T1496

Resource Hijacking

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking includes cryptocurrency mining (cryptojacking), selling network bandwidth to proxy networks (proxyjacking), generating SMS traffic for profit, and abusing cloud-based messaging or compute services. Adversaries often deploy miners via initial access (phishing, exploitation), lateral movement, or compromised cloud credentials, and may use rootkits or process hollowing to hide mining activity.

Microsoft Sentinel / Defender

kusto

let KnownMinerProcessNames = dynamic([
  "xmrig", "xmrig.exe", "minerd", "minerd.exe", "cpuminer", "cpuminer.exe",
  "ethminer", "ethminer.exe", "nheqminer", "nheqminer.exe", "t-rex", "t-rex.exe",
  "nbminer", "nbminer.exe", "phoenixminer", "lolminer", "gminer", "gminer.exe",
  "bfgminer", "cgminer", "cgminer.exe", "claymore", "excavator", "teamredminer",
  "kawpowminer", "poolminer", "stratum", "xmr-stak", "xmr-stak.exe"
]);
let MiningPoolPorts = dynamic([3333, 4444, 5555, 7777, 9999, 14444, 45700, 3256, 8008, 1080, 9200, 14433, 20536]);
let MiningPoolDomains = dynamic([
  "pool.minexmr.com", "xmrpool.eu", "pool.supportxmr.com", "monerohash.com",
  "nanopool.org", "f2pool.com", "ethermine.org", "2miners.com", "hiveon.net",
  "nicehash.com", "prohashing.com", "antpool.com", "btc.com", "viabtc.com",
  "zpool.ca", "coinhive.com", "jsecoin.com", "crypto-loot.com"
]);
let MinerCommandPatterns = dynamic([
  "stratum+tcp", "stratum+ssl", "stratum2+tcp",
  "-o pool.", "--url=", "-u wallet.", "--wallet",
  "--donate-level", "--coin xmr", "--coin monero",
  "mining.subscribe", "mining.authorize"
]);
// Branch 1: Known miner process names
let MinerProcessEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (KnownMinerProcessNames)
   or ProcessCommandLine has_any (MinerCommandPatterns)
| extend DetectionSource = "MinerProcess"
| extend RiskScore = 90
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionSource, RiskScore;
// Branch 2: Network connections to mining pool ports/domains
let MinerNetworkEvents = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (MiningPoolPorts)
   or RemoteUrl has_any (MiningPoolDomains)
   or RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "outlook.exe", "teams.exe")
| extend DetectionSource = "MinerNetworkConn"
| extend RiskScore = 70
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionSource, RiskScore;
// Branch 3: Suspicious process spawning miner-related child processes
let MinerChildProcess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "bash", "sh")
| where FileName has_any (KnownMinerProcessNames)
   or ProcessCommandLine has_any (MinerCommandPatterns)
| extend DetectionSource = "MinerSpawnedByLOLBin"
| extend RiskScore = 95
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionSource, RiskScore;
// Union all branches
union MinerProcessEvents, MinerNetworkEvents, MinerChildProcess
| summarize RiskScore=max(RiskScore), DetectionSources=make_set(DetectionSource),
            CommandLines=make_set(ProcessCommandLine)
  by Timestamp, DeviceName, AccountName, FileName, InitiatingProcessFileName
| sort by RiskScore desc, Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate cryptocurrency wallet software or personal mining on developer endpoints (rare in corporate environments)
Security researchers or red team operators running miner tools in authorized lab environments
Network performance testing tools connecting to high-numbered ports that overlap with mining pool ranges
Proxy or VPN client software using ports that coincidentally overlap with known mining pool ports
Penetration testing scripts containing stratum protocol strings for mining simulation exercises

