Which SIEM platforms have a T1496 detection rule?

df00tech provides T1496 (Resource Hijacking) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1496 detection?

The T1496 detection is rated high severity with high confidence.

What are common false positives for T1496?

Common false positives for T1496 include: Legitimate cryptocurrency wallet software or personal mining on developer endpoints (rare in corporate environments); Security researchers or red team operators running miner tools in authorized lab environments; Network performance testing tools connecting to high-numbered ports that overlap with mining pool ranges.

T1496

Resource Hijacking

Q: What data sources are required to detect Resource Hijacking (T1496)?

Detecting Resource Hijacking requires the following data sources: Process: Process Creation, Network Traffic: Network Connection Creation, Command: Command Execution, Microsoft Defender for Endpoint.

Impact Last updated: April 14, 2026

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking includes cryptocurrency mining (cryptojacking), selling network bandwidth to proxy networks (proxyjacking), generating SMS traffic for profit, and abusing cloud-based messaging or compute services. Adversaries often deploy miners via initial access (phishing, exploitation), lateral movement, or compromised cloud credentials, and may use rootkits or process hollowing to hide mining activity.

What is T1496 Resource Hijacking?

Resource Hijacking (T1496) maps to the Impact tactic — the adversary is trying to manipulate, interrupt, or destroy your systems and data in MITRE ATT&CK.

This page provides production-ready detection logic for Resource Hijacking, covering the data sources and telemetry it touches: Process: Process Creation, Network Traffic: Network Connection Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated high severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Impact
Technique: T1496 Resource Hijacking
Canonical reference: https://attack.mitre.org/techniques/T1496/

Microsoft Sentinel / Defender

kusto

let KnownMinerProcessNames = dynamic([
  "xmrig", "xmrig.exe", "minerd", "minerd.exe", "cpuminer", "cpuminer.exe",
  "ethminer", "ethminer.exe", "nheqminer", "nheqminer.exe", "t-rex", "t-rex.exe",
  "nbminer", "nbminer.exe", "phoenixminer", "lolminer", "gminer", "gminer.exe",
  "bfgminer", "cgminer", "cgminer.exe", "claymore", "excavator", "teamredminer",
  "kawpowminer", "poolminer", "stratum", "xmr-stak", "xmr-stak.exe"
]);
let MiningPoolPorts = dynamic([3333, 4444, 5555, 7777, 9999, 14444, 45700, 3256, 8008, 1080, 9200, 14433, 20536]);
let MiningPoolDomains = dynamic([
  "pool.minexmr.com", "xmrpool.eu", "pool.supportxmr.com", "monerohash.com",
  "nanopool.org", "f2pool.com", "ethermine.org", "2miners.com", "hiveon.net",
  "nicehash.com", "prohashing.com", "antpool.com", "btc.com", "viabtc.com",
  "zpool.ca", "coinhive.com", "jsecoin.com", "crypto-loot.com"
]);
let MinerCommandPatterns = dynamic([
  "stratum+tcp", "stratum+ssl", "stratum2+tcp",
  "-o pool.", "--url=", "-u wallet.", "--wallet",
  "--donate-level", "--coin xmr", "--coin monero",
  "mining.subscribe", "mining.authorize"
]);
// Branch 1: Known miner process names
let MinerProcessEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (KnownMinerProcessNames)
   or ProcessCommandLine has_any (MinerCommandPatterns)
| extend DetectionSource = "MinerProcess"
| extend RiskScore = 90
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionSource, RiskScore;
// Branch 2: Network connections to mining pool ports/domains
let MinerNetworkEvents = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (MiningPoolPorts)
   or RemoteUrl has_any (MiningPoolDomains)
   or RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "outlook.exe", "teams.exe")
| extend DetectionSource = "MinerNetworkConn"
| extend RiskScore = 70
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionSource, RiskScore;
// Branch 3: Suspicious process spawning miner-related child processes
let MinerChildProcess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "bash", "sh")
| where FileName has_any (KnownMinerProcessNames)
   or ProcessCommandLine has_any (MinerCommandPatterns)
| extend DetectionSource = "MinerSpawnedByLOLBin"
| extend RiskScore = 95
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionSource, RiskScore;
// Union all branches
union MinerProcessEvents, MinerNetworkEvents, MinerChildProcess
| summarize RiskScore=max(RiskScore), DetectionSources=make_set(DetectionSource),
            CommandLines=make_set(ProcessCommandLine)
  by Timestamp, DeviceName, AccountName, FileName, InitiatingProcessFileName
| sort by RiskScore desc, Timestamp desc

Detects resource hijacking (cryptomining, proxyjacking) across three signal branches: (1) known miner process names and command-line patterns including stratum protocol arguments and wallet parameters; (2) outbound network connections to common mining pool ports (3333, 4444, 5555, etc.) and known pool domains; (3) scripting engines or LOLBins spawning miner processes. Results are unioned and deduplicated with a risk score to help analysts prioritize. Uses DeviceProcessEvents and DeviceNetworkEvents from Microsoft Defender for Endpoint.

high severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate cryptocurrency wallet software or personal mining on developer endpoints (rare in corporate environments)
Security researchers or red team operators running miner tools in authorized lab environments
Network performance testing tools connecting to high-numbered ports that overlap with mining pool ranges
Proxy or VPN client software using ports that coincidentally overlap with known mining pool ports
Penetration testing scripts containing stratum protocol strings for mining simulation exercises

Splunk

spl

index=* (
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
  OR sourcetype="WinEventLog:Security"
  OR sourcetype="syslog"
)
(
  (
    (EventCode=1 OR EventCode=4688)
    (
      Image IN ("*xmrig*", "*minerd*", "*cpuminer*", "*ethminer*", "*nheqminer*",
                "*t-rex*", "*nbminer*", "*phoenixminer*", "*lolminer*", "*gminer*",
                "*bfgminer*", "*cgminer*", "*xmr-stak*", "*poolminer*")
      OR Process_Name IN ("*xmrig*", "*minerd*", "*cpuminer*", "*ethminer*")
      OR CommandLine IN ("*stratum+tcp*", "*stratum+ssl*", "*stratum2+tcp*",
                         "*mining.subscribe*", "*mining.authorize*",
                         "*--donate-level*", "*--coin xmr*", "*--coin monero*")
      OR CommandLine IN ("*-o pool.*", "*--url=*pool*", "*-u wallet.*", "*--wallet*")
    )
  )
  OR
  (
    EventCode=3
    (DestinationPort IN ("3333", "4444", "5555", "7777", "9999", "14444", "45700", "3256", "14433", "20536"))
    NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
    NOT (Image IN ("*chrome.exe", "*msedge.exe", "*firefox.exe", "*iexplore.exe", "*outlook.exe", "*teams.exe"))
  )
)
| eval EventType=case(
    EventCode=1 OR EventCode=4688, "ProcessCreate",
    EventCode=3, "NetworkConnect",
    true(), "Unknown"
  )
| eval MinerProcess=if(
    match(lower(Image), "(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer)"),
    1, 0
  )
| eval MinerCommandLine=if(
    match(lower(CommandLine), "(stratum\+tcp|stratum\+ssl|mining\.subscribe|mining\.authorize|donate-level|--coin xmr|--coin monero|-o pool\.|--wallet)"),
    1, 0
  )
| eval MiningPoolPort=if(EventCode=3 AND DestinationPort IN ("3333","4444","5555","7777","9999","14444","45700","14433","20536"), 1, 0)
| eval SpawnedByScript=if(
    match(lower(ParentImage), "(powershell|cmd\.exe|wscript|cscript|mshta|bash|sh)") AND MinerProcess=1,
    1, 0
  )
| eval RiskScore=case(
    SpawnedByScript=1, 95,
    MinerProcess=1 AND MinerCommandLine=1, 90,
    MinerProcess=1, 80,
    MinerCommandLine=1, 75,
    MiningPoolPort=1, 70,
    true(), 50
  )
| where RiskScore >= 70
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DestinationIp, DestinationPort, EventType,
        MinerProcess, MinerCommandLine, MiningPoolPort, SpawnedByScript, RiskScore
| sort - RiskScore _time

Detects cryptocurrency mining and resource hijacking using Sysmon Event ID 1 (Process Create), Security Event ID 4688, and Sysmon Event ID 3 (Network Connection). Evaluates process image names, command-line stratum protocol arguments, and outbound connections to known mining pool ports. Calculates a RiskScore to prioritize events — highest risk for miners spawned by script interpreters or LOLBins (95), lowest for bare port-based network detections (70). Filters common browser processes to reduce noise on mining pool ports.

high severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Command: Command Execution Sysmon Event IDs 1 and 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate cryptocurrency wallet software or personal mining on developer endpoints
Security researchers or red team operators running miner tools in authorized lab environments
Network performance testing tools using ports that overlap with known mining pool ranges
Proxy or VPN clients that connect on ports coincidentally matching mining pool ranges
Penetration testing toolkits with stratum protocol simulation components

Elastic Security (EQL)

eql

any where
(
  (
    event.category == "process" and event.type == "start" and
    (
      process.name in~ ("xmrig","xmrig.exe","minerd","minerd.exe","cpuminer","cpuminer.exe","ethminer","ethminer.exe","nheqminer","nheqminer.exe","t-rex","t-rex.exe","nbminer","nbminer.exe","phoenixminer","lolminer","gminer","gminer.exe","bfgminer","cgminer","cgminer.exe","xmr-stak","xmr-stak.exe","poolminer","kawpowminer","teamredminer") or
      process.command_line like~ ("*stratum+tcp*","*stratum+ssl*","*stratum2+tcp*","*--donate-level*","*--coin xmr*","*--coin monero*","*-o pool.*","*--url=*","*-u wallet.*","*--wallet*","*mining.subscribe*","*mining.authorize*")
    )
  ) or
  (
    event.category == "network" and event.type in ("connection","start") and
    destination.port in (3333,4444,5555,7777,9999,14444,45700,3256,14433,20536) and
    not cidrmatch(destination.ip,"10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","127.0.0.0/8") and
    not process.name in~ ("chrome.exe","msedge.exe","firefox.exe","iexplore.exe","outlook.exe","teams.exe")
  )
)

Detects T1496 Resource Hijacking across process and network event categories using ECS fields. Branch 1 matches known cryptominer executable names via process.name. Branch 2 matches stratum protocol URIs, pool connection flags, and coin specifiers via process.command_line wildcard patterns. Branch 3 identifies outbound connections to mining pool ports excluding RFC1918 and browser processes. Requires Elastic Endpoint Security or Winlogbeat+Sysmon for process telemetry and Elastic Endpoint or network integration for connection events.

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent endpoint integration Winlogbeat with Sysmon Auditbeat (Linux)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* winlogbeat-* auditbeat-*

False Positives

Authorized cryptocurrency mining rigs operating in a managed mining farm where xmrig or nbminer is sanctioned business software
Blockchain developers testing stratum protocol implementations or running local testnet mining nodes during Web3 application development
Security research sandboxes intentionally executing miner samples for detection engineering validation or incident response training

