MITRE ATT&CK® Analytic

AN0745: Analytic 0745

High CPU usage by unauthorized containers running mining binaries or public proxy tools.

Enterprise | AN0745 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic flags a container-risk pattern: unauthorized containers consuming high CPU while running mining binaries or public proxy tools. For leaders, the significance is less about a single alert and more about whether the organization can quickly distinguish approved compute activity from abuse that can waste cloud/container resources, mask unauthorized access, or create operational noise.

Executive priority

Prioritize this as a container governance and SOC-readiness validation item. Executives should ask whether teams can prove which containers are authorized, detect abnormal CPU consumption, and investigate suspicious binaries or proxy tooling without relying on ad hoc manual review. The business value is cost control, operational resilience, and audit evidence that container workloads are inventoried and monitored.

Technical view

For SOC, detection engineering, and IR teams, validate coverage on the Containers platform for three linked conditions: container authorization status, high CPU usage, and evidence of mining binaries or public proxy tools inside the running container. Because ATT&CK supplies no tactic, no detailed detection logic, and no relationship context for this analytic, local baselines are essential. Tune for known high-CPU workloads and approved proxy use so the alert focuses on unauthorized or unexpected containers.

Likely telemetry

  • Container inventory and runtime metadata showing container identity, image, owner, namespace/project, and authorization status
  • Container CPU utilization metrics over time
  • Process execution telemetry from containers, including process names and command-line context where available
  • Container image or workload metadata that can support allowlisting or approval checks
  • Network telemetry from container workloads that may show proxy-like behavior, where collected

Detection direction

  • Establish a baseline of authorized container images and workloads before treating high CPU alone as suspicious.
  • Correlate CPU spikes with container identity and process evidence for mining binaries or public proxy tools.
  • Tune out expected high-compute jobs and approved proxy services to reduce false positives.
  • Validate whether telemetry is collected from inside containers, not only from the host or orchestration layer.
  • Document gaps where authorization status, process visibility, or CPU metrics are unavailable.
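The five steps above can be expressed as one correlation rule. The following Python sketch is an added illustration, not part of the ATT&CK analytic or Glexia's content: it evaluates a container observation against a constructed allowlist of authorized images, a tuned-out set of known heavy workloads and an illustrative process indicator list, and records telemetry gaps instead of silently treating missing data as benign. The registry, workload and process names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed local baseline: hypothetical registry, workload and indicator names.
AUTHORIZED_IMAGES = {
    "registry.example/app/api:1.4",
    "registry.example/batch/etl:2.0",
    "registry.example/net/egress-proxy:3.1",
}
APPROVED_HIGH_CPU_WORKLOADS = {"etl-nightly"}   # known heavy compute jobs, tuned out
SUSPECT_PROCESSES = {"xmrig", "minerd"}          # illustrative miner names; use the local indicator list
CPU_THRESHOLD_PCT = 80.0                         # sustained utilisation over the sample window


@dataclass
class ContainerObs:
    container_id: str
    workload: str
    image: str
    cpu_pct: Optional[float]            # None when CPU metrics were not collected
    processes: Optional[tuple] = None   # None when no in-container process telemetry exists


def evaluate(obs: ContainerObs) -> dict:
    """Correlate authorization status, CPU usage and process evidence into one verdict."""
    reasons, gaps = [], []
    authorized = obs.image in AUTHORIZED_IMAGES
    if obs.cpu_pct is None:
        gaps.append("cpu metrics unavailable")
    if obs.processes is None:
        gaps.append("no in-container process telemetry")
    high_cpu = obs.cpu_pct is not None and obs.cpu_pct >= CPU_THRESHOLD_PCT
    suspects = sorted(set(obs.processes or ()) & SUSPECT_PROCESSES)

    if suspects:                        # process evidence outweighs any allowlisting
        severity = "high"
        reasons.append("suspect process: " + ",".join(suspects))
    elif high_cpu and not authorized:   # unknown image burning CPU
        severity = "medium"
        reasons.append("unauthorized image with high cpu")
    elif not authorized:                # unknown image, quiet for now
        severity = "low"
        reasons.append("unauthorized image")
    elif high_cpu and obs.workload not in APPROVED_HIGH_CPU_WORKLOADS:
        severity = "low"                # authorized but unexpected load: review, do not page
        reasons.append("unexpected high cpu on authorized image")
    else:
        severity = "none"               # authorized and within baseline (or a tuned-out job)
    return {"container_id": obs.container_id, "severity": severity,
            "reasons": reasons, "gaps": gaps}
```

The `gaps` field is what the last step asks for: a container with high CPU but no process telemetry still alerts on the unauthorized image, and the verdict carries the visibility gap so the analyst knows why process evidence is absent.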

Mitigation priorities

  • Maintain an approved inventory of container images and workloads.
  • Enforce controls that prevent or restrict unauthorized containers from running.
  • Apply container resource limits and monitoring so abnormal CPU consumption is visible and bounded.
  • Review container images and runtime activity for unauthorized mining or proxy tooling.
  • Use incident response procedures to isolate and investigate unauthorized containers when confirmed.

Analyst notes and limits

This object is a detection analytic, AN0745, for the enterprise ATT&CK domain and Containers platform. The official description is limited to high CPU usage by unauthorized containers running mining binaries or public proxy tools. No official detection text, tactics, or relationships were supplied, so implementation depends heavily on local telemetry and container governance maturity.

The ATT&CK object does not provide detection logic, tactic mapping, related techniques, threat actor context, or evidence of active exploitation. This take should be used as defensive planning guidance, not as proof of existing compromise or current coverage.

Official MITRE ATT&CK definition

Analytic 0745

High CPU usage by unauthorized containers running mining binaries or public proxy tools.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release:  19.1
Object version:  1.0
Created:         (not recorded)
Modified:        (not recorded)
Raw hash:        c4d461770b49ffed...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | c4d461770b49…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0745 (source record URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.