Resource Hijacking

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

Resource hijacking may take a number of different forms. For example, adversaries may:

  • Leverage compute resources in order to mine cryptocurrency
  • Sell network bandwidth to proxy networks
  • Generate SMS traffic for profit
  • Abuse cloud-based messaging services to send large quantities of spam messages

In some cases, adversaries may leverage multiple types of Resource Hijacking at once.[1]

ID: T1496
Sub-techniques: T1496.001, T1496.002, T1496.003, T1496.004
Tactic: Impact
Platforms: Containers, IaaS, Linux, SaaS, Windows, macOS
Impact Type: Availability
Contributors: Alfredo Oliveira, Trend Micro; David Fiser, @anu4is, Trend Micro; Jay Chen, Palo Alto Networks; Magno Logan, @magnologan, Trend Micro; Menachem Goldstein; Vishwas Manral, McAfee; Yossi Weizman, Azure Defender Research Team
Version: 2.0
Created: 17 April 2019
Last Modified: 13 October 2024

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID | Data Source | Data Component | Detects

DS0015 | Application Log | Application Log Content

Monitor logs for software-as-a-service (SaaS) applications for signs of abuse.

DS0025 | Cloud Service | Cloud Service Modification

Monitor for changes to SaaS services, especially when quotas are raised or when new services are enabled.

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may indicate common cryptomining or proxyware functionality.

DS0022 | File | File Creation

Monitor for common cryptomining or proxyware files on local systems that may indicate compromise and resource usage.

DS0029 | Network Traffic | Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts; look for connections to or from unusual ports, and check the reputation of IPs and URLs associated with cryptocurrency hosts.

DS0029 | Network Traffic | Network Traffic Content

Monitor network traffic content for signs that the resources of co-opted systems are being used to complete resource-intensive tasks, which may impact system and/or hosted service availability.

Note: the Destination Host Name field is not a comprehensive list of potential cryptocurrency URLs. This analytic relies on a hardcoded domain name, which may change.

DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0009 | Process | Process Creation

Monitor for common cryptomining or proxyware software process names that may indicate compromise and resource usage.

DS0013 | Sensor Health | Host Status

Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources.
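Several of the detection rows above are weak on their own (a batch transcode also burns CPU; a download also opens a connection), so a practical analytic correlates them. The following is an added example, not part of the ATT&CK page: it scores constructed process telemetry against the Command Execution, Network Connection Creation, Network Traffic Flow and Host Status signals and alerts only when two or more agree. The baseline sets, port list, indicator strings and sample processes are all assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ProcessSample:
    pid: int
    name: str
    cmdline: str
    cpu_pct: float                  # mean CPU use over the window, percent
    remote_ports: set = field(default_factory=set)  # destination ports seen

# Assumed baseline of processes that normally use the network on this host.
NETWORK_BASELINE = {"sshd", "chronyd", "nginx"}
# Destination ports considered ordinary for this host (assumption).
COMMON_PORTS = {22, 53, 80, 123, 443}
# Illustrative command-line indicators; feed these from your own intel.
SUSPICIOUS_ARGS = ("stratum+tcp://", "--donate-level")
CPU_THRESHOLD = 85.0

def score_process(p):
    """Return the independent reasons this process looks like hijacking."""
    reasons = []
    if p.cpu_pct >= CPU_THRESHOLD:                         # Host Status
        reasons.append("sustained high CPU")
    if p.remote_ports and p.name not in NETWORK_BASELINE:  # Traffic Flow
        reasons.append("network use by process outside baseline")
    odd = sorted(port for port in p.remote_ports if port not in COMMON_PORTS)
    if odd:                                                # Connection Creation
        reasons.append(f"uncommon remote ports {odd}")
    if any(tok in p.cmdline for tok in SUSPICIOUS_ARGS):   # Command Execution
        reasons.append("mining/proxyware indicator in command line")
    return reasons

def detect(samples, min_reasons=2):
    """Flag only processes with at least min_reasons signals, so a legitimate
    CPU-heavy job or a lone outbound connection does not raise an alert."""
    hits = {}
    for p in samples:
        reasons = score_process(p)
        if len(reasons) >= min_reasons:
            hits[p.pid] = reasons
    return hits

# Constructed telemetry: a benign daemon, a miner, a batch transcode, a download.
SAMPLES = [
    ProcessSample(101, "sshd", "/usr/sbin/sshd -D", 1.2, {22}),
    ProcessSample(212, "svc_helper", "/tmp/svc_helper -o stratum+tcp://"
                  "pool.invalid:3333 --donate-level=1", 97.5, {3333}),
    ProcessSample(333, "ffmpeg", "ffmpeg -i in.mkv out.mp4", 92.0),
    ProcessSample(404, "curl", "curl https://example.com/", 0.5, {443}),
]
```

Running `detect(SAMPLES)` flags only PID 212 with all four reasons; the transcode and the download each match a single signal and stay below the threshold.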

References