AN1166: Analytic 1166
Automated scripts or repeated CLI/API requests that trigger application backends to consume high CPU or memory (e.g., Apache/PHP, MySQL, mail servers), resulting in syslog errors and excessive process spawning.
Analyst context for executives and security teams
Analytic 1166 concerns Linux application backends being stressed by automated scripts or repeated CLI/API requests until services consume excessive CPU or memory, spawn too many processes, and generate syslog errors. For leaders, the value is in treating this as an operational resilience signal: if backend resource exhaustion is not visible quickly, outages or degraded service may look like routine performance issues rather than security-relevant activity.
Executive priority
Prioritize validation where Linux-hosted Apache/PHP, MySQL, mail servers, or similar backend services support critical business processes. The key decision is whether operations, SOC, and incident response teams can distinguish abnormal repeated request activity and backend resource exhaustion from legitimate traffic spikes, maintenance jobs, or capacity problems. This also supports audit and resilience evidence by showing that resource-consumption conditions are monitored, triaged, and escalated consistently.
Technical view
ATT&CK provides no explicit detection logic for this analytic, so defenders should build validation around the described evidence: repeated CLI/API request patterns, high CPU or memory use by backend services, excessive process spawning, and syslog errors on Linux systems. SOC and IR teams should confirm that host telemetry and application/service logs can be correlated by time, source, user or service account where available, target endpoint, and affected process. Because no tactics or relationships are supplied, treat this as a behavior-level analytic rather than a complete ATT&CK technique mapping.
Likely telemetry
- Linux syslog entries showing backend or service errors
- Process creation and process count telemetry for web, database, mail, or application services
- CPU and memory utilization metrics at host and process level
- Application, web server, API, database, and mail server logs showing repeated requests or backend failures
- CLI/API access logs where available, including timestamps, request source, account, and target service
Detection direction
- Baseline normal request volume, process spawning, CPU, and memory behavior for critical Linux backend services before setting thresholds.
- Correlate repeated CLI/API activity with backend resource spikes and syslog errors to reduce false positives from legitimate load, batch jobs, backups, or monitoring tools.
- Tune alerts for sustained or rapidly repeated requests that coincide with excessive process creation or service degradation, not single isolated errors.
- Validate visibility gaps: missing syslog forwarding, absent process telemetry, incomplete application logs, and unmonitored internal API callers can all hide this behavior.
- Use incident response review to determine whether an event is misconfiguration, capacity exhaustion, legitimate workload, or security-relevant automation.
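As an added example (not part of the ATT&CK object or Glexia's analysis), the correlation step described above in Python: it looks for one source repeating the same request at least 20 times within 60 seconds in constructed Apache-style access-log lines, and raises an alert only when backend error syslog (php-fpm pool exhaustion, MySQL connection errors) lands in the same window. The thresholds, the error markers, the log formats and the assumed syslog year are placeholders to be replaced by each environment's own baseline.

```python
import re
from datetime import datetime, timedelta
# Constructed sample telemetry for one Linux web host (not from the original page):
# 30 identical API requests from one client within 30 s, plus one ordinary request.
ACCESS_LOG = [
    f'203.0.113.5 - - [10/Mar/2026:14:05:{s:02d} +0000] "GET /api/report?all=1 HTTP/1.1" 200 5120'
    for s in range(30)
] + ['198.51.100.7 - - [10/Mar/2026:14:05:10 +0000] "GET /index.html HTTP/1.1" 200 1024']
SYSLOG = [  # constructed syslog lines: one benign cron entry, two backend error entries
    "Mar 10 14:03:00 web01 CRON[990]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 10 14:05:12 web01 php-fpm[2211]: WARNING: [pool www] server reached pm.max_children setting (50)",
    "Mar 10 14:05:13 web01 mysqld[1543]: [ERROR] Too many connections",
]
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
SYSLOG_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ([^\[:]+)')
ERROR_MARKERS = ("[ERROR]", "max_children", "Too many connections", "Out of memory")  # assumed set

def parse_access(line):
    """(source, naive UTC timestamp, 'METHOD path') from a combined-format access log line."""
    m = ACCESS_RE.match(line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return m.group(1), ts, f"{m.group(3)} {m.group(4)}"
def parse_syslog(line, year=2026):
    """(timestamp, service) from a classic syslog line; syslog omits the year, so it is assumed."""
    m = SYSLOG_RE.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)
def find_bursts(access_lines, window=timedelta(seconds=60), threshold=20):
    """Sources repeating the same request at least `threshold` times inside one window."""
    by_key = {}
    for src, ts, req in map(parse_access, access_lines):
        by_key.setdefault((src, req), []).append(ts)
    bursts = []
    for (src, req), times in by_key.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window anchored at each request
            in_win = [t for t in times[i:] if t - start <= window]
            if len(in_win) >= threshold:
                bursts.append((src, req, len(in_win), start, in_win[-1]))
                break
    return bursts
def correlate(access_lines, syslog_lines, slack=timedelta(seconds=30)):
    """Alert only when a request burst coincides with backend error syslog on the same host."""
    errors = [parse_syslog(ln) for ln in syslog_lines if any(k in ln for k in ERROR_MARKERS)]
    alerts = []
    for src, req, n, start, end in find_bursts(access_lines):
        hits = sorted({svc for ts, svc in errors if start - slack <= ts <= end + slack})
        if hits:  # a burst without backend errors goes to capacity/baseline review, not an alert
            alerts.append({"source": src, "request": req, "count": n, "services": hits})
    return alerts
```

Running `correlate(ACCESS_LOG, SYSLOG)` yields one alert naming the source, the repeated request and the php-fpm and mysqld errors that coincided with it.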
Mitigation priorities
- Ensure critical Linux backend services have centralized logging and resource monitoring before relying on detection.
- Define operational thresholds and escalation paths for excessive CPU, memory, process spawning, and service errors.
- Apply workload and service hardening controls appropriate to the environment, such as request throttling, resource limits, and capacity safeguards where supported.
- Review API/CLI access governance so automated clients and service accounts are identifiable and accountable in logs.
- Exercise SOC-to-operations handoffs for resource-exhaustion events affecting business-critical services.
Analyst notes and limits
This object is a detection analytic for Linux and describes backend resource exhaustion caused by automated scripts or repeated CLI/API requests. No relationship context, tactics, aliases, or MITRE-provided detection logic were supplied, so this analysis focuses on defensive validation and telemetry classes rather than a specific ATT&CK technique chain.
The supplied ATT&CK fields do not identify adversary groups, campaigns, active exploitation, impact outcomes, precise detection queries, or non-Linux platforms. Local architecture, logging coverage, service criticality, and baseline workload behavior are required to determine priority and detection fidelity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 32eee86781dc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1166 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.