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime,'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Host IP",
  username AS "User",
  "Process Name" AS "Process",
  "Command" AS "Command Line",
  "Parent Process Name" AS "Parent Process",
  destinationip AS "Destination IP",
  destinationport AS "Destination Port",
  QIDNAME(qid) AS "Event Name",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  CASE
    WHEN LOWER("Process Name") ILIKE ANY ('%xmrig%','%minerd%','%cpuminer%','%ethminer%','%nheqminer%','%nbminer%','%phoenixminer%','%lolminer%','%gminer%','%bfgminer%','%cgminer%','%xmr-stak%','%poolminer%','%t-rex%','%kawpowminer%','%teamredminer%')
      AND LOWER("Parent Process Name") ILIKE ANY ('%powershell%','%cmd.exe%','%wscript%','%cscript%','%mshta%','%bash%') THEN 95
    WHEN LOWER("Process Name") ILIKE ANY ('%xmrig%','%minerd%','%cpuminer%','%ethminer%','%nbminer%','%lolminer%','%gminer%','%cgminer%','%xmr-stak%','%poolminer%')
      AND LOWER("Command") ILIKE ANY ('%stratum%','%--wallet%','%mining.subscribe%','%mining.authorize%') THEN 90
    WHEN LOWER("Process Name") ILIKE ANY ('%xmrig%','%minerd%','%cpuminer%','%ethminer%','%nheqminer%','%nbminer%','%phoenixminer%','%lolminer%','%gminer%','%bfgminer%','%cgminer%','%xmr-stak%','%poolminer%','%t-rex%','%kawpowminer%','%teamredminer%') THEN 80
    WHEN LOWER("Command") ILIKE ANY ('%stratum+tcp%','%stratum+ssl%','%--donate-level%','%--coin xmr%','%--coin monero%','%-o pool.%','%--wallet%','%mining.subscribe%') THEN 75
    WHEN destinationport IN (3333,4444,5555,7777,9999,14444,45700,3256,14433,20536)
      AND NOT INCIDR(destinationip,'10.0.0.0/8')
      AND NOT INCIDR(destinationip,'172.16.0.0/12')
      AND NOT INCIDR(destinationip,'192.168.0.0/16')
      AND NOT INCIDR(destinationip,'127.0.0.0/8') THEN 70
    ELSE 50
  END AS "Risk Score"
FROM events
WHERE
  LOWER("Process Name") ILIKE ANY ('%xmrig%','%minerd%','%cpuminer%','%ethminer%','%nheqminer%','%t-rex%','%nbminer%','%phoenixminer%','%lolminer%','%gminer%','%bfgminer%','%cgminer%','%xmr-stak%','%poolminer%','%kawpowminer%','%teamredminer%')
  OR LOWER("Command") ILIKE ANY ('%stratum+tcp%','%stratum+ssl%','%stratum2+tcp%','%--donate-level%','%--coin xmr%','%--coin monero%','%-o pool.%','%--url=%pool%','%-u wallet.%','%--wallet%','%mining.subscribe%','%mining.authorize%')
  OR (
    destinationport IN (3333,4444,5555,7777,9999,14444,45700,3256,14433,20536)
    AND NOT INCIDR(destinationip,'10.0.0.0/8')
    AND NOT INCIDR(destinationip,'172.16.0.0/12')
    AND NOT INCIDR(destinationip,'192.168.0.0/16')
    AND NOT INCIDR(destinationip,'127.0.0.0/8')
    AND NOT LOWER("Process Name") ILIKE ANY ('%chrome.exe%','%msedge.exe%','%firefox.exe%','%iexplore.exe%','%outlook.exe%','%teams.exe%')
  )
LAST 1440 MINUTES
ORDER BY "Risk Score" DESC, starttime DESC

Detects T1496 Resource Hijacking in QRadar AQL against normalized Windows and Linux event properties. Matches known miner process names in the DSM-normalized Process Name property, mining command-line patterns in the Command property, and outbound connections to mining pool ports via destinationport with CIDR exclusions for RFC1918 space. Risk scoring escalates from LOLBin-spawned miners (95) to standalone network port matches (70). Requires Windows Security, Sysmon, and Linux OS DSMs configured to normalize Process Name, Command, and Parent Process Name custom event properties.

high severity high confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log DSM Microsoft Sysmon DSM Linux OS DSM QRadar Network Insights (for flow-based port detection)

