MITRE ATT&CK® Analytic

AN0587: Analytic 0587

Instance enters degraded/unhealthy state due to abnormal process load or memory exhaustion, often caused by automation or script-based attacks.

Enterprise | AN0587 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic points to an IaaS operational signal: a cloud instance becoming degraded or unhealthy because process load or memory use is abnormal. For leaders, the value is not proving an attack by itself, but treating instance health degradation as a security-relevant early warning that may affect service availability and incident response decisions, especially where automation or scripts can rapidly consume resources.

Executive priority

Prioritize this as a resilience and cloud monitoring validation item. Security and infrastructure leaders should ask whether unhealthy-instance events are visible to the SOC, correlated with workload behavior, and actionable during incidents. It can support business continuity, cloud security, and audit evidence by showing that the organization can detect and respond to abnormal resource exhaustion in IaaS environments, while recognizing that degraded health may also come from legitimate workload spikes or operational faults.

Technical view

For SOC, cloud security, and IR teams, validate monitoring for IaaS instance health state changes alongside process load and memory exhaustion indicators. Because ATT&CK provides no official detection logic and no related techniques or tactics for this object, teams should avoid treating the signal as standalone proof of compromise. Instead, use it as a triage trigger: determine which instance entered a degraded or unhealthy state, when resource pressure began, whether automation or scripts were involved, and whether the activity aligns with expected deployment, batch, or maintenance activity.

Likely telemetry

  • IaaS instance health and status-check events
  • CPU, process load, and memory utilization metrics
  • Host or agent telemetry showing process creation and resource consumption where available
  • Cloud monitoring alerts for degraded or unhealthy instance state
  • Automation, orchestration, or script execution logs relevant to the affected instance

Detection direction

  • Confirm that IaaS health-state changes are ingested into monitoring or SIEM workflows with sufficient instance identity, timestamp, account/project, region, and ownership context.
  • Correlate degraded or unhealthy state with abnormal process load or memory exhaustion rather than alerting on health state alone.
  • Tune for expected high-load events such as deployments, batch jobs, scaling operations, backups, and maintenance windows to reduce false positives.
  • Escalate when health degradation coincides with unusual script or automation activity, unexplained process growth, repeated restarts, or lack of an approved change record.
  • Document blind spots where instance health is monitored by infrastructure teams but not visible to SOC or incident response workflows.
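The correlation, tuning and escalation steps above, worked as an added Python example (not code from the ATT&CK object or from Glexia's page); the instance telemetry, the 15-minute lookback and the 90% load/memory thresholds are constructed assumptions for illustration:

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for the example (not from the ATT&CK object):
# i-0a1 exhausts memory right after a script run with no change record, i-0b2
# spikes load inside an approved deployment window, i-0c3 goes unhealthy with
# no resource pressure at all (a platform fault, not this analytic's pattern).
HEALTH_EVENTS = [
    {"instance": "i-0a1", "account": "prod", "time": "2026-03-01T10:12:00", "state": "unhealthy"},
    {"instance": "i-0b2", "account": "prod", "time": "2026-03-01T02:05:00", "state": "degraded"},
    {"instance": "i-0c3", "account": "dev", "time": "2026-03-01T11:00:00", "state": "unhealthy"},
]
METRICS = [  # (instance, time, cpu_load_pct, mem_used_pct)
    ("i-0a1", "2026-03-01T10:00:00", 35, 61),
    ("i-0a1", "2026-03-01T10:10:00", 97, 98),
    ("i-0b2", "2026-03-01T02:00:00", 92, 70),
    ("i-0c3", "2026-03-01T10:55:00", 20, 40),
]
AUTOMATION_LOGS = [  # (instance, time, principal, script)
    ("i-0a1", "2026-03-01T10:05:00", "svc-batch", "run_loop.sh"),
    ("i-0b2", "2026-03-01T01:58:00", "deploy-bot", "rollout.py"),
]
CHANGE_RECORDS = [  # approved change windows: (account, start, end, ticket)
    ("prod", "2026-03-01T01:30:00", "2026-03-01T03:00:00", "CHG-0001"),
]

def _ts(s):
    return datetime.fromisoformat(s)

def triage_health_event(event, metrics=METRICS, automation=AUTOMATION_LOGS,
                        changes=CHANGE_RECORDS, window_min=15, load_thr=90, mem_thr=90):
    """Return (verdict, reasons) for one degraded/unhealthy instance event."""
    end = _ts(event["time"])
    start = end - timedelta(minutes=window_min)
    inst = event["instance"]
    # 1. Require load or memory pressure in the lookback window; health state alone is not an alert.
    pressure = [m for m in metrics if m[0] == inst and start <= _ts(m[1]) <= end
                and (m[2] >= load_thr or m[3] >= mem_thr)]
    if not pressure:
        return "health_only", ["no abnormal load or memory in lookback window"]
    reasons = [f"cpu={m[2]}% mem={m[3]}% at {m[1]}" for m in pressure]
    # 2. Tune out pressure that sits inside an approved change window for the account.
    approved = [c for c in changes if c[0] == event["account"] and _ts(c[1]) <= end <= _ts(c[2])]
    if approved:
        return "expected_load", reasons + [f"approved change {approved[0][3]}"]
    # 3. No change record: escalate, naming any script/automation run that preceded the event.
    scripts = [f"{a[2]} ran {a[3]} at {a[1]}" for a in automation
               if a[0] == inst and start <= _ts(a[1]) <= end]
    return "escalate", reasons + (scripts or ["no approved change record"])

def triage_all(events=HEALTH_EVENTS):
    return {e["instance"]: triage_health_event(e)[0] for e in events}
```

The lookback window and thresholds are the tuning knobs the direction above calls for; in practice they come from the workload baselines the mitigation list asks teams to establish.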

Mitigation priorities

  • Establish baseline monitoring for IaaS instance health, CPU/load, and memory across business-critical workloads.
  • Define ownership and escalation paths so degraded-instance signals reach both infrastructure operations and security responders.
  • Apply resource governance and operational safeguards such as capacity planning, alert thresholds, and workload baselines before relying on security triage.
  • Review automation and script execution controls in the affected cloud environment, including who can run automation and how execution is logged.
  • Use incident runbooks to distinguish operational exhaustion from suspicious automation-driven resource abuse, preserving relevant cloud and host evidence.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique. It is limited to the IaaS platform and describes instances entering degraded or unhealthy state from abnormal process load or memory exhaustion, often associated with automation or script-based attacks. No tactic, relationship context, or official detection procedure is provided, so this take frames the analytic as a monitoring and triage signal rather than a complete detection.

This assessment uses only the supplied ATT&CK fields and external reference. It does not establish attacker behavior, attribution, prevalence, impact, or detection coverage. Local cloud architecture, logging configuration, workload baselines, and incident history are required to determine materiality and alert thresholds.

Official MITRE ATT&CK definition

Analytic 0587

Instance enters degraded/unhealthy state due to abnormal process load or memory exhaustion, often caused by automation or script-based attacks.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 0e43bd77e1fff3f0...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 0e43bd77e1ff…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0587 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.