MITRE ATT&CK® Analytic

AN0742: Analytic 0742

Abnormal CPU/memory usage by unauthorized processes with outbound connections to known mining pools or using cron jobs/scripts to maintain persistence.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

AN0742 is a Linux-focused detection analytic for spotting unauthorized processes that consume unusual CPU or memory while making outbound connections associated with cryptocurrency mining activity or using cron/scripts for persistence. For security leaders, the value is not just finding “high CPU”; it is validating whether Linux monitoring can connect resource abuse, outbound network behavior, and persistence indicators into a defensible incident signal.

Executive priority

This behavior matters because unauthorized resource consumption on Linux systems can degrade service performance, increase operating cost, and indicate weak control over server workloads and persistence mechanisms. Leaders should ask whether critical Linux assets have enough endpoint, process, network, and scheduled-task visibility to distinguish legitimate workload spikes from unauthorized persistent activity. The analytic can also support compliance and audit discussions around monitoring, unauthorized software, and incident response readiness, but local evidence is required to prove coverage.

Technical view

SOC and detection teams should validate Linux telemetry that correlates abnormal CPU or memory usage by processes with outbound connections to known mining pools and signs of persistence through cron jobs or scripts. Because ATT&CK does not provide a formal detection query for this analytic, teams should treat AN0742 as a detection objective: identify unauthorized high-resource processes, enrich with destination reputation or mining-pool indicators, and review cron/script-based persistence changes. Tuning should account for legitimate compute-intensive workloads, batch jobs, monitoring agents, and approved administrative scripts.

Likely telemetry

  • Linux process execution and process metadata
  • CPU and memory utilization by process
  • Outbound network connection logs from Linux hosts
  • Destination reputation or known mining-pool indicators
  • Cron job configuration and modification records

Detection direction

  • Validate that Linux endpoint or host monitoring can attribute CPU and memory spikes to specific processes and users.
  • Correlate high-resource processes with outbound connections rather than alerting on resource usage alone.
  • Review cron jobs and scripts for persistence indicators, especially where linked to unauthorized or unexplained processes.
  • Tune out expected high-performance computing, backup, indexing, analytics, and maintenance jobs using asset context.
  • Confirm that mining-pool destination intelligence is maintained and that network telemetry can tie connections back to the originating host/process where possible.
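The correlation the technical view and detection direction describe, as an added example that is not part of the ATT&CK object or Glexia's analysis: constructed Linux process, connection and cron telemetry is joined so that a process alerts only when high CPU is corroborated by a mining-pool destination or a cron entry referencing its binary, and approved workloads are tuned out via asset context. The threshold, the indicator set and the allowlist are assumptions standing in for local baselines and threat intelligence.

```python
# Added example (not from the ATT&CK object or Glexia): correlates constructed
# Linux telemetry into one AN0742-style signal. Threshold, indicator set and the
# approved-workload allowlist are assumptions to be replaced with local data.
from collections import defaultdict

# Constructed sample telemetry. Hosts, PIDs, process names, the pool destination
# and the cron line are all placeholders invented for this example.
PROCESSES = [
    {"host": "web01", "pid": 4021, "user": "www-data", "comm": "dropped-miner", "cpu": 97.5, "mem": 3.1},
    {"host": "web01", "pid": 1337, "user": "postgres", "comm": "postgres", "cpu": 88.0, "mem": 40.2},
    {"host": "hpc02", "pid": 552, "user": "research", "comm": "lammps", "cpu": 99.0, "mem": 55.0},
]
CONNECTIONS = [
    {"host": "web01", "pid": 4021, "dst": "pool.example-mining.invalid", "port": 3333},
    {"host": "web01", "pid": 1337, "dst": "10.0.5.20", "port": 5432},
    {"host": "hpc02", "pid": 552, "dst": "10.0.9.9", "port": 22},
]
CRON_CHANGES = [
    {"host": "web01", "user": "www-data", "path": "/var/spool/cron/crontabs/www-data",
     "line": "* * * * * /tmp/.x/dropped-miner"},
]
MINING_POOL_INDICATORS = {("pool.example-mining.invalid", 3333)}  # assumption: local TI feed
APPROVED_HIGH_CPU = {("hpc02", "research", "lammps"), ("web01", "postgres", "postgres")}  # asset context
CPU_THRESHOLD = 80.0  # assumption; derive from per-host baselines in practice

def correlate(processes, connections, cron_changes, indicators, approved, cpu_threshold=CPU_THRESHOLD):
    """Return one alert per process that is high-CPU, unapproved, and corroborated by
    a mining-pool connection and/or a cron change referencing its binary.
    Resource usage alone never produces an alert."""
    conns = defaultdict(list)
    for c in connections:
        conns[(c["host"], c["pid"])].append(c)
    alerts = []
    for p in processes:
        if p["cpu"] < cpu_threshold or (p["host"], p["user"], p["comm"]) in approved:
            continue  # below baseline, or an approved compute-intensive workload
        evidence = ["high_cpu"]
        if any((c["dst"], c["port"]) in indicators for c in conns[(p["host"], p["pid"])]):
            evidence.append("mining_pool_connection")
        if any(ch["host"] == p["host"] and p["comm"] in ch["line"] for ch in cron_changes):
            evidence.append("cron_persistence")
        if len(evidence) > 1:
            alerts.append({"host": p["host"], "pid": p["pid"], "user": p["user"],
                           "comm": p["comm"], "evidence": evidence})
    return alerts

if __name__ == "__main__":
    for alert in correlate(PROCESSES, CONNECTIONS, CRON_CHANGES, MINING_POOL_INDICATORS, APPROVED_HIGH_CPU):
        print(alert)
```

Running it yields a single alert for the unapproved process on web01 carrying all three evidence types, while the approved postgres and HPC workloads are suppressed despite their high CPU.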

Mitigation priorities

  • Establish baselines for expected Linux workloads on critical systems.
  • Restrict and review who can create or modify cron jobs and executable scripts on Linux hosts.
  • Maintain host monitoring for process activity, resource usage, scheduled tasks, and outbound network connections.
  • Use network controls and monitoring to identify or limit unauthorized outbound connections to suspicious destinations.
  • Ensure incident response playbooks cover containment and validation of unauthorized Linux processes and persistence mechanisms.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a full technique entry. It specifies Linux as the platform and describes abnormal CPU/memory usage, outbound connections to known mining pools, and cron/scripts used for persistence. No tactics, relationships, aliases, or official detection logic were supplied, so this take frames practical validation rather than a finished rule.

No relationship context, tactic mapping, formal detection query, data source list, mitigation list, adversary attribution, or exploitation evidence was provided. Local asset baselines, approved workload inventories, and available Linux/network telemetry are required to determine whether this analytic is actionable in a specific environment.

Official MITRE ATT&CK definition

Analytic 0742

Abnormal CPU/memory usage by unauthorized processes with outbound connections to known mining pools or using cron jobs/scripts to maintain persistence.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: cf55edf0258bbd73...

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.