Splunk

spl

index=* (
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
  OR sourcetype="WinEventLog:Security"
  OR sourcetype="syslog"
)
(
  (
    (EventCode=1 OR EventCode=4688)
    (
      Image IN ("*xmrig*", "*minerd*", "*cpuminer*", "*ethminer*", "*nheqminer*",
                "*t-rex*", "*nbminer*", "*phoenixminer*", "*lolminer*", "*gminer*",
                "*bfgminer*", "*cgminer*", "*xmr-stak*", "*poolminer*")
      OR Process_Name IN ("*xmrig*", "*minerd*", "*cpuminer*", "*ethminer*")
      OR CommandLine IN ("*stratum+tcp*", "*stratum+ssl*", "*stratum2+tcp*",
                         "*mining.subscribe*", "*mining.authorize*",
                         "*--donate-level*", "*--coin xmr*", "*--coin monero*")
      OR CommandLine IN ("*-o pool.*", "*--url=*pool*", "*-u wallet.*", "*--wallet*")
    )
  )
  OR
  (
    EventCode=3
    (DestinationPort IN ("3333", "4444", "5555", "7777", "9999", "14444", "45700", "3256", "14433", "20536"))
    NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
    NOT (Image IN ("*chrome.exe", "*msedge.exe", "*firefox.exe", "*iexplore.exe", "*outlook.exe", "*teams.exe"))
  )
)
| eval EventType=case(
    EventCode=1 OR EventCode=4688, "ProcessCreate",
    EventCode=3, "NetworkConnect",
    true(), "Unknown"
  )
| eval MinerProcess=if(
    match(lower(Image), "(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer)"),
    1, 0
  )
| eval MinerCommandLine=if(
    match(lower(CommandLine), "(stratum\+tcp|stratum\+ssl|mining\.subscribe|mining\.authorize|donate-level|--coin xmr|--coin monero|-o pool\.|--wallet)"),
    1, 0
  )
| eval MiningPoolPort=if(EventCode=3 AND DestinationPort IN ("3333","4444","5555","7777","9999","14444","45700","14433","20536"), 1, 0)
| eval SpawnedByScript=if(
    match(lower(ParentImage), "(powershell|cmd\.exe|wscript|cscript|mshta|bash|sh)") AND MinerProcess=1,
    1, 0
  )
| eval RiskScore=case(
    SpawnedByScript=1, 95,
    MinerProcess=1 AND MinerCommandLine=1, 90,
    MinerProcess=1, 80,
    MinerCommandLine=1, 75,
    MiningPoolPort=1, 70,
    true(), 50
  )
| where RiskScore >= 70
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DestinationIp, DestinationPort, EventType,
        MinerProcess, MinerCommandLine, MiningPoolPort, SpawnedByScript, RiskScore
| sort - RiskScore _time

high severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Command: Command Execution Sysmon Event IDs 1 and 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate cryptocurrency wallet software or personal mining on developer endpoints
Security researchers or red team operators running miner tools in authorized lab environments
Network performance testing tools using ports that overlap with known mining pool ranges
Proxy or VPN clients that connect on ports coincidentally matching mining pool ranges
Penetration testing toolkits with stratum protocol simulation components

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime,'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Host IP",
  username AS "User",
  "Process Name" AS "Process",
  "Command" AS "Command Line",
  "Parent Process Name" AS "Parent Process",
  destinationip AS "Destination IP",
  destinationport AS "Destination Port",
  QIDNAME(qid) AS "Event Name",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  CASE
    WHEN LOWER("Process Name") ILIKE ANY ('%xmrig%','%minerd%','%cpuminer%','%ethminer%','%nheqminer%','%nbminer%','%phoenixminer%','%lolminer%','%gminer%','%bfgminer%','%cgminer%','%xmr-stak%','%poolminer%','%t-rex%','%kawpowminer%','%teamredminer%')
      AND LOWER("Parent Process Name") ILIKE ANY ('%powershell%','%cmd.exe%','%wscript%','%cscript%','%mshta%','%bash%') THEN 95
    WHEN LOWER("Process Name") ILIKE ANY ('%xmrig%','%minerd%','%cpuminer%','%ethminer%','%nbminer%','%lolminer%','%gminer%','%cgminer%','%xmr-stak%','%poolminer%')
      AND LOWER("Command") ILIKE ANY ('%stratum%','%--wallet%','%mining.subscribe%','%mining.authorize%') THEN 90
    WHEN LOWER("Process Name") ILIKE ANY ('%xmrig%','%minerd%','%cpuminer%','%ethminer%','%nheqminer%','%nbminer%','%phoenixminer%','%lolminer%','%gminer%','%bfgminer%','%cgminer%','%xmr-stak%','%poolminer%','%t-rex%','%kawpowminer%','%teamredminer%') THEN 80
    WHEN LOWER("Command") ILIKE ANY ('%stratum+tcp%','%stratum+ssl%','%--donate-level%','%--coin xmr%','%--coin monero%','%-o pool.%','%--wallet%','%mining.subscribe%') THEN 75
    WHEN destinationport IN (3333,4444,5555,7777,9999,14444,45700,3256,14433,20536)
      AND NOT INCIDR(destinationip,'10.0.0.0/8')
      AND NOT INCIDR(destinationip,'172.16.0.0/12')
      AND NOT INCIDR(destinationip,'192.168.0.0/16')
      AND NOT INCIDR(destinationip,'127.0.0.0/8') THEN 70
    ELSE 50
  END AS "Risk Score"
FROM events
WHERE
  LOWER("Process Name") ILIKE ANY ('%xmrig%','%minerd%','%cpuminer%','%ethminer%','%nheqminer%','%t-rex%','%nbminer%','%phoenixminer%','%lolminer%','%gminer%','%bfgminer%','%cgminer%','%xmr-stak%','%poolminer%','%kawpowminer%','%teamredminer%')
  OR LOWER("Command") ILIKE ANY ('%stratum+tcp%','%stratum+ssl%','%stratum2+tcp%','%--donate-level%','%--coin xmr%','%--coin monero%','%-o pool.%','%--url=%pool%','%-u wallet.%','%--wallet%','%mining.subscribe%','%mining.authorize%')
  OR (
    destinationport IN (3333,4444,5555,7777,9999,14444,45700,3256,14433,20536)
    AND NOT INCIDR(destinationip,'10.0.0.0/8')
    AND NOT INCIDR(destinationip,'172.16.0.0/12')
    AND NOT INCIDR(destinationip,'192.168.0.0/16')
    AND NOT INCIDR(destinationip,'127.0.0.0/8')
    AND NOT LOWER("Process Name") ILIKE ANY ('%chrome.exe%','%msedge.exe%','%firefox.exe%','%iexplore.exe%','%outlook.exe%','%teams.exe%')
  )
LAST 1440 MINUTES
ORDER BY "Risk Score" DESC, starttime DESC

