Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability.
One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining. Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.
Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments that may indicate common cryptomining functionality
Monitor for common cryptomining files on local systems that may indicate compromise and resource usage
|DS0029||Network Traffic||Network Connection Creation||
Monitor for newly constructed network connections that are sent or received by untrusted hosts.
|Network Traffic Flow||
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
Monitor for common cryptomining software process names that may indicate compromise and resource usage.
|DS0013||Sensor Health||Host Status||
Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources.