AN0741: Analytic 0741
Persistent high CPU utilization combined with suspicious command-line execution (e.g., mining tools or obfuscated scripts) and outbound connections to mining/proxy networks.
Analyst context for executives and security teams
AN0741 is a Windows detection analytic focused on a business-relevant symptom cluster: sustained high CPU usage, suspicious command-line activity, and outbound connections associated with mining or proxy infrastructure. For leaders, the value is not just finding cryptocurrency mining; it is identifying unauthorized workload consumption, possible footholds using obfuscated scripts, and unmanaged outbound network paths that can degrade system performance and complicate incident response.
Executive priority
Prioritize this analytic where Windows endpoints support critical operations, shared infrastructure, or regulated workloads. The decision value is confirming whether the organization can correlate endpoint performance anomalies with command-line execution and outbound network activity. Gaps here can leave SOC and IR teams unable to distinguish routine resource spikes from unauthorized tooling, policy violations, or broader compromise indicators.
Technical view
Validate whether Windows endpoint telemetry can join three evidence classes: persistent high CPU utilization, suspicious process or command-line execution such as mining tools or obfuscated scripts, and outbound connections to mining or proxy networks. Because the supplied ATT&CK object does not specify tactics, relationships, or a formal detection query, teams should treat AN0741 as a correlation pattern rather than a standalone alert rule. Tune against known administrative scripts, software deployment jobs, backup agents, build tools, and legitimate high-performance workloads to reduce false positives.
Likely telemetry
- Windows process creation events with full command-line arguments
- Endpoint performance or resource-utilization telemetry showing sustained high CPU usage
- Network connection telemetry from Windows hosts, including destination address, port, protocol, and timing
- Proxy, firewall, DNS, or web gateway logs that can identify outbound connections to mining or proxy-related infrastructure
- Endpoint security alerts or script execution logs where available, especially for obfuscated command lines
Detection direction
- Confirm that high CPU telemetry is retained long enough to correlate with process and network activity rather than reviewed only as an operations metric.
- Require correlation across CPU utilization, command-line behavior, and outbound connectivity; avoid treating any single signal as conclusive.
- Tune for legitimate high-CPU Windows activity such as patching, backups, indexing, software builds, EDR scans, and administrative automation.
- Review whether command-line logging captures obfuscation indicators and parent-child process context.
- Validate visibility for direct outbound connections and proxy-mediated traffic, since either path may affect whether the analytic can be applied.
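The correlation pattern described under "Technical view" and in the detection-direction items above, as an added example (not MITRE's or Glexia's code): three constructed telemetry feeds for Windows hosts are joined per host, a finding is raised only when sustained high CPU, an obfuscated or mining-related command line, and an outbound connection to a listed mining/proxy destination all co-occur inside a time window, and allowlisted images are tuned out. Hostnames, destinations, token lists and thresholds are placeholders an analyst would replace with local baselines.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data); times are ISO-8601 strings.
CPU_SAMPLES = [  # (host, time, cpu_percent), sampled every 5 minutes
    ("ws-17", "2024-05-01T10:00:00", 96), ("ws-17", "2024-05-01T10:05:00", 98),
    ("ws-17", "2024-05-01T10:10:00", 97), ("srv-03", "2024-05-01T10:00:00", 95),
]
PROC_EVENTS = [  # (host, time, parent_image, image, command_line)
    ("ws-17", "2024-05-01T10:02:00", "wscript.exe", "powershell.exe",
     "powershell -nop -w hidden -EncodedCommand QQBCAEMA"),
    ("srv-03", "2024-05-01T10:01:00", "services.exe", "msbuild.exe", "msbuild build.proj"),
]
NET_CONNS = [  # (host, time, image, dest_host, dest_port)
    ("ws-17", "2024-05-01T10:03:00", "powershell.exe", "pool.example.invalid", 3333),
    ("srv-03", "2024-05-01T10:02:00", "msbuild.exe", "nuget.example.invalid", 443),
]
# Environment-specific tuning; placeholder values to be replaced with local baselines.
ALLOWLISTED_IMAGES = {"msbuild.exe", "backup_agent.exe"}      # build/backup tooling
SUSPICIOUS_TOKENS = ("-encodedcommand", "-frombase64string", "stratum+tcp", "xmrig")
MINING_PROXY_DESTS = {"pool.example.invalid"}                   # from gateway/DNS intel

def ts(s):
    return datetime.fromisoformat(s)

def sustained_high_cpu(host, threshold=90, min_minutes=10):
    """True when samples at or above threshold span at least min_minutes for host."""
    hits = sorted(ts(t) for h, t, c in CPU_SAMPLES if h == host and c >= threshold)
    return bool(hits) and (hits[-1] - hits[0]) >= timedelta(minutes=min_minutes)

def suspicious_processes(host):
    """Process events carrying an obfuscation or mining marker, allowlisted images excluded."""
    return [e for e in PROC_EVENTS
            if e[0] == host and e[3].lower() not in ALLOWLISTED_IMAGES
            and any(tok in e[4].lower() for tok in SUSPICIOUS_TOKENS)]

def mining_connections(host):
    """Outbound connections from host to known mining or proxy destinations."""
    return [c for c in NET_CONNS if c[0] == host and c[3] in MINING_PROXY_DESTS]

def correlate(host, window=timedelta(minutes=30)):
    """Raise a finding only when all three evidence classes co-occur within window."""
    procs, conns = suspicious_processes(host), mining_connections(host)
    if not (sustained_high_cpu(host) and procs and conns):
        return None  # any single signal alone is not conclusive
    first = min(ts(e[1]) for e in procs)
    near = [c for c in conns if abs(ts(c[1]) - first) <= window]
    if not near:
        return None
    return {"host": host, "image": procs[0][3], "parent": procs[0][2],
            "destinations": sorted({c[3] for c in near})}
```

Running `correlate("ws-17")` yields a finding with parent `wscript.exe` and the pool destination, while `srv-03` (allowlisted build tool, one CPU sample, no listed destination) yields none.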
Mitigation priorities
- Establish baseline CPU and process behavior for important Windows server and workstation populations.
- Harden and monitor script execution and command-line logging so suspicious or obfuscated activity can be investigated.
- Restrict and review unnecessary outbound network access from Windows endpoints, especially to destinations unrelated to business functions.
- Ensure SOC runbooks include triage steps for correlating resource anomalies with process and network evidence.
- Use findings from this analytic to support incident response scoping and control validation rather than relying on performance alerts alone.
Analyst notes and limits
This object is a detection analytic, not a technique or procedure. No relationship context, tactics, aliases, or official detection logic were supplied. The practical use is to guide defensive validation around a Windows correlation pattern: resource abuse plus suspicious execution plus outbound network behavior.
The source fields do not provide a formal query, data source list, tactic mapping, related techniques, threat actors, mitigations, or evidence of active exploitation. Local baselines and environment-specific allowlists are required to determine severity and reduce false positives.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 26a3974f1422… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0741 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.