T1496.001

Compute Hijacking

Adversaries may leverage the compute resources of co-opted systems to mine cryptocurrency or perform other resource-intensive tasks, degrading system performance and hosted service availability. The most prevalent form is unauthorized cryptocurrency mining (cryptojacking), typically targeting Monero (XMR) via XMRig or derivative tools due to CPU-friendliness and transaction privacy. Threat actors including TeamTNT, Blue Mockingbird, Rocke, APT41, Kinsing, and Hildegard have deployed miners as follow-on payloads targeting Windows endpoints, Linux servers, and containerized environments. Miners connect to mining pools over stratum protocol (commonly ports 3333, 4444, 14444) and are often deployed alongside rootkits, cron-based persistence, and competing miner kill scripts.

Microsoft Sentinel / Defender

kusto

let MinerProcessNames = dynamic([
  "xmrig", "xmrig.exe", "xmrig-notls", "xmrig-cuda", "xmrig-amd",
  "minerd", "cpuminer", "cpuminer-opt",
  "ethminer", "nbminer", "t-rex", "phoenixminer",
  "nanominer", "xmr-stak", "xmrstak", "rhminer",
  "kdevtmpfsi", "kinsing", "sysupdate", "networkservice", "sysguard",
  "pastebin", "bioset", "kerberods"
]);
let MinerCmdPatterns = dynamic([
  "stratum+tcp://", "stratum+ssl://", "stratum2+tcp://",
  "--donate-level", "--mining-threads", "--coin monero", "--coin xmr",
  "pool.minexmr", "pool.hashvault", "xmrpool.eu", "monerohash.com",
  "supportxmr.com", "nanopool.org", "2miners.com", "f2pool.com",
  "--nicehash", "-o stratum", "pool.xmr", "mine.xmr",
  "cryptonight", "randomx", "--threads", "--max-cpu-usage"
]);
let MiningPorts = dynamic([3333, 4444, 5555, 7777, 14444, 45700, 3032, 8008, 9999, 14433, 45560]);
// Branch 1: Known miner process names or mining-specific command line arguments
let ProcessBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (MinerProcessNames)
      or ProcessCommandLine has_any (MinerCmdPatterns)
| extend DetectionBranch = "ProcessExecution"
| extend MinerBinaryMatch = FileName has_any (MinerProcessNames)
| extend MiningArgMatch = ProcessCommandLine has_any (MinerCmdPatterns)
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "bash", "sh", "cron", "curl", "wget", "python", "python3")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          SHA256, FolderPath, DetectionBranch, MinerBinaryMatch, MiningArgMatch, SuspiciousParent;
// Branch 2: Outbound connections to mining pool ports from any process
let NetworkBranch = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (MiningPorts)
| where RemoteIPType == "Public"
| extend DetectionBranch = "MiningPoolConnection"
| extend MinerProcessMatch = InitiatingProcessFileName has_any (MinerProcessNames)
| extend MiningArgMatch = InitiatingProcessCommandLine has_any (MinerCmdPatterns)
| project Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionBranch, RemoteIP, RemotePort, RemoteUrl,
          MinerProcessMatch, MiningArgMatch, SuspiciousParent = false;
// Combine and sort
union ProcessBranch, NetworkBranch
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Authorized cryptocurrency mining operations or research environments where staff legitimately run miners
Security researchers testing miner detection capabilities using XMRig or similar tools in sandboxed environments
Port 3333 used by legitimate development tools or custom applications (e.g., some IoT platforms, local proxy servers)
Penetration testers running authorized mining simulations as part of red team engagements with documented change tickets
Academic HPC (High Performance Computing) workloads that use similar CPU-maximizing flags but for legitimate compute tasks

