AN1491: Analytic 1491
Persistent or background daemons (e.g., plist or launchd jobs) spawning high-CPU processes like xmrig or cpuminer. Outbound encrypted traffic to IPs/domains commonly used by mining proxies.
Analyst context for executives and security teams
This analytic matters because it points to a macOS persistence-and-resource-abuse pattern: background daemons such as plist or launchd jobs spawning high-CPU processes associated with cryptocurrency mining, with encrypted outbound traffic to mining proxy infrastructure. For leaders, the practical issue is not just malware labeling; it is whether endpoint, network, and SOC processes can recognize unauthorized persistent workloads before they degrade user productivity, consume compute resources, or signal broader endpoint compromise.
Executive priority
Prioritize validation where macOS systems are business-critical, privileged, or broadly deployed. Security leaders should ask whether teams can prove visibility into launchd/plist persistence, abnormal CPU consumption, suspicious process names such as xmrig or cpuminer when present, and encrypted outbound connections to unusual IPs or domains. This supports operational resilience, incident triage, and compliance evidence by showing that persistent unauthorized background activity on macOS can be investigated with host and network data rather than user reports alone.
Technical view
For SOC and detection engineering teams, this object is a macOS detection analytic with no official detection logic supplied. Build validation around the described behavior: persistent or background daemons, including plist or launchd jobs, spawning high-CPU processes, especially names associated in the description with mining activity such as xmrig or cpuminer, combined with outbound encrypted traffic to IPs or domains commonly used by mining proxies. Because no ATT&CK tactic or relationship context is supplied, treat this as a behavior-focused analytic rather than a complete technique mapping. IR teams should confirm the parent-child process chain, daemon configuration source, process resource usage, and network destinations before escalating severity.
Likely telemetry
- macOS process creation and parent-child process lineage
- launchd job and plist creation, modification, and execution records
- Endpoint performance or resource telemetry showing sustained high CPU usage
- Command-line and process name telemetry for processes such as xmrig or cpuminer when present
- Network connection logs showing encrypted outbound traffic from the affected host
Detection direction
- Validate that macOS endpoint telemetry captures launchd/plist activity and can correlate daemon-launched processes with CPU utilization and network connections.
- Tune for combinations of signals rather than a single indicator: persistent daemon parent, high CPU child process, miner-like process name, and encrypted outbound traffic to unusual or known mining-proxy destinations.
- Account for false positives from legitimate high-CPU workloads, administrative launchd jobs, developer tooling, and approved background agents; require local allowlists and asset context.
- Confirm whether encrypted traffic visibility is limited to metadata, proxy logs, DNS logs, or endpoint network events; content inspection should not be assumed.
- Because the official detection field is not provided and there are no relationships, document local detection assumptions and test coverage against benign and suspicious macOS daemon scenarios.
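One way to express the combined-signal rule above as detection logic over endpoint and network events, as an added example that is not part of the ATT&CK object or Glexia's analysis; the event tuple shapes, CPU threshold, allowlists and destination sets are constructed assumptions to be replaced with local asset context and intelligence:

```python
CPU_THRESHOLD = 80.0                      # sustained CPU % over the sample window
MIN_SIGNALS = 3                           # alert on a combination, not one indicator
MINER_NAMES = {"xmrig", "cpuminer"}       # names called out by the analytic
# Constructed placeholders: replace with local allowlists and intel feeds.
APPROVED_JOBS = {"com.example.ci-runner"}  # approved launchd jobs (asset context)
APPROVED_DSTS = {"updates.example.com"}    # known-good encrypted destinations
PROXY_DSTS = {"mining-proxy.example"}      # mining-proxy destinations from intel
# Process event: (pid, name, parent, launchd job label or None, sustained cpu %); network event: (pid, dst, is_tls)

def signals_for(proc, nets):
    """Return the analytic signals that fire for one process event."""
    pid, name, parent, job, cpu = proc
    if job in APPROVED_JOBS:              # local allowlist suppresses the check
        return []
    hits = []
    if parent == "launchd" and job:
        hits.append("persistent launchd/plist parent")
    if cpu >= CPU_THRESHOLD:
        hits.append("sustained high CPU")
    if name.lower() in MINER_NAMES:
        hits.append("miner-like process name")
    tls_dsts = {dst for p, dst, tls in nets if p == pid and tls}
    if tls_dsts & PROXY_DSTS:
        hits.append("encrypted outbound to known mining-proxy destination")
    elif tls_dsts - APPROVED_DSTS:
        hits.append("encrypted outbound to unapproved destination")
    return hits

def detect(procs, nets):
    """Map pid -> signals for processes that reach MIN_SIGNALS."""
    alerts = {}
    for proc in procs:
        hits = signals_for(proc, nets)
        if len(hits) >= MIN_SIGNALS:
            alerts[proc[0]] = hits
    return alerts

# Constructed sample telemetry, not real host data.
PROCS = [
    (501, "xmrig", "launchd", "com.update.helper", 96.0),      # daemon-spawned miner
    (502, "clang", "launchd", "com.example.ci-runner", 99.0),  # approved CI job
    (503, "Xcode", "loginwindow", None, 90.0),                 # interactive dev tooling
    (504, "node", "launchd", "com.acme.agent", 88.0),          # unknown daemon, no miner name
]
NETS = [
    (501, "mining-proxy.example", True),
    (503, "updates.example.com", True),
    (504, "203.0.113.7", True),
]
```

Running `detect(PROCS, NETS)` flags pid 501 on all four signals and pid 504 on three (persistence, CPU, unapproved encrypted destination) while the allowlisted CI job and the interactive high-CPU developer tool stay silent.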
Mitigation priorities
- Establish a baseline of approved macOS launchd jobs, plists, and background daemons for managed endpoints.
- Restrict and monitor unauthorized persistence locations and changes to daemon configuration where organizational policy allows.
- Ensure endpoint monitoring covers process lineage, resource usage, and network metadata on macOS systems.
- Use network controls and DNS/proxy policy to review or restrict suspicious outbound encrypted connections to unapproved destinations.
- Prepare incident response procedures to remove unauthorized daemon persistence, terminate abusive processes, and determine whether additional compromise occurred.
Analyst notes and limits
The strongest decision value is coverage validation: can the organization connect macOS persistence mechanisms to process behavior and outbound network activity? This analytic is particularly useful for managed detection and IR readiness discussions because it requires host and network correlation, not just static indicator matching.
The supplied ATT&CK object provides a short description but no official detection logic, no tactics, and no relationship context. Its platform scope is macOS only. Any assessment of active exploitation, specific adversaries, confirmed mining infrastructure, business impact, or current customer exposure requires local telemetry and intelligence not included in the supplied fields.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8f9425e25109… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.