Required Tables

events

False Positives

Authorized mining infrastructure on known hosts — add those hostnames to a QRadar reference set and prepend NOT sourceip INREFERENCESET(ref_set_name) to the WHERE clause
Penetration testing engagements simulating miner deployment to validate detection coverage — coordinate pre-approved test windows and filter by tester source IP
Portfolio or crypto trading applications that maintain persistent connections to exchange APIs on ports overlapping with mining pool ports such as 9999 or 4444

Sumo Logic CSE

sql

_index=sec_record_*
| where metadata_deviceEventId in ("1","4688","3")
| where (
    (metadata_deviceEventId in ("1","4688") and (
      matches(baseImage,"(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\\.exe)?")
      or matches(commandLine,"(?i)(stratum\\+(tcp|ssl)|stratum2\\+tcp|--donate-level|--coin[ =](xmr|monero)|-o pool\\.|--url=|--wallet|mining\\.(subscribe|authorize))")
    ))
    or (metadata_deviceEventId = "3"
      and dstPort in ("3333","4444","5555","7777","9999","14444","45700","3256","14433","20536")
      and not matches(dstIp,"^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.)")
      and not matches(baseImage,"(?i)(chrome\\.exe|msedge\\.exe|firefox\\.exe|iexplore\\.exe|outlook\\.exe|teams\\.exe)")
    )
  )
| eval RiskScore = if(
    matches(parentBaseImage,"(?i)(powershell|cmd\\.exe|wscript|cscript|mshta|bash|sh)")
    and matches(baseImage,"(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|nbminer|lolminer|gminer|cgminer|xmr-stak|poolminer)"),
    95,
    if(matches(baseImage,"(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|nbminer|lolminer|gminer|cgminer|xmr-stak|poolminer)")
       and matches(commandLine,"(?i)(stratum|wallet|mining)"),
       90,
       if(matches(baseImage,"(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|nbminer|lolminer|gminer|cgminer|xmr-stak|poolminer)"),80,70)
    )
  )
| where RiskScore >= 70
| fields device_hostname, user_username, baseImage, commandLine, parentBaseImage, dstIp, dstPort, RiskScore, metadata_deviceEventId
| sort by RiskScore desc

Detects T1496 Resource Hijacking against the Sumo Logic Cloud SIEM Enterprise normalized record index (sec_record_*). Queries Sysmon EID 1 / Windows EID 4688 process creation records for known miner executable names and stratum protocol command-line patterns via the CSE normalized baseImage and commandLine fields. Queries Sysmon EID 3 network connection records for outbound mining pool port connections via dstPort with RFC1918 CIDR and browser exclusions. Risk scores LOLBin-spawned miners at 95, miners with stratum args at 90, standalone miner names at 80, and port-only matches at 70. Requires Sumo Logic CSE with Windows and Sysmon event sources configured.

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Windows Event Log via Sumo Logic Installed Collector Sysmon via Sumo Logic Installed Collector Linux Syslog via Sumo Logic collector

Required Tables

sec_record_*

False Positives

Mining software legitimately deployed on organization-owned mining hardware — create a CSE suppression rule targeting device_hostname values for approved mining hosts
Cryptocurrency daemon software such as monerod or bitcoind running on authorized endpoints that trigger on port or command-line keyword matches
Red team or purple team exercises executing miner binaries in sandboxed environments as part of detection validation — coordinate suppression windows with the security team

