AN1489: Analytic 1489
Sustained execution of resource-intensive processes (e.g., cryptocurrency miners), often launched via scheduled tasks, WMI, or PowerShell. These processes frequently establish persistent external connections and attempt to evade detection using masqueraded or renamed binaries.
Analyst context for executives and security teams
AN1489 is a Windows-focused detection analytic concept for sustained, resource-heavy process execution, such as cryptocurrency mining, especially when launched through scheduled tasks, WMI, or PowerShell and paired with persistent outbound connections or renamed/masqueraded binaries. Its business value is that this behavior can turn compromised endpoints or servers into unreliable, costly, and hard-to-trust assets even when the primary visible symptom is performance degradation rather than data theft.
Executive priority
Leaders should treat this as an operational resilience and control-validation issue: can the organization quickly distinguish legitimate high-load business workloads from suspicious sustained compute use, and can the SOC explain which Windows telemetry proves how the process started, what it connected to, and whether persistence was involved? This analytic is useful for prioritizing endpoint logging, process/network correlation, and incident response playbooks for cases where business impact may appear first as degraded performance, cloud or infrastructure cost increase, or unstable critical Windows systems.
Technical view
For SOC and IR teams, validate visibility on Windows process execution patterns that remain resource-intensive over time, then correlate those processes with parent launch mechanisms noted in the ATT&CK description: scheduled tasks, WMI, and PowerShell. Investigations should pivot from the high-CPU or resource-heavy process to command line, parent/child lineage, binary path and name, persistence artifacts, and outbound connection behavior. Because no official detection logic is provided, teams should build environment-specific baselines for legitimate resource-intensive software and tune around expected administrative scripts, maintenance jobs, and approved compute workloads.
Likely telemetry
- Windows process creation and termination events, including command line, parent process, image path, hashes where available, and user context
- Endpoint performance or EDR telemetry showing sustained CPU, memory, or resource-intensive process behavior
- Scheduled task creation, modification, and execution telemetry
- WMI activity telemetry, including process creation or persistence-related WMI usage where collected
- PowerShell execution telemetry, including script block, module, command line, and host process context where enabled
Detection direction
- Correlate sustained resource consumption with process lineage rather than alerting on high CPU alone, which can generate false positives from legitimate business applications.
- Tune detections for suspicious launch chains involving scheduled tasks, WMI, or PowerShell spawning long-running resource-intensive binaries.
- Compare process names, paths, signatures, and expected locations to identify masqueraded or renamed binaries without assuming every renamed file is malicious.
- Link endpoint process telemetry to outbound network connections to identify long-lived external communications associated with the same process.
- Baseline approved high-compute workloads, administrative automation, software deployment activity, and maintenance windows to reduce noise.
Mitigation priorities
- Ensure Windows endpoint logging and EDR collection cover process creation, PowerShell, scheduled tasks, WMI, and outbound network connections before relying on this analytic operationally.
- Restrict and monitor administrative mechanisms commonly used for execution and persistence, including scheduled tasks, WMI, and PowerShell, according to least privilege and approved administration practices.
- Maintain asset and software baselines so defenders can distinguish sanctioned resource-intensive workloads from unexpected binaries or unusual execution paths.
- Use incident response procedures that capture process lineage, persistence mechanism, network destinations, and affected host role before containment decisions.
- Review whether performance monitoring, SOC alerting, and IR escalation paths are aligned for cases where the first sign of compromise is degraded system performance rather than a traditional malware alert.
Analyst notes and limits
This object is an ATT&CK detection analytic, not a technique or group profile. The supplied fields support a Windows scope and describe resource-intensive processes, possible cryptocurrency miners, scheduled task/WMI/PowerShell launch mechanisms, persistent external connections, and binary masquerading or renaming. No tactics, official detection text, or relationships were supplied, so this take focuses on validation and operationalization rather than specific ATT&CK technique mapping.
The source provides no official detection logic, no relationship context, no tactic assignment, and no evidence of specific threat actors, campaigns, active exploitation, or impact. Any production rule, severity model, or coverage claim requires local Windows telemetry, asset context, approved workload baselines, and SOC tuning evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c7beaa6cc0b8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1489 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.