Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0540: Multi-Platform Behavioral Detection for Compute Hijacking

DET0540 is a MITRE detection strategy for identifying compute hijacking behavior across environments, tied to ATT&CK technique T1496.001. The business issu...

EnterpriseDET0540Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0540 is a MITRE detection strategy for identifying compute hijacking behavior across environments, tied to ATT&CK technique T1496.001. The business issue is resource abuse: compromised systems or hosted services can be driven into high CPU, memory, or workload consumption, potentially degrading availability and increasing infrastructure cost. Because the DET0540 object has no official description or detection text, teams should treat it as a prompt to validate whether they can see abnormal compute consumption and correlate it to suspicious process, host, cloud, or service activity rather than assuming a ready-made detection exists.

Executive priority

Prioritize this as an operational resilience and cost-control question: can the organization quickly distinguish legitimate resource spikes from unauthorized compute abuse on Windows, Linux, macOS, and IaaS assets associated with T1496.001? Leaders should ask whether SOC, cloud operations, and incident response teams have shared evidence for resource anomalies, ownership of triage decisions, and escalation paths when hosted services or endpoints become degraded or unresponsive. This also supports audit and governance conversations around monitoring coverage for availability-impacting security events.

Technical view

The supplied ATT&CK object is a detection strategy with no official detection logic, platforms, or tactics listed, but it detects T1496.001 Compute Hijacking, which is an Impact technique affecting Windows, Linux, macOS, and IaaS. SOC and detection engineering teams should validate behavioral analytics around abnormal compute utilization, unexpected long-running or resource-intensive processes, unusual workload creation in IaaS, and service degradation correlated with host or cloud activity. IR teams should ensure triage can connect performance symptoms to security evidence rather than treating all spikes as routine operations noise.

Likely telemetry

  • Endpoint performance metrics such as CPU, memory, process runtime, and process lineage where available
  • Operating system process execution and command/process metadata from Windows, Linux, and macOS assets relevant to T1496.001
  • Cloud/IaaS workload, instance, container, or compute resource utilization metrics where applicable
  • Cloud control-plane or audit logs showing compute resource creation, scaling, or unusual workload changes
  • EDR, host monitoring, or SIEM events that correlate resource-intensive activity with user, host, and process context

Detection direction

  • Validate that resource-consumption alerts are correlated with process, identity, host, and cloud context; utilization alone will produce operational false positives.
  • Tune for deviations from local baselines, such as unusual sustained compute load, unexpected resource-intensive processes, or abnormal IaaS consumption outside expected maintenance or business cycles.
  • Include relationship-driven coverage for T1496.001 platforms: Windows, Linux, macOS, and IaaS, while noting that DET0540 itself does not specify platforms.
  • Account for legitimate high-compute workloads such as batch jobs, builds, analytics, backups, and autoscaling events to reduce alert fatigue.
  • Check blind spots where performance monitoring is owned by infrastructure teams but not integrated into SOC triage or incident response workflows.

Mitigation priorities

  • Establish baseline visibility for compute utilization and workload behavior across endpoint and IaaS environments relevant to T1496.001.
  • Integrate infrastructure monitoring, endpoint telemetry, and cloud audit evidence into SOC workflows so availability-impacting anomalies can be investigated as potential security events.
  • Define ownership and escalation thresholds for suspected compute abuse, including when to involve cloud operations, system owners, and incident response.
  • Review access and change controls around compute resource creation and scaling in IaaS environments to reduce unauthorized or unreviewed resource consumption.
  • Document detection assumptions, known false positives, and telemetry gaps as compliance and readiness evidence.
Analyst notes and limits

This Glexia take is based on the MITRE detection strategy object DET0540 and its relationship indicating it detects T1496.001 Compute Hijacking. The related technique describes adversaries leveraging co-opted compute resources for resource-intensive tasks, including cryptocurrency transaction validation, with potential availability impact. Because the official DET0540 description and detection fields are not provided, recommendations focus on conservative validation of telemetry, correlation, triage, and control ownership rather than specific detection logic.

The DET0540 object provides no official description, no official detection text, no tactics, and no platforms. Platform and tactic context comes only from the relationship to T1496.001. Local asset inventory, cloud architecture, workload baselines, and monitoring coverage are required before determining actual detection capability or risk exposure.

Official MITRE ATT&CK definition

Multi-Platform Behavioral Detection for Compute Hijacking

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1496.001 Compute Hijacking Sub-technique This object detects Compute Hijacking.
Relationship explorer

All related ATT&CK context

detects · Technique T1496.001: Compute Hijacking Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
9b339c6a84428dd5...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 9b339c6a8442…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0540
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use