MITRE ATT&CK® Detection Strategy

DET0063: Cross-Platform Behavioral Detection of Python Execution

Enterprise | DET0063 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0063 is a MITRE ATT&CK detection strategy for identifying Python execution behavior across environments. Its business value is that Python is a common, legitimate administrative and development tool, but ATT&CK also maps it to adversary execution behavior under T1059.006. For leaders, the practical question is not whether Python exists, but whether the organization can distinguish expected Python use from unusual execution that may affect incident response speed, SOC triage quality, and control assurance.

Executive priority

Prioritize this as a visibility and governance issue wherever Python is present on ESXi, Linux, macOS, or Windows systems. Security leaders should ask which business units and systems legitimately require Python, whether SOC telemetry can show where and how Python runs, and whether exceptions are documented for audit and incident decision-making. Because the supplied ATT&CK object carries no official detection logic or platform list of its own, investment decisions should be based on local exposure, asset criticality, and the related ATT&CK Python execution technique.

Technical view

The strategy is linked to ATT&CK technique T1059.006, Python, under the Execution tactic. SOC and detection engineering teams should validate visibility into Python interpreter and script execution on the related platforms: ESXi, Linux, macOS, and Windows. Since no official detection text is supplied for DET0063, teams should not assume coverage; instead, they should test whether endpoint, process, command-line, script, and asset context are rich enough to support behavioral analysis that separates Python use from approved administration or development activity.

Likely telemetry

  • Process execution events for Python interpreters and compiled Python-based executables
  • Command-line arguments and parent/child process relationships
  • Script file execution or file creation metadata for .py content where collected
  • Endpoint telemetry from ESXi, Linux, macOS, and Windows where Python may run
  • User, host, and asset context to separate expected administrative or development use from unusual execution

Detection direction

  • Validate that telemetry exists before tuning detections; DET0063 does not provide official detection logic in the supplied fields.
  • Baseline legitimate Python use by host role, user role, and administrative workflow to reduce false positives.
  • Look for unusual Python execution context, especially unexpected parent processes, command-line use, or execution on systems where Python is not expected, while avoiding claims of maliciousness without corroboration.
  • Correlate Python execution with the related ATT&CK execution behavior T1059.006 and with local incident context rather than treating all Python activity as suspicious.
  • Check platform blind spots across ESXi, Linux, macOS, and Windows, since collection depth and process visibility often differ by operating environment.
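The baseline-then-deviation approach described in the points above, as an added example (not part of this page, and not MITRE's or Glexia's detection logic). It builds a baseline of (host role, user, parent process) tuples from a window of known-good Python executions, then scores later process-execution events for the context changes the list calls out: execution on a host role where Python was never baselined, an unexpected parent process, or a user not previously seen for that role. The event schema, the baseline key, the score weights, and the decision to treat inline `-c` or stdin execution as higher-risk command-line context are all assumptions for illustration; all events are constructed.

```python
"""Baseline-then-deviation scoring for Python interpreter execution events.

Added example: the event schema, baseline key, weights and sample events are
assumptions, not DET0063 logic. Scores are triage hints, not verdicts.
"""
import re
from dataclasses import dataclass

# Matches common interpreter image names: python, python3, python3.11, python.exe
PY_INTERPRETER = re.compile(r"(^|[\\/])python(\d+(\.\d+)?)?(\.exe)?$", re.I)


@dataclass(frozen=True)
class ProcEvent:
    host: str
    host_role: str      # asset context, e.g. "dev-workstation", "web-server", "esxi"
    user: str
    parent_image: str   # full path of the parent process image
    image: str          # full path of the executed image
    cmdline: str


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def is_python(ev: ProcEvent) -> bool:
    return bool(PY_INTERPRETER.search(ev.image))


def build_baseline(events):
    """Set of (host_role, user, parent basename) observed for Python in the baseline window."""
    return {
        (ev.host_role, ev.user, basename(ev.parent_image))
        for ev in events if is_python(ev)
    }


def score_event(ev: ProcEvent, baseline) -> tuple[int, list[str]]:
    """Return (score, reasons); 0 means consistent with the baseline."""
    if not is_python(ev):
        return 0, []
    score, reasons = 0, []
    parent = basename(ev.parent_image)
    roles_seen = {role for role, _, _ in baseline}
    if ev.host_role not in roles_seen:
        score += 3
        reasons.append(f"python not baselined on role {ev.host_role}")
    elif (ev.host_role, ev.user, parent) not in baseline:
        parents_for_role = {p for r, _, p in baseline if r == ev.host_role}
        if parent not in parents_for_role:
            score += 2
            reasons.append(f"unexpected parent {parent} for role {ev.host_role}")
        else:
            score += 1
            reasons.append(f"user {ev.user} not baselined for role {ev.host_role}")
    # Command-line context (assumed weight): code passed inline or read from stdin
    # leaves no script file behind and is worth a closer look in triage.
    args = ev.cmdline.split()[1:]
    if "-c" in args:
        score += 1
        reasons.append("inline code via -c")
    if "-" in args:
        score += 1
        reasons.append("code read from stdin")
    return score, reasons


def triage(events, baseline, threshold: int = 2):
    """Events at or above threshold, highest score first (stable for ties)."""
    scored = [(score_event(ev, baseline), ev) for ev in events]
    hits = [(s, ev.host, r) for (s, r), ev in scored if s >= threshold]
    return sorted(hits, key=lambda h: -h[0])


# Constructed baseline window: approved development and deployment use.
BASELINE_WINDOW = [
    ProcEvent("dev01", "dev-workstation", "alice", "/usr/bin/bash", "/usr/bin/python3", "python3 build.py"),
    ProcEvent("dev02", "dev-workstation", "bob", "/usr/bin/zsh", "/usr/bin/python3.11", "python3.11 -m pytest"),
    ProcEvent("web01", "web-server", "svc-deploy", "/usr/bin/ansible", "/usr/bin/python3", "python3 /opt/deploy/run.py"),
]
BASELINE = build_baseline(BASELINE_WINDOW)

# Constructed events to triage after the baseline window.
NEW_EVENTS = [
    ProcEvent("dev01", "dev-workstation", "alice", "/usr/bin/bash", "/usr/bin/python3", "python3 tests.py"),
    ProcEvent("web01", "web-server", "www-data", "/usr/sbin/apache2", "/usr/bin/python3", "python3 -c import os"),
    ProcEvent("esx01", "esxi", "root", "/bin/sh", "/bin/python", "python -"),
    ProcEvent("ws07", "finance-workstation", "carol", "C:\\Windows\\explorer.exe", "C:\\Python311\\python.exe", "python.exe report.py"),
    ProcEvent("dev02", "dev-workstation", "eve", "/usr/bin/zsh", "/usr/bin/python3", "python3 script.py"),
]

if __name__ == "__main__":
    for score, host, reasons in triage(NEW_EVENTS, BASELINE):
        print(f"{score:>2}  {host:<6} {'; '.join(reasons)}")
```

The baseline key deliberately includes asset role rather than hostname, so a new developer workstation does not alert simply for existing; the first "role never baselined" weight is the strongest signal because it corresponds to the list's "execution on systems where Python is not expected". Every hit still needs corroboration from the surrounding incident context before anyone calls it malicious.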

Mitigation priorities

  • Establish an inventory of where Python is installed or required and assign business ownership for legitimate use.
  • Define policy expectations for Python use on servers, workstations, and administrative systems based on role and criticality.
  • Improve endpoint and process telemetry coverage before relying on behavioral detection outcomes.
  • Use access control, administrative hygiene, and change management to reduce unapproved interpreter use where business need is absent.
  • Document approved exceptions and monitoring coverage to support audit readiness and incident response decisions.

Analyst notes and limits

This take is based on the ATT&CK detection strategy object DET0063 and its relationship to T1059.006, Python. The supplied object does not include an official description, official detection logic, tactics, or platforms; platform and tactic context comes from the related Python technique only. Local environment knowledge is required to decide what Python activity is normal.

The source fields do not provide concrete analytics, data component mappings, severity, prevalence, or vendor-specific telemetry requirements. This summary should be treated as detection planning guidance, not proof of existing coverage or evidence of active exploitation.

Official MITRE ATT&CK definition

Cross-Platform Behavioral Detection of Python Execution

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name    Relationship / procedure
Enterprise  T1059.006  Python  Sub-technique. This object detects Python.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 294c486aed45ecec...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  294c486aed45…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0063
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.