Google Chronicle / SecOps

yaral

rule t1496_cryptominer_process_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects known cryptominer process names and mining command-line patterns. T1496 Resource Hijacking."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path,
        `(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\.exe)?$`) or
      re.regex($e.target.process.command_line,
        `(?i)(stratum\+(tcp|ssl)|stratum2\+tcp|--donate-level|--coin[ =](xmr|monero)|-o pool\.|--url=.*pool|--wallet|mining\.(subscribe|authorize))`)
    )

  condition:
    $e
}

rule t1496_cryptominer_lolbin_spawn {
  meta:
    author = "Detection Engineering"
    description = "Detects cryptominer process spawned by scripting LOLBins, indicating script-based dropper activity. T1496 + T1059."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496"
    severity = "CRITICAL"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.principal.process.file.full_path,
      `(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|bash|sh)$`)
    (
      re.regex($e.target.process.file.full_path,
        `(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\.exe)?$`) or
      re.regex($e.target.process.command_line,
        `(?i)(stratum\+(tcp|ssl)|--donate-level|--coin[ =](xmr|monero)|-o pool\.|--wallet|mining\.(subscribe|authorize))`)
    )

  condition:
    $e
}

rule t1496_cryptominer_mining_pool_network {
  meta:
    author = "Detection Engineering"
    description = "Detects outbound connections to known cryptocurrency mining pool ports, excluding browsers. T1496 Resource Hijacking."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496"
    severity = "HIGH"
    confidence = "MEDIUM"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.target.port in (3333, 4444, 5555, 7777, 9999, 14444, 45700, 3256, 14433, 20536)
    not net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
    not re.regex($net.principal.process.file.full_path,
      `(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|outlook\.exe|teams\.exe)$`)

  condition:
    $net
}

Three Chronicle YARA-L 2.0 rules covering T1496 Resource Hijacking. Rule 1 (HIGH) matches PROCESS_LAUNCH events for known miner executable names and stratum command-line patterns using UDM target.process fields. Rule 2 (CRITICAL) detects miners spawned by LOLBins using UDM principal.process for the parent and target.process for the child — the highest-fidelity signal. Rule 3 (MEDIUM confidence) detects NETWORK_CONNECTION events to mining pool ports with CIDR exclusions for RFC1918 and browser process filtering via principal.process. Deploy all three rules for full behavioral coverage across the kill chain.

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle UDM (Unified Data Model) Windows Event Forwarding with Sysmon via Chronicle forwarder CrowdStrike Falcon Chronicle feed Carbon Black Cloud Chronicle feed

Required Tables

UDM Events (PROCESS_LAUNCH, NETWORK_CONNECTION)

False Positives

Authorized mining workloads in GCP or on-premises with valid business justification — add host principal values to a Chronicle reference list and filter with $e.principal.hostname in %approved_mining_hosts
Cryptocurrency development toolchains using stratum protocol for local mining simulations during blockchain application development or testnet validation
VPN or tunneling applications that use ports 3333 or 4444 for their control channel, triggering the network rule without process context to disambiguate — validate with principal.process and target.ip enrichment

CrowdStrike LogScale (CQL)

cql

#event_simpleName in [ProcessRollup2, SyntheticProcessRollup2, NetworkConnectIP4]
| MinerProcess := FileName = /(?i)\b(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\.exe)?\b/
| MinerCmdLine := CommandLine = /(?i)(stratum\+(tcp|ssl)|stratum2\+tcp|--donate-level|--coin[ =](xmr|monero)|-o\s+pool\.|--url=.*pool|--wallet|mining\.(subscribe|authorize))/
| MiningPoolPort := RemotePort in [3333, 4444, 5555, 7777, 9999, 14444, 45700, 3256, 14433, 20536]
| SpawnedByLOLBin := MinerProcess = true AND ParentBaseFileName = /(?i)\b(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|bash|sh)\b/
| filter(MinerProcess = true OR MinerCmdLine = true OR MiningPoolPort = true)
| case {
    SpawnedByLOLBin = true | RiskScore := 95;
    MinerProcess = true AND MinerCmdLine = true | RiskScore := 90;
    MinerProcess = true | RiskScore := 80;
    MinerCmdLine = true | RiskScore := 75;
    MiningPoolPort = true | RiskScore := 70;
    * | RiskScore := 50;
  }
| select([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, RemoteAddress, RemotePort, MinerProcess, MinerCmdLine, MiningPoolPort, SpawnedByLOLBin, RiskScore, @timestamp])
| sort(RiskScore, order=desc)

