
#### Dependencies: Run with `bash`!
##### Description: Ensure Python is installed
##### Check Prereq Commands:
```bash
command -v
```
##### Get Prereq Commands:
```bash
echo "Python3 not found. Please install it using your package manager (e.g., 'sudo apt install python3' or 'sudo yum install python3')."
```
<br/>
<br/>
## Atomic Test #3 - Python Startup Hook Execution via .pth (macOS)
Creates a Python startup hook using a .pth file inside a virtual environment on macOS.
**Supported Platforms:** macOS
**auto_generated_guid:** 858b4aed-d76f-443d-a801-5454ea56dee0
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_name | App to launch | string | Calculator|
| python_path | Path to Python interpreter | path | python3|
#### Attack Commands: Run with `bash`!
```bash
PYTHON_EXE=$(command -v #{python_path})
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XXXXXX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/python" -c "import site; print(site.getsitepackages()[0])")
echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Interpreter started')"
```
#### Cleanup Commands:
```bash
pkill "#{exe_name}" || true
[ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
```
#### Dependencies: Run with `bash`!
##### Description: Ensure Python is installed
##### Check Prereq Commands:
```bash
command -v
```
##### Get Prereq Commands:
```bash
echo "Python3 not found. Please install it using Homebrew ('brew install python') or the macOS developer tools ('xcode-select --install')."
```
<br/>
+3
@@ -2,6 +2,7 @@ attack_technique: T1546.018
display_name: "Event Triggered Execution: Python Startup Hooks"
atomic_tests:
- name: "Python Startup Hook Execution via .pth (Windows)"
auto_generated_guid: b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
description: |
Creates a Python startup hook using a .pth file inside a virtual environment on Windows.
supported_platforms:
@@ -42,6 +43,7 @@ atomic_tests:
Remove-Item "$env:TEMP\atomic_python_hook_path.txt" -Force }
- name: "Python Startup Hook Execution via .pth (Linux)"
auto_generated_guid: 85f21c19-18ef-4450-98d8-05bb7b0e1887
description: |
Creates a Python startup hook using a .pth file inside a virtual environment on Linux.
supported_platforms:
@@ -71,6 +73,7 @@ atomic_tests:
rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
- name: "Python Startup Hook Execution via .pth (macOS)"
auto_generated_guid: 858b4aed-d76f-443d-a801-5454ea56dee0
description: |
Creates a Python startup hook using a .pth file inside a virtual environment on macOS.
supported_platforms:
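Review bot: The Linux and macOS cleanup commands shown as context in the second and third hunks (`rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt`) hand an unquoted, unvalidated path read from a fixed-name marker file in /tmp to `rm -rf`, so an empty or edited marker makes cleanup either fail to remove the marker or delete something other than the directory the test created with `mktemp -d`. Reading it into a variable and restricting it to the expected prefix avoids that, e.g. `hook_dir=$(cat /tmp/atomic_python_hook_path.txt)` followed by `[[ "${hook_dir:?}" == /tmp/atomic_python_hook_* ]] && rm -rf -- "$hook_dir"`; the Windows cleanup in the first hunk (`Remove-Item -Recurse -Force $TempDir` fed from `$env:TEMP\atomic_python_hook_path.txt`) has the same shape and would benefit from the same guard. Separately, the generated markdown for this technique renders the Linux and macOS prereq check as a bare `command -v` with no operand, which exits 0 whether or not Python is installed; if the YAML `prereq_command` really is that, it should read `command -v #{python_path}`. Each of the three atomic test definitions starts before and ends after its hunk, so the cleanup and prereq lines in question are only partly visible here.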
+3
@@ -1786,3 +1786,6 @@ d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1
c63bbe52-6f17-4832-b221-f07ba8b1736f
98f19852-7348-4f99-9e15-6ff4320464c7
42111a6f-7e7f-482c-9b1b-3cfd090b999c
b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
85f21c19-18ef-4450-98d8-05bb7b0e1887
858b4aed-d76f-443d-a801-5454ea56dee0