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval is_proc_create=if(EventCode=1, 1, 0)
| eval is_net_connect=if(EventCode=3, 1, 0)
| where is_proc_create=1 OR is_net_connect=1
| eval MinerBinaryMatch=if(
    match(lower(Image), "(xmrig|minerd|cpuminer|ethminer|nbminer|t-rex|phoenixminer|nanominer|xmrstak|xmr-stak|kdevtmpfsi|kinsing|sysupdate|networkservice|sysguard|kerberods)"),
    1, 0)
| eval MiningArgMatch=if(
    match(lower(CommandLine), "(stratum\+tcp://|stratum\+ssl://|--donate-level|--mining-threads|--coin\s+monero|--coin\s+xmr|pool\.minexmr|pool\.hashvault|supportxmr\.com|nanopool\.org|monerohash\.com|cryptonight|randomx|--max-cpu-usage|xmrpool)"),
    1, 0)
| eval MiningPortMatch=if(
    is_net_connect=1 AND match(DestinationPort, "^(3333|4444|5555|7777|14444|45700|3032|8008|9999|14433|45560)$")
    AND NOT match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"),
    1, 0)
| eval SuspicionScore=MinerBinaryMatch + MiningArgMatch + MiningPortMatch
| where SuspicionScore > 0
| eval DetectionType=case(
    is_proc_create=1 AND MinerBinaryMatch=1, "KnownMinerBinary",
    is_proc_create=1 AND MiningArgMatch=1, "MiningArguments",
    is_net_connect=1 AND MiningPortMatch=1, "MiningPoolConnection",
    true(), "Mixed")
| eval ProcessName=coalesce(Image, "unknown")
| eval CmdLine=coalesce(CommandLine, "")
| eval DestPort=coalesce(DestinationPort, "")
| eval DestIP=coalesce(DestinationIp, "")
| table _time, host, User, ProcessName, CmdLine, ParentImage, ParentCommandLine,
        DestIP, DestPort, DetectionType, MinerBinaryMatch, MiningArgMatch,
        MiningPortMatch, SuspicionScore
| sort - SuspicionScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized cryptocurrency mining operations or research environments where staff legitimately run miners
Security researchers testing miner detection capabilities using XMRig or similar tools in sandboxed environments
Port 3333 used by legitimate development tools or custom applications (e.g., some IoT platforms, local proxy servers)
Penetration testers running authorized mining simulations as part of red team engagements with documented change tickets
Academic HPC workloads that use similar CPU-maximizing flags but for legitimate compute tasks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  destinationport AS DestinationPort,
  username AS UserName,
  QIDNAME(qid) AS EventName,
  LOGSOURCENAME(logsourceid) AS LogSource,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  CASE
    WHEN LOWER("Process Name") MATCHES '(xmrig|minerd|cpuminer|ethminer|nbminer|t-rex|phoenixminer|nanominer|xmrstak|xmr-stak|kdevtmpfsi|kinsing|sysupdate|networkservice|sysguard|kerberods)' THEN 1
    ELSE 0
  END AS MinerBinaryMatch,
  CASE
    WHEN LOWER("Command") MATCHES '(stratum\+tcp://|stratum\+ssl://|--donate-level|--mining-threads|--coin\s+monero|--coin\s+xmr|pool\.minexmr|pool\.hashvault|supportxmr\.com|nanopool\.org|cryptonight|randomx|--max-cpu-usage)' THEN 1
    ELSE 0
  END AS MiningArgMatch,
  CASE
    WHEN destinationport IN (3333, 4444, 5555, 7777, 14444, 45700, 3032, 8008, 9999, 14433, 45560)
     AND NOT (destinationip ILIKE '10.%' OR destinationip ILIKE '192.168.%' OR destinationip ILIKE '172.1[6-9].%' OR destinationip ILIKE '172.2_.%' OR destinationip ILIKE '172.3[01].%')
    THEN 1
    ELSE 0
  END AS MiningPortMatch
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 352, 433)
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    LOWER("Process Name") MATCHES '(xmrig|minerd|cpuminer|ethminer|nbminer|t-rex|phoenixminer|nanominer|xmrstak|xmr-stak|kdevtmpfsi|kinsing|sysupdate|networkservice|sysguard|kerberods)'
    OR LOWER("Command") MATCHES '(stratum\+tcp://|stratum\+ssl://|--donate-level|--mining-threads|--coin\s+monero|--coin\s+xmr|pool\.minexmr|pool\.hashvault|supportxmr\.com|nanopool\.org|cryptonight|randomx|--max-cpu-usage)'
    OR (
      destinationport IN (3333, 4444, 5555, 7777, 14444, 45700, 3032, 8008, 9999, 14433, 45560)
      AND NOT (destinationip ILIKE '10.%' OR destinationip ILIKE '192.168.%')
    )
  )
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