Detects T1496 Resource Hijacking using CrowdStrike Falcon LogScale CQL against Falcon Insight EDR telemetry. Queries ProcessRollup2 and SyntheticProcessRollup2 events for known miner executable names via FileName regex and stratum protocol command-line patterns via CommandLine regex. Queries NetworkConnectIP4 events for outbound connections to mining pool ports via RemotePort set membership. Computes a risk score in a case block: LOLBin-spawned miners score 95, miners with stratum args score 90, standalone miner process names score 80, command-line patterns only score 75, and mining pool port connections score 70. Requires Falcon Insight with process and network telemetry collection enabled.

high severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR CrowdStrike Falcon LogScale (Next-Gen SIEM) Falcon sensor with network telemetry enabled

Required Tables

ProcessRollup2 SyntheticProcessRollup2 NetworkConnectIP4

False Positives

Authorized mining hosts with Falcon sensor deployed — add a filter clause such as ComputerName != /approved-miner-host-pattern/ or use a Falcon exclusion policy scoped to those machine groups
Legitimate use of ports 3333 or 4444 by internal security tools, protocol analyzers, or services that share mining pool port ranges — correlate RemoteAddress against threat intel before escalating NetworkConnectIP4 matches
Open-source cryptocurrency wallet software such as Electrum or Exodus that connects to ElectrumX or blockchain nodes on ports overlapping with the mining pool port list

Sigma rule & cross-platform mapping

The detection logic for Resource Hijacking (T1496) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1496 Sigma rules on detection.fyi

Platform-specific guides for T1496

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-14 Research depth: deep

References (6)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1XMRig Miner Execution with Stratum Protocol Arguments
Expected signal: Sysmon Event ID 1 (or Security Event ID 4688): Process Create for cmd.exe with CommandLine containing 'stratum+tcp', 'pool.minexmr.com', '--donate-level', and '--coin xmr'. The echo command generates no network connection but the command-line telemetry fully triggers the detection.
Test 2Linux Miner Binary Dropped to /tmp and Executed
Expected signal: Auditd or Sysmon for Linux: file creation event for /tmp/xmrig (execve or open syscall), process execution event showing Image=/tmp/xmrig. Linux audit log: SYSCALL records for execve with /tmp/xmrig. EDR: DeviceFileEvents for /tmp/xmrig creation, DeviceProcessEvents for /tmp/xmrig execution.
Test 3Outbound Connection to Mining Pool Port
Expected signal: Sysmon Event ID 3: Network Connection with DestinationPort=3333, Image=powershell.exe, DestinationIp=127.0.0.1. The connection fails but the attempt is logged. In production, the query filters 127.0.0.1 — modify DestinationIp to an external test IP if available in your lab.
Test 4Miner Persistence via Scheduled Task
Expected signal: Security Event ID 4698: A scheduled task was created, with TaskContent XML showing the action command line including 'stratum+tcp'. Sysmon Event ID 1 on next logon: cmd.exe executing with the stratum-like command line. Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks entry created.
Test 5Cloud Credential Abuse Simulation (AWS CLI Reconnaissance)
Expected signal: AWS CloudTrail: DescribeInstances and DescribeInstanceTypes API calls logged with the caller's IAM identity, source IP, and timestamp. These reconnaissance calls immediately precede RunInstances in real cryptojacking campaigns. Process telemetry: Sysmon Event ID 1 for aws.exe with describe-instances arguments.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1496 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Resource Hijacking

What is T1496 Resource Hijacking?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1496

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (4)

Related Techniques

Same Tactic: Impact

Popular Detections

What is T1496 Resource Hijacking?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1496

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (4)

Related Techniques

Same Tactic: Impact

Popular Detections

Get new detections in your inbox