AN1490: Analytic 1490
Unusual long-running processes consuming high CPU cycles (e.g., via 'top' or 'ps') initiated via cron, shell scripts, or Docker. Connections to known mining pools or DNS over HTTPS usage as evasion.
Analyst context for executives and security teams
This analytic is relevant because sustained, unusual CPU-heavy Linux processes can indicate resource abuse that affects service performance and operating cost. The ATT&CK object specifically points to processes started through cron, shell scripts, or Docker, with possible network indicators such as connections to known mining pools or DNS over HTTPS usage. For leaders, the value is not just finding a suspicious process; it is confirming whether Linux server, container, and scheduled-task monitoring can distinguish expected business workloads from activity that could degrade availability or hide in routine automation.
Executive priority
Prioritize this where Linux servers or Docker workloads support critical services, customer-facing systems, or cost-sensitive compute environments. The business question is whether the organization can quickly identify unauthorized or abnormal resource consumption before it affects performance, incident response decisions, cloud or hosting spend, and audit evidence for operational monitoring. Because no ATT&CK relationships or tactic mapping are supplied, treat this as a focused detection-readiness item rather than proof of a specific campaign or intrusion stage.
Technical view
Validate monitoring for Linux long-running processes with high CPU utilization, especially when parentage or launch context shows cron, shell scripts, or Docker. SOC and IR teams should be able to correlate process duration, CPU consumption, command line, user context, container context, scheduled-task source, and outbound network activity. Since the official detection field is not provided, teams should build local baselines for legitimate batch jobs, container workloads, and administrative scripts before alerting on anomalies. Network review should include connections to known mining pools where threat intelligence is available and visibility into DNS over HTTPS usage as a potential evasion signal.
Likely telemetry
- Linux process inventory and process execution metadata
- CPU utilization and process runtime metrics
- Command line, parent process, user, and working directory context
- Cron job definitions and scheduled execution logs
- Shell script execution evidence where available
Detection direction
- Confirm that high-CPU, long-running Linux processes can be tied back to launch source: cron, shell scripts, or Docker.
- Tune against known legitimate workloads such as backups, data processing, monitoring agents, CI/CD jobs, and expected container services.
- Correlate host and network evidence rather than alerting on CPU alone, which is prone to false positives.
- Review whether containerized processes are visible to the SOC with enough host, image, and container identity context.
- Assess blind spots around DNS over HTTPS, because encrypted DNS may reduce visibility into destination intent unless endpoint or proxy telemetry is available.
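The following is an added example, not code from the ATT&CK object, MITRE, or Glexia. It implements the correlation described above in Python over a constructed process snapshot: a process is only a finding when it is high-CPU and long-running, when its cgroup or parent chain ties it to Docker, cron, or a shell script, and after baseline workloads without a network signal are tuned out; connections to a listed mining pool or DNS over HTTPS resolver raise severity. The field names, thresholds, indicator lists, and sample records are all assumptions to be replaced with local telemetry and threat intelligence.

```python
# Added example: correlate long-running, high-CPU Linux processes with their
# launch source (cron, shell script, Docker) and outbound network context.
# Sample records are constructed for the demo; field names, thresholds and
# indicator lists are assumptions to be replaced by local telemetry and TI.
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str         # executable name as shown by ps/top
    cmdline: str      # full command line
    cpu_pct: float    # recent CPU utilisation (e.g. from ps -o %cpu)
    elapsed_s: int    # seconds since the process started
    cgroup: str = ""  # cgroup path; Docker places containers under /docker/<id>


@dataclass
class Conn:
    pid: int
    dst_ip: str
    dst_port: int
    sni: str = ""     # TLS server name, if an endpoint or proxy sensor exposes it


# Tuning values and indicator lists (placeholders; derive from local baselines and TI feeds)
CPU_THRESHOLD = 80.0
RUNTIME_THRESHOLD_S = 4 * 3600
KNOWN_POOL_HOSTS = {"pool.example-mining.test"}
KNOWN_POOL_IPS = {"192.0.2.10"}                # TEST-NET placeholder
KNOWN_DOH_HOSTS = {"doh.example-resolver.test"}
BASELINE_COMMS = {"tar", "ffmpeg"}             # expected CPU-heavy jobs on this host


def launch_sources(proc, by_pid):
    """Return the in-scope launch sources for a process: its Docker cgroup plus
    any cron daemon or shell script found in its parent chain (nearest first)."""
    sources = []
    if proc.cgroup.startswith("/docker/"):
        sources.append("docker")
    cur, seen = proc, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.comm in ("cron", "crond"):
            sources.append("cron")
        elif cur.comm in ("sh", "bash", "dash") and any(
                a.endswith(".sh") for a in cur.cmdline.split()):
            sources.append("shell-script")
        cur = by_pid.get(cur.ppid)
    return sources


def network_flags(pid, conns):
    """Flag connections from a pid to known mining pools or DoH resolvers."""
    flags = []
    for c in conns:
        if c.pid != pid:
            continue
        if c.sni in KNOWN_POOL_HOSTS or c.dst_ip in KNOWN_POOL_IPS:
            flags.append("mining-pool")
        if c.dst_port == 443 and c.sni in KNOWN_DOH_HOSTS:
            flags.append("doh")
    return flags


def evaluate(procs, conns):
    """Apply the analytic: high CPU AND long runtime AND in-scope launch source,
    tuned against baseline workloads, with network context raising severity."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.cpu_pct < CPU_THRESHOLD or p.elapsed_s < RUNTIME_THRESHOLD_S:
            continue
        sources = launch_sources(p, by_pid)
        if not sources:
            continue  # outside the object's scope (cron, shell scripts, Docker)
        net = network_flags(p.pid, conns)
        if p.comm in BASELINE_COMMS and not net:
            continue  # known workload with no network signal: tuned out
        findings.append({"pid": p.pid, "user": p.user, "comm": p.comm,
                         "sources": sources, "network": net,
                         "severity": "high" if net else "medium"})
    return findings


# Constructed sample snapshot (not real telemetry)
SAMPLE_PROCS = [
    Proc(1, 0, "root", "systemd", "/sbin/init", 0.1, 900000),
    Proc(700, 1, "root", "cron", "/usr/sbin/cron -f", 0.0, 900000),
    Proc(701, 700, "backup", "sh", "/bin/sh -c /opt/jobs/backup.sh", 0.0, 18000),
    Proc(702, 701, "backup", "tar", "tar -czf /mnt/bk/daily.tgz /srv", 85.0, 18000),
    Proc(801, 700, "www-data", "sh", "sh /var/tmp/jobs/run.sh", 0.0, 21600),
    Proc(802, 801, "www-data", "worker", "./worker -t 8", 97.0, 21600),
    Proc(900, 1, "root", "containerd-shim", "containerd-shim-runc-v2", 0.2, 30000),
    Proc(901, 900, "root", "python3", "python3 app.py", 90.0, 28800, "/docker/4f2a"),
    Proc(950, 1, "media", "ffmpeg", "ffmpeg -i in.mp4 out.mkv", 95.0, 36000),
]
SAMPLE_CONNS = [
    Conn(802, "192.0.2.10", 3333),
    Conn(901, "198.51.100.5", 443, sni="doh.example-resolver.test"),
    Conn(702, "203.0.113.9", 443, sni="backup.example.test"),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_PROCS, SAMPLE_CONNS):
        print(finding)
```

On the sample data the cron-launched backup (tar, no network signal) is tuned out and the systemd-started ffmpeg job is out of scope, leaving two findings: the shell-script/cron worker talking to the listed pool IP and the Docker process using the listed DoH resolver. The SNI field is the weak point in practice: without endpoint or proxy telemetry that exposes the server name, the DoH check degrades to destination IP matching, which is the blind spot the list above describes.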
Mitigation priorities
- Establish baselines for expected Linux CPU-intensive jobs and container workloads.
- Restrict and review cron entries, shell scripts, and Docker execution paths on systems where unauthorized automation would be material.
- Ensure least-privilege administration for users and service accounts that can create scheduled tasks or run containers.
- Maintain logging for Linux process activity, scheduled task changes, container runtime events, and outbound network connections.
- Apply network controls and monitoring for unauthorized outbound connections, including policy decisions around DNS over HTTPS where appropriate.
Analyst notes and limits
This object is a detection analytic, not a technique description. It is limited to Linux and highlights unusual long-running high-CPU processes initiated via cron, shell scripts, or Docker, plus network context involving mining pools or DNS over HTTPS. No tactics, relationships, aliases, labels, or official detection implementation details were supplied, so local engineering must define thresholds, baselines, and response criteria.
The supplied ATT&CK fields do not identify a specific adversary, campaign, impact, active exploitation, or mapped tactic. Detection quality depends on local Linux, container, process, CPU, scheduled-task, DNS, and network telemetry. The object does not provide a ready-made analytic query or validated thresholds.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | af8982ed7a93… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1490 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.