Technique on mitre.org

T1496: Resource Hijacking

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining. Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.

Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.

Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate Network Denial of Service campaigns and/or to seed malicious torrents. Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

The most common purpose for resource hijacking (unauthorized usage of resources) is cryptocurrency mining. — Reputation lists, if there is a possibility to access or download them, can be used for monitoring network connections to destinations which domain (or server) name is associated with cryptocurrency mining. — Monitoring of process-start events where command line input contains parameters related to running cryptominers. Examples of parameters (if the command line input does not contain 'pool.c', 'pool.o', 'gcc –'): ' --cpu-priority=', '--donate-level=0', ' -o pool.', ' --nicehash', ' --algo=rx/0', 'stratum+tcp://', 'stratum+udp://', 'LS1kb25hdGUtbGV2ZWw9', '0tZG9uYXRlLWxldmVsP', 'tLWRvbmF0ZS1sZXZlbD', 'c3RyYXR1bSt0Y3A6Ly', 'N0cmF0dW0rdGNwOi8v', 'zdHJhdHVtK3RjcDovL', 'c3RyYXR1bSt1ZHA6Ly', 'N0cmF0dW0rdWRwOi8v', 'zdHJhdHVtK3VkcDovL'.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may indicate common cryptomining or proxyware functionality.

ID	DS0029	Data source and component	Network Traffic: Network Traffic Content	Description	Monitor network traffic content for resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Note: Destination Host Name is not a comprehensive list of potential cryptocurrency URLs. This analytic has a hardcoded domain name which may change.

ID	DS0029	Data source and component	Network Traffic: Network Traffic Flow	Description	Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ID	DS0029	Data source and component	Network Traffic: Network Connection Creation	Description	Monitor for newly constructed network connections that are sent or received by untrusted hosts, look for connections to/from strange ports, as well as reputation of IPs and URLs related cryptocurrency hosts.

ID	DS0013	Data source and component	Sensor Health: Host Status	Description	Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources.

ID	DS0022	Data source and component	File: File Creation	Description	Monitor for common cryptomining or proxyware files on local systems that may indicate compromise and resource usage.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for common cryptomining or proxyware software process names that may indicate compromise and resource usage.

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor executed commands and arguments that may indicate common cryptomining or proxyware functionality.
DS0029	Network Traffic: Network Traffic Content	Monitor network traffic content for resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Note: Destination Host Name is not a comprehensive list of potential cryptocurrency URLs. This analytic has a hardcoded domain name which may change.
DS0029	Network Traffic: Network Traffic Flow	Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
DS0029	Network Traffic: Network Connection Creation	Monitor for newly constructed network connections that are sent or received by untrusted hosts, look for connections to/from strange ports, as well as reputation of IPs and URLs related cryptocurrency hosts.
DS0013	Sensor Health: Host Status	Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources.
DS0022	File: File Creation	Monitor for common cryptomining or proxyware files on local systems that may indicate compromise and resource usage.
DS0009	Process: Process Creation	Monitor for common cryptomining or proxyware software process names that may indicate compromise and resource usage.