high severity high confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log DSM Microsoft Sysmon DSM Linux OS DSM QRadar Network Insights (for flow-based port detection)

Required Tables

events

False Positives

Authorized mining infrastructure on known hosts — add those hostnames to a QRadar reference set and prepend NOT sourceip INREFERENCESET(ref_set_name) to the WHERE clause
Penetration testing engagements simulating miner deployment to validate detection coverage — coordinate pre-approved test windows and filter by tester source IP
Portfolio or crypto trading applications that maintain persistent connections to exchange APIs on ports overlapping with mining pool ports such as 9999 or 4444

Sumo Logic CSE

sql

_index=sec_record_*
| where metadata_deviceEventId in ("1","4688","3")
| where (
    (metadata_deviceEventId in ("1","4688") and (
      matches(baseImage,"(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\\.exe)?")
      or matches(commandLine,"(?i)(stratum\\+(tcp|ssl)|stratum2\\+tcp|--donate-level|--coin[ =](xmr|monero)|-o pool\\.|--url=|--wallet|mining\\.(subscribe|authorize))")
    ))
    or (metadata_deviceEventId = "3"
      and dstPort in ("3333","4444","5555","7777","9999","14444","45700","3256","14433","20536")
      and not matches(dstIp,"^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.)")
      and not matches(baseImage,"(?i)(chrome\\.exe|msedge\\.exe|firefox\\.exe|iexplore\\.exe|outlook\\.exe|teams\\.exe)")
    )
  )
| eval RiskScore = if(
    matches(parentBaseImage,"(?i)(powershell|cmd\\.exe|wscript|cscript|mshta|bash|sh)")
    and matches(baseImage,"(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|nbminer|lolminer|gminer|cgminer|xmr-stak|poolminer)"),
    95,
    if(matches(baseImage,"(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|nbminer|lolminer|gminer|cgminer|xmr-stak|poolminer)")
       and matches(commandLine,"(?i)(stratum|wallet|mining)"),
       90,
       if(matches(baseImage,"(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|nbminer|lolminer|gminer|cgminer|xmr-stak|poolminer)"),80,70)
    )
  )
| where RiskScore >= 70
| fields device_hostname, user_username, baseImage, commandLine, parentBaseImage, dstIp, dstPort, RiskScore, metadata_deviceEventId
| sort by RiskScore desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Windows Event Log via Sumo Logic Installed Collector Sysmon via Sumo Logic Installed Collector Linux Syslog via Sumo Logic collector

Required Tables

sec_record_*

False Positives

Mining software legitimately deployed on organization-owned mining hardware — create a CSE suppression rule targeting device_hostname values for approved mining hosts
Cryptocurrency daemon software such as monerod or bitcoind running on authorized endpoints that trigger on port or command-line keyword matches
Red team or purple team exercises executing miner binaries in sandboxed environments as part of detection validation — coordinate suppression windows with the security team

