AN0174: Analytic 0174
Detects Python execution from non-standard user contexts or cron jobs that invoke outbound traffic, access sensitive files, or perform process injection (e.g., ptrace or /proc memory maps).
Analyst context for executives and security teams
This analytic matters because unexpected Python activity on Linux can be a practical signal of automation abuse, unauthorized scripting, or post-compromise behavior, especially when it runs from unusual user contexts or cron and then reaches out to the network, touches sensitive files, or interacts with process memory. For leaders, the value is not that “Python is bad,” but whether the organization can distinguish approved administration and scheduled jobs from behavior that may require incident response.
Executive priority
Prioritize this as a Linux monitoring and operational resilience validation item. Security leaders should ask whether SOC teams have visibility into cron-driven execution, user context, outbound connections, sensitive file access, and process-memory interaction on Linux systems. The business decision is whether current logging and triage processes can provide timely evidence when Python-based activity appears outside expected administrative patterns.
Technical view
For SOC, detection engineering, and IR teams, validate whether Linux telemetry can correlate Python process execution with parent context, user identity, cron invocation, outbound network activity, sensitive file access, and indicators of process injection such as ptrace use or access to /proc memory maps. Because no official detection logic is provided, teams should develop environment-specific baselines for approved Python automation, service accounts, and scheduled jobs before alerting on deviations.
Likely telemetry
- Linux process creation events including command line, parent process, user, working directory, and executable path
- Cron job execution records and scheduled task configuration changes
- Outbound network connection metadata associated with Python processes
- File access telemetry for sensitive files relevant to the local Linux environment
- Audit or endpoint telemetry for ptrace activity and access to /proc memory maps
Detection direction
- Baseline legitimate Python usage by administrators, applications, service accounts, and cron jobs before treating unusual context as suspicious.
- Correlate Python execution with multiple risk signals: non-standard user context, cron origin, outbound traffic, sensitive file access, or process-memory interaction.
- Tune out known maintenance scripts and application workloads to reduce false positives, while preserving visibility into new or changed cron-driven Python activity.
- Validate that telemetry links process, user, parent process, network, and file-access events; isolated logs may be insufficient for confident triage.
- Because no ATT&CK relationship context or formal detection logic is supplied, avoid mapping this analytic to unsupported tactics or assuming broad behavioral coverage.
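The Technical view and Detection direction bullets above describe a correlation rather than a single-event match: a Python process is interesting only when an unusual execution context (cron parent or non-standard user) coincides with a risky behaviour (outbound connection, sensitive file access, ptrace or /proc memory access) on the same pid, and approved automation is exempted first. The following is an added example that implements that logic; it is not MITRE's or Glexia's code. The baseline sets, event field names and the sample events are all constructed assumptions standing in for what your EDR or auditd pipeline actually emits.

```python
"""Correlate Linux process, network and file telemetry to surface Python that
runs from cron or a non-standard user and then reaches the network, reads
sensitive files, or touches process memory.

Added example for the AN0174 description; not MITRE's or Glexia's code.
Baselines, field names and the sample events below are constructed."""
import re
from collections import defaultdict

# Assumed baseline (hypothetical): users expected to run Python at all, and
# (user, script prefix) pairs for approved automation. Derive from inventory.
EXPECTED_PYTHON_USERS = {"root", "backup"}
APPROVED_AUTOMATION = {("backup", "/opt/backup/")}
CRON_PARENTS = {"cron", "crond", "anacron"}
SENSITIVE_PREFIXES = ("/etc/shadow", "/etc/sudoers", "/root/.ssh/")
USER_SSH_RE = re.compile(r"^/home/[^/]+/\.ssh/")
PROC_MEM_RE = re.compile(r"^/proc/\d+/(mem|maps)$")
PYTHON_EXE_RE = re.compile(r"^python(\d+(\.\d+)?)?$")


def is_python(exe):
    """True for python, python3, python3.11 and similar interpreter basenames."""
    return bool(PYTHON_EXE_RE.match(exe.rsplit("/", 1)[-1]))


def script_path(cmdline):
    """First non-option argument after the interpreter, used for baselining."""
    for arg in cmdline.split()[1:]:
        if not arg.startswith("-"):
            return arg
    return ""


def is_approved(proc):
    """Exempt (user, script prefix) pairs that inventory says are expected."""
    script = script_path(proc["cmdline"])
    return any(proc["user"] == user and script.startswith(prefix)
               for user, prefix in APPROVED_AUTOMATION)


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES) or bool(USER_SSH_RE.match(path))


def correlate(events):
    """Return one finding per Python process that has both an unusual
    execution context and at least one risky behaviour on the same pid."""
    procs, by_pid = {}, defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
        else:
            by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, proc in procs.items():
        if not is_python(proc["exe"]) or is_approved(proc):
            continue
        context = set()
        if proc["parent_comm"] in CRON_PARENTS:
            context.add("cron_origin")
        if proc["user"] not in EXPECTED_PYTHON_USERS:
            context.add("nonstandard_user")
        if not context:
            continue  # ordinary admin or interactive use is out of scope here
        behaviour = set()
        for ev in by_pid[pid]:
            if ev["type"] == "connect":
                behaviour.add("outbound_connection")
            elif ev["type"] == "ptrace":
                behaviour.add("ptrace")
            elif ev["type"] == "file_open":
                if PROC_MEM_RE.match(ev["path"]):
                    behaviour.add("process_memory_access")
                elif is_sensitive(ev["path"]):
                    behaviour.add("sensitive_file_access")
        if behaviour:
            findings.append({"pid": pid, "user": proc["user"],
                             "cmdline": proc["cmdline"],
                             "context": sorted(context),
                             "behaviour": sorted(behaviour)})
    return findings


# Constructed sample telemetry: one approved cron job, one malicious cron job,
# one root admin one-liner, one memory-reading script, one non-Python cron job.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 101, "user": "backup", "parent_comm": "cron",
     "exe": "/usr/bin/python3", "cmdline": "/usr/bin/python3 /opt/backup/rotate.py"},
    {"type": "connect", "pid": 101, "dst": "10.0.0.5", "dport": 443},
    {"type": "process", "pid": 102, "user": "www-data", "parent_comm": "cron",
     "exe": "/usr/bin/python3.11", "cmdline": "python3.11 /tmp/.x.py"},
    {"type": "connect", "pid": 102, "dst": "203.0.113.10", "dport": 4444},
    {"type": "file_open", "pid": 102, "path": "/etc/shadow"},
    {"type": "ptrace", "pid": 102, "target_pid": 1200},
    {"type": "process", "pid": 103, "user": "root", "parent_comm": "bash",
     "exe": "/usr/bin/python3", "cmdline": "python3 -c 'import pwd'"},
    {"type": "file_open", "pid": 103, "path": "/etc/shadow"},
    {"type": "process", "pid": 104, "user": "deploy", "parent_comm": "sshd",
     "exe": "/usr/local/bin/python3", "cmdline": "python3 inject.py"},
    {"type": "file_open", "pid": 104, "path": "/proc/1200/mem"},
    {"type": "process", "pid": 105, "user": "www-data", "parent_comm": "cron",
     "exe": "/usr/bin/curl", "cmdline": "curl http://203.0.113.10/"},
    {"type": "connect", "pid": 105, "dst": "203.0.113.10", "dport": 80},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"pid={f['pid']} user={f['user']} context={f['context']} "
              f"behaviour={f['behaviour']} cmd={f['cmdline']}")
```

Run as-is it reports pids 102 and 104 only: 101 is approved automation, 103 is root at an interactive shell (no unusual context), and 105 is not Python. The point the page makes about isolated logs applies directly: without the pid join between the process event and the connect/file/ptrace events, neither finding can be made with confidence.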
Mitigation priorities
- Inventory approved Python automation and cron jobs on Linux systems, including owners and expected network/file access patterns.
- Restrict unnecessary privileged access for service accounts and scheduled jobs where operationally feasible.
- Ensure Linux endpoint, audit, and network logging are retained long enough to support incident response reconstruction.
- Review controls around sensitive file access and process inspection capabilities such as ptrace based on business need.
- Use detections as a validation point for managed detection, IR readiness, and compliance evidence around Linux monitoring coverage.
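The inventory step above (approved Python automation and cron jobs, with owners) is mostly a parsing job: system crontabs such as /etc/crontab and /etc/cron.d/* carry a user field between the schedule and the command, per-user crontabs do not, and both accept @reboot-style shortcuts. The following is an added example that builds such an inventory from crontab text; it is not the page's or MITRE's code. The crontab contents are constructed, and the recognition of a Python job is a heuristic (an interpreter name anywhere in the command's argv) that you may want to extend for wrapper scripts.

```python
"""Inventory Python invocations in crontab-format text, attributed to an owner.

Added example; crontab contents below are constructed. In practice read
/etc/crontab and /etc/cron.d/* as system files and /var/spool/cron/crontabs/<user>
(or the output of `crontab -l -u <user>`) as per-user files."""
import re
import shlex

PYTHON_TOKEN_RE = re.compile(r"(^|/)python(\d+(\.\d+)?)?$")
ENV_LINE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text, system=False, owner=None):
    """Return (owner, schedule, command) tuples for each job line.

    system=True means the six-field format with a user column (/etc/crontab,
    /etc/cron.d); otherwise the file belongs to `owner` and has no user column."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE_RE.match(line):
            continue  # blank line, comment, or SHELL=/PATH=/MAILTO= assignment
        if line.startswith("@"):
            parts = line.split(None, 2 if system else 1)
            schedule, rest = parts[0], parts[1:]
        else:
            parts = line.split(None, 6 if system else 5)
            if len(parts) < (7 if system else 6):
                continue  # malformed line: cron itself would reject it
            schedule, rest = " ".join(parts[:5]), parts[5:]
        if system:
            if len(rest) < 2:
                continue
            user, command = rest[0], rest[1]
        else:
            if not rest:
                continue
            user, command = owner, rest[0]
        entries.append((user, schedule, command))
    return entries


def python_jobs(entries):
    """Keep jobs whose command line names a Python interpreter (directly or
    via /usr/bin/env python3); records owner, schedule and the full command."""
    jobs = []
    for user, schedule, command in entries:
        try:
            argv = shlex.split(command)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            argv = command.split()
        if any(PYTHON_TOKEN_RE.search(tok) for tok in argv):
            jobs.append({"owner": user, "schedule": schedule, "command": command})
    return jobs


def inventory(sources):
    """sources: iterable of (text, is_system, owner). Returns the Python jobs."""
    entries = []
    for text, is_system, owner in sources:
        entries.extend(parse_crontab(text, system=is_system, owner=owner))
    return python_jobs(entries)


# Constructed sample input standing in for /etc/crontab and one user crontab.
SYSTEM_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0  3    * * *   backup  /usr/bin/python3 /opt/backup/rotate.py --keep 14
@reboot         www-data /usr/bin/env python3 /var/www/.cache/sync.py
"""

USER_CRONTAB_DEPLOY = """\
# deploy's crontab
*/5 * * * * /usr/local/bin/python3.11 /home/deploy/health.py >> /var/log/health.log 2>&1
30 2 * * 0 tar czf /tmp/home.tgz /home/deploy
"""

if __name__ == "__main__":
    for job in inventory([(SYSTEM_CRONTAB, True, None),
                          (USER_CRONTAB_DEPLOY, False, "deploy")]):
        print(f"{job['owner']:<10} {job['schedule']:<12} {job['command']}")
```

The www-data @reboot job running a script out of a dot-directory under the web root is exactly the kind of entry the inventory should force an owner to justify; the tar job is listed by parse_crontab but dropped by python_jobs because it never names an interpreter. Pair the resulting table with the expected network and file-access pattern for each job before using it as an allowlist.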
Analyst notes and limits
This object is a detection analytic for Linux only. The supplied description focuses on Python execution from unusual user contexts or cron jobs combined with outbound traffic, sensitive file access, or process injection indicators. There are no supplied tactics, relationships, aliases, or official detection implementation details, so this analysis emphasizes validation and tuning rather than a prescriptive rule.
The source does not provide detection logic, ATT&CK tactic mapping, related techniques, observed adversary use, or platform coverage beyond Linux. Local baselines are required to distinguish legitimate administration and application automation from suspicious Python behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 952669de71d6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0174
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.