MITRE ATT&CK® Analytic

AN0172: Analytic 0172

Detects Python execution via python.exe or py.exe with anomalous parent lineage (e.g., Office macros, LOLBAS), execution from unusual directories, or chained network/PowerShell/system-level activity.

Enterprise | AN0172 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0172 is a Windows detection analytic focused on suspicious Python launcher or interpreter use, especially when python.exe or py.exe appears under unusual parent processes such as Office macro activity or LOLBAS-style execution, runs from uncommon directories, or is followed by network, PowerShell, or system-level activity. For leaders, the practical issue is not Python itself; it is whether the organization can distinguish legitimate scripting from Python being used as a flexible execution layer in a suspicious chain.

Executive priority

Prioritize this analytic where Windows endpoints allow Python or where users can introduce interpreters outside managed software channels. It supports business resilience by testing whether SOC and IR teams can quickly answer: who launched Python, from where, under what parent process, and what happened next. It is also useful evidence for control reviews around endpoint visibility, application governance, macro risk, and response readiness.

Technical view

Validate Windows process telemetry for python.exe and py.exe, including parent process lineage, command line, working directory or image path, user context, and follow-on child processes. The analytic is most decision-useful when correlated with suspicious parents such as Office applications or LOLBAS-associated binaries, execution from unusual directories, and chained activity involving network connections, PowerShell, or system-level tooling. Because no official detection logic is supplied, teams should implement this as a behavior-based correlation and tune against approved developer, automation, and administrative Python usage.

Likely telemetry

  • Windows process creation events with image name, command line, parent process, user, and path
  • Parent-child process lineage for Office applications, LOLBAS-related binaries, PowerShell, and system utilities
  • File path or execution directory context for python.exe and py.exe
  • Network connection telemetry tied to the Python process where available
  • PowerShell execution telemetry following or related to Python activity

Detection direction

  • Baseline legitimate Python use by developers, administrators, automation tools, and packaged applications before alerting broadly.
  • Alert on python.exe or py.exe launched by unusual parents, especially Office applications or LOLBAS-style binaries, when supported by local process telemetry.
  • Increase severity when Python execution occurs from unusual directories or is followed by network, PowerShell, or system-level activity.
  • Tune false positives for sanctioned software distributions, build systems, data science tools, and enterprise automation.
  • Check for blind spots where command-line logging, parent process capture, network-to-process attribution, or PowerShell telemetry is missing.
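The correlation described in the technical view and the detection direction above, as an added example that is not Glexia's or MITRE's code: it walks constructed process-creation and network events, flags python.exe or py.exe launches with an anomalous parent, an install path outside assumed approved roots, or follow-on PowerShell/system/network activity, and raises severity when signals stack. The parent set, approved roots and follow-on tool list are assumed starter values to be tuned against your own baseline.

```python
import ntpath

INTERPRETERS = {"python.exe", "py.exe"}
# Assumed anomalous parents: Office hosts plus LOLBAS-style script hosts (tune locally).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}
# Assumed follow-on children that mark PowerShell or system-level activity.
CHAIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "net.exe", "whoami.exe", "reg.exe", "sc.exe"}
# Assumed approved interpreter locations; anything else counts as an unusual directory.
APPROVED_ROOTS = (r"c:\program files\python", r"c:\program files (x86)\python", r"c:\python")
APPROVED_FRAGMENT = "\\appdata\\local\\programs\\python\\"   # per-user managed installs

def unusual_directory(image_path: str) -> bool:
    p = image_path.lower()
    return not (p.startswith(APPROVED_ROOTS) or APPROVED_FRAGMENT in p)

def correlate(events: list[dict]) -> list[dict]:
    """events: time-ordered process_create / network_connect records (Sysmon-like fields).
    Returns one finding per interpreter launch that carries at least one signal."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "process_create" or ntpath.basename(ev["image"]).lower() not in INTERPRETERS:
            continue
        signals = []
        if ntpath.basename(ev["parent_image"]).lower() in SUSPICIOUS_PARENTS:
            signals.append("suspicious_parent")
        if unusual_directory(ev["image"]):
            signals.append("unusual_directory")
        for later in events[i + 1:]:          # chained activity attributed to this PID
            if later["type"] == "process_create" and later["ppid"] == ev["pid"] \
                    and ntpath.basename(later["image"]).lower() in CHAIN_CHILDREN:
                signals.append("child:" + ntpath.basename(later["image"]).lower())
            elif later["type"] == "network_connect" and later["pid"] == ev["pid"]:
                signals.append("network:" + later["dest"])
        if signals:
            findings.append({"pid": ev["pid"], "user": ev["user"], "parent": ev["parent_image"],
                             "image": ev["image"], "signals": signals,
                             "severity": "high" if len(signals) > 1 else "medium"})
    return findings

# Constructed sample telemetry: one Office-spawned chain and one sanctioned developer launch.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 512, "ppid": 400, "user": "CORP\\alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\python.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process_create", "pid": 520, "ppid": 512, "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\python.exe"},
    {"type": "network_connect", "pid": 512, "dest": "203.0.113.10:443"},
    {"type": "process_create", "pid": 600, "ppid": 300, "user": "CORP\\bob",
     "image": r"C:\Users\bob\AppData\Local\Programs\Python\Launcher\py.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single high-severity finding for PID 512 and nothing for the managed py.exe launch, which is the tuning boundary the baseline step above is meant to establish.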

Mitigation priorities

  • Inventory where Python is approved on Windows endpoints and restrict unmanaged interpreter installation or execution where business use does not require it.
  • Harden macro and script execution pathways that could launch interpreters from Office or similar user-facing applications.
  • Use application control or allowlisting policies where feasible to constrain Python execution paths and approved parent-child relationships.
  • Ensure EDR or endpoint logging captures process lineage, command line, path, and related network or PowerShell activity.
  • Prepare IR playbooks to triage suspicious Python execution by user, host role, parent process, directory, and follow-on activity.

Analyst notes and limits

This object is a detection analytic, not a technique description. The supplied ATT&CK fields identify Windows as the platform and describe suspicious Python execution patterns, but no tactics, relationships, or official detection query are provided. Treat it as a validation target for endpoint visibility and behavior correlation rather than a complete detection rule.

Assessment is limited to the official description, platform, external reference, and absence of relationship context. No active exploitation, actor attribution, impact, prevalence, or guaranteed detection coverage can be inferred from the supplied object.

Official MITRE ATT&CK definition

Analytic 0172

Detects Python execution via python.exe or py.exe with anomalous parent lineage (e.g., Office macros, LOLBAS), execution from unusual directories, or chained network/PowerShell/system-level activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 0be7e121f996f905...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 0be7e121f996…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0172 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.