Google Chronicle / SecOps

yaral

rule t1496_cryptominer_process_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects known cryptominer process names and mining command-line patterns. T1496 Resource Hijacking."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path,
        `(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\.exe)?$`) or
      re.regex($e.target.process.command_line,
        `(?i)(stratum\+(tcp|ssl)|stratum2\+tcp|--donate-level|--coin[ =](xmr|monero)|-o pool\.|--url=.*pool|--wallet|mining\.(subscribe|authorize))`)
    )

  condition:
    $e
}

rule t1496_cryptominer_lolbin_spawn {
  meta:
    author = "Detection Engineering"
    description = "Detects cryptominer process spawned by scripting LOLBins, indicating script-based dropper activity. T1496 + T1059."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496"
    severity = "CRITICAL"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.principal.process.file.full_path,
      `(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|bash|sh)$`)
    (
      re.regex($e.target.process.file.full_path,
        `(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\.exe)?$`) or
      re.regex($e.target.process.command_line,
        `(?i)(stratum\+(tcp|ssl)|--donate-level|--coin[ =](xmr|monero)|-o pool\.|--wallet|mining\.(subscribe|authorize))`)
    )

  condition:
    $e
}

rule t1496_cryptominer_mining_pool_network {
  meta:
    author = "Detection Engineering"
    description = "Detects outbound connections to known cryptocurrency mining pool ports, excluding browsers. T1496 Resource Hijacking."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496"
    severity = "HIGH"
    confidence = "MEDIUM"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.target.port in (3333, 4444, 5555, 7777, 9999, 14444, 45700, 3256, 14433, 20536)
    not net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
    not re.regex($net.principal.process.file.full_path,
      `(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|outlook\.exe|teams\.exe)$`)

  condition:
    $net
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle UDM (Unified Data Model) Windows Event Forwarding with Sysmon via Chronicle forwarder CrowdStrike Falcon Chronicle feed Carbon Black Cloud Chronicle feed

Required Tables

UDM Events (PROCESS_LAUNCH, NETWORK_CONNECTION)

False Positives

Authorized mining workloads in GCP or on-premises with valid business justification — add host principal values to a Chronicle reference list and filter with $e.principal.hostname in %approved_mining_hosts
Cryptocurrency development toolchains using stratum protocol for local mining simulations during blockchain application development or testnet validation
VPN or tunneling applications that use ports 3333 or 4444 for their control channel, triggering the network rule without process context to disambiguate — validate with principal.process and target.ip enrichment

CrowdStrike LogScale (CQL)

cql

#event_simpleName in [ProcessRollup2, SyntheticProcessRollup2, NetworkConnectIP4]
| MinerProcess := FileName = /(?i)\b(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\.exe)?\b/
| MinerCmdLine := CommandLine = /(?i)(stratum\+(tcp|ssl)|stratum2\+tcp|--donate-level|--coin[ =](xmr|monero)|-o\s+pool\.|--url=.*pool|--wallet|mining\.(subscribe|authorize))/
| MiningPoolPort := RemotePort in [3333, 4444, 5555, 7777, 9999, 14444, 45700, 3256, 14433, 20536]
| SpawnedByLOLBin := MinerProcess = true AND ParentBaseFileName = /(?i)\b(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|bash|sh)\b/
| filter(MinerProcess = true OR MinerCmdLine = true OR MiningPoolPort = true)
| case {
    SpawnedByLOLBin = true | RiskScore := 95;
    MinerProcess = true AND MinerCmdLine = true | RiskScore := 90;
    MinerProcess = true | RiskScore := 80;
    MinerCmdLine = true | RiskScore := 75;
    MiningPoolPort = true | RiskScore := 70;
    * | RiskScore := 50;
  }
| select([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, RemoteAddress, RemotePort, MinerProcess, MinerCmdLine, MiningPoolPort, SpawnedByLOLBin, RiskScore, @timestamp])
| sort(RiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR CrowdStrike Falcon LogScale (Next-Gen SIEM) Falcon sensor with network telemetry enabled

Required Tables

ProcessRollup2 SyntheticProcessRollup2 NetworkConnectIP4

False Positives

Authorized mining hosts with Falcon sensor deployed — add a filter clause such as ComputerName != /approved-miner-host-pattern/ or use a Falcon exclusion policy scoped to those machine groups
Legitimate use of ports 3333 or 4444 by internal security tools, protocol analyzers, or services that share mining pool port ranges — correlate RemoteAddress against threat intel before escalating NetworkConnectIP4 matches
Open-source cryptocurrency wallet software such as Electrum or Exodus that connects to ElectrumX or blockchain nodes on ports overlapping with the mining pool port list

Last updated: 2026-04-14 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1496 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Resource Hijacking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Same Tactic: Impact

Popular Detections