AN0173: Analytic 0173
Detects native Python or framework-based execution from Terminal, embedded apps, or launchd jobs. Flags network calls, persistence writes, or system enumeration after Python launch.
Analyst context for executives and security teams
AN0173 is a macOS detection analytic focused on Python execution that becomes suspicious when followed by network activity, persistence writes, or system enumeration. For leaders, the value is not “Python is bad”; it is confirming whether the organization can distinguish normal developer/admin automation from interpreter-driven activity that may support persistence, discovery, or command-and-control style behavior on Macs.
Executive priority
Prioritize this as a macOS endpoint visibility and response-readiness question. Security leaders should ask whether SOC teams can see Python launched from Terminal, embedded applications, and launchd jobs, and whether that activity can be correlated with follow-on network calls, persistence-related writes, or enumeration. This supports business continuity by reducing blind spots on managed Macs, provides audit evidence for endpoint monitoring coverage, and helps avoid over-investing in alerts that cannot be triaged due to missing process, file, or network context.
Technical view
Validate macOS telemetry for native Python or framework-based Python execution, especially parent contexts of Terminal, embedded apps, and launchd. Because the official object does not provide a concrete detection query, teams should build coverage around behavioral correlation: Python launch plus subsequent network connection, persistence write, or system-enumeration activity. Tuning should account for legitimate developer workflows, administrative scripts, endpoint management tooling, and scheduled automation.
Likely telemetry
- macOS process creation events including executable path, command line, parent process, user, and timestamp
- Parent/launcher context for Terminal, embedded applications, and launchd jobs
- Network connection events initiated by Python processes
- File write or configuration-change telemetry related to persistence mechanisms
- System enumeration evidence such as process, system, account, or host information collection commands or API activity
Detection direction
- Confirm that Python execution is visible across the supported platform: macOS.
- Correlate Python launch events with follow-on network calls, persistence writes, or system enumeration rather than alerting on interpreter use alone.
- Baseline expected developer, administrator, and management-tool Python activity to reduce false positives.
- Pay special attention to Python launched by launchd or embedded applications, because these parent contexts can be missed if telemetry only tracks interactive shell use.
- Document gaps where command-line, parent-process, file-write, or network telemetry is absent; those gaps materially limit this analytic.
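The correlation the points above describe, as an added illustration that is not part of the ATT&CK object or Glexia's analysis: over constructed sample telemetry, a Python launch (native binary or Python.framework interpreter) is reported only when a network connection, a write under a LaunchAgents/LaunchDaemons path, or an enumeration child process follows it within a time window, and launchers on an assumed approved-parent baseline (the placeholder path /opt/mdm-agent/bin/agent) are tuned out. The persistence paths, enumeration tool list and window are assumptions a team would replace with its own baseline.

```python
from datetime import datetime, timedelta
PERSISTENCE_PATHS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/", "/Library/StartupItems/")
ENUM_TOOLS = {"sw_vers", "system_profiler", "dscl", "ps", "ifconfig", "whoami", "id", "uname"}

def is_python(exe):  # native python*, or an interpreter embedded in Python.framework
    return exe.rsplit("/", 1)[-1].startswith("python") or "/Python.framework/" in exe

def parent_context(parent):
    """Launcher class the analytic cares about: launchd, Terminal, embedded app, or other."""
    if parent.endswith("/launchd"): return "launchd"
    if "Terminal.app/" in parent: return "terminal"
    return "embedded_app" if ".app/" in parent else "other"

def correlate(events, window=timedelta(minutes=10), approved_parents=frozenset()):
    """Map each Python pid to its launcher context and the follow-on behaviors seen inside the window."""
    launches, findings = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process" and is_python(ev["exe"]):
            if ev["parent"] not in approved_parents:  # baselined launchers are tuned out
                launches[ev["pid"]] = (t, parent_context(ev["parent"]))
            continue
        owner = ev["ppid"] if ev["type"] == "process" else ev["pid"]  # child processes map to the interpreter
        if owner not in launches or t - launches[owner][0] > window:
            continue
        if ev["type"] == "network":
            tag = "network"
        elif ev["type"] == "file" and any(p in ev["path"] for p in PERSISTENCE_PATHS):
            tag = "persistence_write"
        elif ev["type"] == "process" and ev["exe"].rsplit("/", 1)[-1] in ENUM_TOOLS:
            tag = "enumeration"
        else:
            continue
        findings.setdefault(owner, {"context": launches[owner][1], "behaviors": set()})["behaviors"].add(tag)
    return findings

# Constructed sample telemetry (not real data); /opt/mdm-agent/bin/agent is a placeholder approved launcher.
EVENTS = [
    {"ts": "2026-03-01T09:00:00", "type": "process", "pid": 501, "ppid": 400, "exe": "/usr/bin/python3",
     "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"ts": "2026-03-01T09:00:05", "type": "file", "pid": 501, "path": "/Users/dev/proj/out.txt"},
    {"ts": "2026-03-01T09:10:00", "type": "process", "pid": 502, "ppid": 1, "parent": "/sbin/launchd",
     "exe": "/Library/Frameworks/Python.framework/Versions/3.12/bin/python3"},
    {"ts": "2026-03-01T09:10:02", "type": "network", "pid": 502, "dest": "203.0.113.10:443"},
    {"ts": "2026-03-01T09:10:04", "type": "file", "pid": 502, "path": "/Users/dev/Library/LaunchAgents/com.example.x.plist"},
    {"ts": "2026-03-01T09:10:06", "type": "process", "pid": 503, "ppid": 502, "exe": "/usr/bin/sw_vers"},
    {"ts": "2026-03-01T09:20:00", "type": "process", "pid": 504, "ppid": 300, "exe": "/usr/bin/python3", "parent": "/opt/mdm-agent/bin/agent"},
    {"ts": "2026-03-01T09:20:01", "type": "network", "pid": 504, "dest": "198.51.100.5:443"},
]
```

Running `correlate(EVENTS, approved_parents={"/opt/mdm-agent/bin/agent"})` reports only pid 502 (launchd context, all three behaviors); the Terminal build script writing a project file and the baselined management-agent launch produce nothing.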
Mitigation priorities
- Inventory legitimate Python use on macOS systems and identify approved automation paths.
- Apply change control and monitoring around launchd jobs and persistence-related writes.
- Ensure endpoint monitoring captures process, file, and network context needed for triage.
- Use least-privilege and administrative control practices to limit unnecessary ability to create persistence or run unmanaged automation.
- Provide SOC runbooks that distinguish expected Python workflows from suspicious correlated behavior.
Analyst notes and limits
This object is a detection analytic, not a technique description. ATT&CK supplies macOS as the platform and describes the analytic behavior, but does not provide tactics, relationships, aliases, or an official detection query. Treat this as a coverage-validation prompt for macOS endpoint monitoring rather than a complete rule.
No relationship context, tactic mapping, detection logic, procedure examples, attribution, or exploitation claims were supplied. Local baselining is required to determine what Python execution is normal in a given environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 87af7b98e27e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0173 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.