Resource Hijacking: Bandwidth Hijacking

Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate Network Denial of Service campaigns and/or to seed malicious torrents.[1] Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.[2] Finally, they may engage in internet-wide scanning in order to identify additional targets for compromise.[3]

In addition to incurring potential financial costs or availability disruptions, this technique may cause reputational damage if a victim’s bandwidth is used for illegal activities.[2]

ID: T1496.002
Sub-technique of: T1496
Tactic: Impact
Platforms: Containers, IaaS, Linux, Windows, macOS
Impact Type: Availability
Version: 1.0
Created: 25 September 2024
Last Modified: 25 September 2024

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Each entry lists the data source ID, data source and data component, followed by what to look for.

DS0017 Command / Command Execution

Monitor executed commands and arguments that may indicate common proxyware functionality.

DS0022 File / File Creation

Monitor for common proxyware files on local systems that may indicate compromise and resource usage.

DS0029 Network Traffic / Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts. Look for connections to/from strange ports.

DS0029 Network Traffic / Network Traffic Content

Monitor network traffic content for strange or unusual patterns.

DS0029 Network Traffic / Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0009 Process / Process Creation

Monitor for common proxyware software process names that may indicate compromise and resource usage.
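The following is an added example, not code from the MITRE ATT&CK page or from any referenced report, that turns the Network Traffic Flow, Network Connection Creation and Process Creation guidance above into a scoring rule over per-process flow summaries. The key=value record format, the per-host baseline of processes expected to use the network, the port list, the scoring weights and every threshold are assumptions chosen for illustration, and the flow records are constructed sample data. The strong indicators it scores are the two traffic shapes the technique produces: sustained upload-heavy egress (proxyware, torrent seeding, DoS traffic) and wide fan-out to many remote hosts (scanning); the weak indicators are the page's own "never seen on the network before" and "strange ports" signals.

```python
"""Heuristic triage of bandwidth hijacking from per-process flow summaries.

Added example (not MITRE ATT&CK's code). The key=value record format, the
per-host baseline of network-using processes and every threshold below are
assumptions chosen for illustration; tune them against your own telemetry.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): one record per observed flow,
# summarising bytes sent/received by a process to one remote address:port.
_STATIC = """\
host=web01 proc=nginx raddr=203.0.113.10 rport=443 out=120000 in=3400000
host=web01 proc=nginx raddr=203.0.113.11 rport=443 out=98000 in=2900000
host=web01 proc=sshd raddr=203.0.113.12 rport=22 out=40000 in=30000
host=web01 proc=update-agent raddr=198.51.100.7 rport=1080 out=850000000 in=12000000
host=web01 proc=update-agent raddr=198.51.100.8 rport=1080 out=910000000 in=9000000
"""
# A process probing 59 distinct hosts on one port: the scanning pattern.
_SCAN = "\n".join(
    f"host=web01 proc=helper raddr=192.0.2.{i} rport=22 out=120 in=0" for i in range(1, 60)
)
SAMPLE_FLOWS = _STATIC + _SCAN + "\n"

LINE_RE = re.compile(
    r"host=(?P<host>\S+) proc=(?P<proc>\S+) raddr=(?P<raddr>\S+) "
    r"rport=(?P<rport>\d+) out=(?P<out>\d+) in=(?P<in>\d+)"
)

# Assumed baseline: processes expected to use the network on each host.
NETWORK_BASELINE = {"web01": {"nginx", "sshd"}}
COMMON_PORTS = {22, 53, 80, 123, 443}
MIN_EGRESS_BYTES = 500_000_000   # 500 MB out before "upload-heavy" counts
EGRESS_RATIO = 10                # bytes out must exceed 10x bytes in
SCAN_FANOUT = 50                 # distinct remote hosts contacted by one process
ALERT_SCORE = 2                  # weak indicators alone do not alert


def parse_flows(text):
    """Parse key=value flow records; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for k in ("rport", "out", "in"):
            rec[k] = int(rec[k])
        flows.append(rec)
    return flows


def analyze(flows, baseline=NETWORK_BASELINE):
    """Aggregate flows per (host, process) and score bandwidth-hijacking indicators."""
    agg = defaultdict(lambda: {"out": 0, "in": 0, "raddrs": set(), "ports": set()})
    for f in flows:
        a = agg[(f["host"], f["proc"])]
        a["out"] += f["out"]
        a["in"] += f["in"]
        a["raddrs"].add(f["raddr"])
        a["ports"].add(f["rport"])

    findings = {}
    for (host, proc), a in agg.items():
        score, reasons = 0, []
        # Weak indicators: process not known to use the network; unusual ports.
        if proc not in baseline.get(host, set()):
            score += 1
            reasons.append("process not in network baseline for host")
        odd_ports = sorted(p for p in a["ports"] if p not in COMMON_PORTS)
        if odd_ports:
            score += 1
            reasons.append(f"uncommon remote ports {odd_ports}")
        # Strong indicators: sustained upload-heavy egress, or fan-out to
        # many distinct remote hosts (internet-wide scanning).
        if a["out"] >= MIN_EGRESS_BYTES and a["out"] >= EGRESS_RATIO * max(a["in"], 1):
            score += 2
            reasons.append(f"upload-heavy egress: {a['out']} bytes out vs {a['in']} in")
        if len(a["raddrs"]) >= SCAN_FANOUT:
            score += 2
            reasons.append(f"fan-out to {len(a['raddrs'])} distinct remote hosts")
        if score >= ALERT_SCORE:
            findings[(host, proc)] = {"score": score, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for (host, proc), f in sorted(analyze(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{host} {proc} score={f['score']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

On the constructed sample, nginx and sshd score 0, update-agent alerts on an uncommon port plus upload-heavy egress, and helper alerts on fan-out. A process that is merely new to the host scores 1 and does not alert on its own, which keeps routine software rollouts quiet; the baseline is the part that needs maintaining, since a proxyware binary dropped under a name already in the baseline would only be caught by the traffic-shape rules.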

References