AN0744: Analytic 0744
Sudden spikes in cloud VM CPU usage with outbound traffic to mining pools and unauthorized instance creation.
Analyst context for executives and security teams
AN0744 is a cloud infrastructure detection analytic focused on a business-relevant abuse pattern: unexpected cloud VM CPU spikes combined with outbound traffic to mining pools and unauthorized instance creation. For leaders, the value is not just spotting high CPU; it is confirming whether the organization can rapidly distinguish normal scaling or workload bursts from unauthorized resource consumption that can create cost, capacity, and incident-response pressure in IaaS environments.
Executive priority
Prioritize this analytic where IaaS cost control, cloud governance, and incident response readiness are material. Executives should ask whether teams can prove who created new instances, whether creation was authorized, whether outbound destinations are governed, and whether unusual compute consumption triggers both security and cloud cost escalation workflows. This is also useful audit evidence for cloud monitoring, change control, and access governance, but local logging and ownership context are required.
Technical view
SOC and cloud security teams should validate correlation across three evidence points named in the analytic: sudden VM CPU increases, outbound traffic to mining pools, and unauthorized instance creation. Because ATT&CK provides no detection logic or tactic mapping for this analytic, teams should define local baselines for expected CPU behavior, approved instance creation paths, and known business exceptions. IR teams should ensure alerts preserve instance identity, account or principal responsible for creation, time of creation, network destinations, and workload ownership so triage can separate legitimate autoscaling or batch compute from unauthorized activity.
Likely telemetry
- Cloud VM CPU and performance metrics
- Cloud instance creation and configuration events
- Cloud identity or principal activity tied to instance creation
- Outbound network flow logs from IaaS workloads
- Destination reputation or categorization data for mining pool traffic
Detection direction
- Correlate CPU spikes with outbound traffic patterns and recent instance creation rather than alerting on CPU alone.
- Validate whether instance creation was unauthorized using IAM principal, deployment pipeline, ticket/change record, and asset ownership context.
- Tune for legitimate high-compute workloads, autoscaling events, batch jobs, performance testing, and approved research activity to reduce false positives.
- Confirm whether outbound network telemetry is available from the relevant IaaS networks; without it, the mining-pool component of the analytic may be blind.
- Confirm whether cloud audit logs capture instance creation with sufficient retention and identity detail for investigation.
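As an added illustration of the correlation the bullets above call for (this is example code, not part of the ATT&CK object or the Glexia analysis), the Python below joins three constructed telemetry feeds on instance id and flags an instance only when a CPU spike, mining-pool egress and creation outside the approved path coincide. The approved-creator allow-list, the spike thresholds and every sample record are assumptions standing in for local baselines and policy.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical local policy (assumption): principals approved to create instances.
APPROVED_CREATORS = {"svc-deploy-pipeline", "autoscaler"}
CPU_SPIKE_FACTOR = 3.0  # a spike is a sample above this multiple of the instance baseline ...
CPU_ABS_FLOOR = 80.0    # ... and above this absolute percentage, so idle hosts do not trigger

@dataclass
class Finding:
    instance: str
    creator: str
    peak_cpu: float
    pool_destinations: list

def correlate(cpu_samples, flows, creations, baselines):
    """Flag instances where all three AN0744 indicators coincide."""
    peak = defaultdict(float)
    for s in cpu_samples:  # highest observed CPU per instance
        peak[s["instance"]] = max(peak[s["instance"]], s["cpu_pct"])
    pool_dst = defaultdict(set)
    for f in flows:  # outbound flows whose destination is categorised as a mining pool
        if f["dst_category"] == "mining_pool":
            pool_dst[f["instance"]].add(f["dst"])
    findings = []
    for c in creations:
        iid = c["instance"]
        threshold = max(CPU_SPIKE_FACTOR * baselines.get(iid, 0.0), CPU_ABS_FLOOR)
        if peak[iid] >= threshold and pool_dst[iid] and c["principal"] not in APPROVED_CREATORS:
            findings.append(Finding(iid, c["principal"], peak[iid], sorted(pool_dst[iid])))
    return findings

# Constructed sample telemetry (not real data); baselines would come from local history.
BASELINES = {"i-0a1": 10.0, "i-0b2": 12.0, "i-0c3": 30.0}
CPU = [{"instance": "i-0a1", "cpu_pct": 97.0}, {"instance": "i-0b2", "cpu_pct": 96.0},
       {"instance": "i-0c3", "cpu_pct": 99.0}, {"instance": "i-0a1", "cpu_pct": 11.0}]
FLOWS = [{"instance": "i-0a1", "dst": "pool.example:3333", "dst_category": "mining_pool"},
         {"instance": "i-0b2", "dst": "pool.example:3333", "dst_category": "mining_pool"},
         {"instance": "i-0c3", "dst": "cdn.example:443", "dst_category": "cdn"}]
CREATIONS = [{"instance": "i-0a1", "principal": "contractor-jdoe"},     # outside approved path
             {"instance": "i-0b2", "principal": "svc-deploy-pipeline"},  # approved batch compute
             {"instance": "i-0c3", "principal": "contractor-jdoe"}]      # high CPU, no pool egress

def run_sample():
    """Run the correlation over the constructed feeds; only i-0a1 meets all three conditions."""
    return correlate(CPU, FLOWS, CREATIONS, BASELINES)
```

The two instances that are not flagged show the tuning the page asks for: i-0b2 is high-CPU pool traffic from an approved deployment principal, and i-0c3 is a CPU spike with no governed-destination hit.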
Mitigation priorities
- Ensure cloud audit logging and VM performance monitoring are enabled and retained for IaaS environments.
- Restrict and review permissions that allow instance creation, especially outside approved deployment processes.
- Maintain asset ownership, tagging, and change-control records so unauthorized instance creation can be determined quickly.
- Review outbound egress controls and monitoring for unmanaged or unexpected destinations where appropriate.
- Integrate cloud cost anomaly, security monitoring, and incident escalation workflows so resource abuse is investigated promptly.
Analyst notes and limits
This object is a detection analytic, not a technique description. Its practical value is in validating cloud monitoring coverage and correlation logic for IaaS resource abuse indicators. The supplied relationship context is empty, and ATT&CK does not provide a detection procedure, tactic, or linked technique in the provided fields.
Assessment is limited to the supplied ATT&CK fields. No active exploitation, attribution, specific cloud provider, tactic, or guaranteed detection coverage is stated. Local cloud architecture, logging configuration, IAM model, approved workload patterns, and network visibility are required to operationalize the analytic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | becf68a82b89… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0744
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.