Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0853: Analytic 0853

Cloud workload exploitation leads to repeated container, service, or VM termination/restart, typically associated with CVE-based crash triggers or fuzzed payloads.

EnterpriseAN0853AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic points to a cloud resilience warning sign: repeated termination or restart of containers, services, or virtual machines after suspected workload exploitation. For leaders, the issue is not only whether a single workload crashes, but whether cloud operations, customer-facing services, or incident response teams can distinguish normal auto-recovery from exploit-driven instability.

Executive priority

Prioritize this as an IaaS operational resilience and incident-triage concern. Executives and security leaders should ask whether cloud teams can prove why workloads restart, whether crash loops are tied to vulnerable software or exposed services, and whether SOC and infrastructure teams share enough evidence to separate routine scaling or deployment failures from exploitation-related service disruption.

Technical view

Because the ATT&CK object provides no official detection logic or relationships, teams should validate the underlying evidence chain rather than rely on a predefined rule. For IaaS environments, correlate repeated container, service, or VM termination/restart events with workload logs, crash indicators, vulnerability context, recent deployments, exposure data, and any suspicious inbound requests or payload patterns. Tune for recurrence, unusual timing, affected asset criticality, and association with known vulnerable components while accounting for benign causes such as autoscaling, health-check failure, patching, configuration drift, or failed releases.

Likely telemetry

  • IaaS instance lifecycle events showing stop, terminate, reboot, or restart activity
  • Container orchestration events such as crash loops, pod/container restarts, evictions, or failed health checks
  • Service manager or workload supervisor logs showing repeated service failures and restarts
  • Application, runtime, and crash logs including exception traces, segmentation faults, core dumps, or abnormal exits
  • Cloud audit logs identifying who or what initiated lifecycle actions where available

Detection direction

  • Baseline normal restart behavior by workload type so alerts focus on abnormal frequency, clustering, or timing.
  • Correlate restart loops with crash evidence and external interaction rather than treating every restart as malicious.
  • Enrich affected assets with vulnerability, exposure, and business criticality data to prioritize investigation.
  • Include false-positive handling for autoscaling, orchestration rescheduling, planned maintenance, failed deployments, resource exhaustion, and health-check misconfiguration.
  • Validate that SOC visibility includes both cloud control-plane events and workload-level logs; either source alone may miss key context.

Mitigation priorities

  • Ensure critical IaaS workloads have logging for lifecycle events, workload crashes, and application errors before relying on detection outcomes.
  • Maintain current asset, image, package, and vulnerability inventories so crash behavior can be assessed against known vulnerable components.
  • Harden exposed workloads through patching, configuration review, least privilege, and segmentation appropriate to the cloud environment.
  • Use resilience controls such as health checks, restart policies, redundancy, and capacity planning, while ensuring they do not hide repeated exploit-triggered failures from responders.
  • Define incident playbooks for repeated cloud workload restarts, including evidence preservation, owner notification, change review, and vulnerability triage.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic for IaaS and describes repeated container, service, or VM termination/restart associated with CVE-based crash triggers or fuzzed payloads. No tactic, detection logic, relationships, procedure examples, attribution, or active exploitation claims were supplied. Treat this as a detection engineering and incident triage pattern that requires local telemetry and environment context.

ATT&CK provides no official detection text for this analytic and no relationship context. The take cannot assert specific adversaries, techniques, tools, affected products, or guaranteed detection coverage. Local cloud architecture, orchestration stack, logging maturity, and change history are required to determine whether repeated restarts indicate exploitation or benign operational failure.

Official MITRE ATT&CK definition

Analytic 0853

Cloud workload exploitation leads to repeated container, service, or VM termination/restart, typically associated with CVE-based crash triggers or fuzzed payloads.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
1346ce7d5aa68b81...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 1346ce7d5aa6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0853
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use