QRadar Windows Security Event Log DSM QRadar Sysmon DSM QRadar Linux OS DSM QRadar Network Flows (QFlow)

Required Tables

events flows

False Positives

Development teams testing blockchain applications that communicate on mining-adjacent ports
System administrators running CPU stress tests with tools that have similar names
Legitimate RPC services or game servers using ports 3333 or 4444

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="linux/syslog" OR _sourceCategory="endpoint/process")
| where EventCode in ("1", "3") or EventID in ("1", "3")
| parse field=CommandLine "*" as cmd_lower nodrop
| parse field=Image "*\\*" as folder, process_name nodrop
| parse field=process_name "*" as pname_raw nodrop
| toLowercase(Image) as image_lower
| toLowercase(CommandLine) as cmd_lower
| if (image_lower matches "*xmrig*" or image_lower matches "*minerd*" or image_lower matches "*cpuminer*" or image_lower matches "*ethminer*" or image_lower matches "*nbminer*" or image_lower matches "*t-rex*" or image_lower matches "*phoenixminer*" or image_lower matches "*nanominer*" or image_lower matches "*xmrstak*" or image_lower matches "*xmr-stak*" or image_lower matches "*kdevtmpfsi*" or image_lower matches "*kinsing*" or image_lower matches "*sysupdate*" or image_lower matches "*networkservice*" or image_lower matches "*sysguard*" or image_lower matches "*kerberods*", 1, 0) as MinerBinaryMatch
| if (cmd_lower matches "*stratum+tcp*" or cmd_lower matches "*stratum+ssl*" or cmd_lower matches "*--donate-level*" or cmd_lower matches "*--mining-threads*" or cmd_lower matches "*--coin monero*" or cmd_lower matches "*--coin xmr*" or cmd_lower matches "*pool.minexmr*" or cmd_lower matches "*pool.hashvault*" or cmd_lower matches "*supportxmr.com*" or cmd_lower matches "*nanopool.org*" or cmd_lower matches "*cryptonight*" or cmd_lower matches "*randomx*" or cmd_lower matches "*--max-cpu-usage*", 1, 0) as MiningArgMatch
| if (EventCode == "3" and DestinationPort in ("3333","4444","5555","7777","14444","45700","3032","8008","9999","14433","45560") and !(DestinationIp matches "10.*" or DestinationIp matches "192.168.*" or DestinationIp matches "172.1*"), 1, 0) as MiningPortMatch
| where MinerBinaryMatch=1 or MiningArgMatch=1 or MiningPortMatch=1
| fields _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, DestinationIp, DestinationPort, MinerBinaryMatch, MiningArgMatch, MiningPortMatch
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Sysmon Source (Windows) Sumo Logic Linux Syslog Source Sumo Logic Installed Collector with Windows Event Log source

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=linux/syslog

False Positives

Penetration testing tools or red team frameworks that use miner process names as camouflage
Research VMs running miner analysis with live samples
Network scanning tools that probe mining-adjacent ports during asset discovery

Google Chronicle / SecOps

yaral

rule t1496_001_compute_hijacking_cryptomining {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects cryptocurrency mining (T1496.001) via known miner process names, mining CLI arguments, or outbound connections to mining pool ports."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496.001"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"
    version = "1.0"

  events:
    (
      // Branch 1: Known miner process name
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.principal.process.file.full_path, `(?i)(xmrig|xmrig-notls|xmrig-cuda|xmrig-amd|minerd|cpuminer|cpuminer-opt|ethminer|nbminer|t-rex|phoenixminer|nanominer|xmr-stak|xmrstak|rhminer|kdevtmpfsi|kinsing|sysupdate|networkservice|sysguard|kerberods)(\.exe)?$`) or
        re.regex($e.target.process.command_line, `(?i)(stratum\+tcp://|stratum\+ssl://|stratum2\+tcp://|--donate-level|--mining-threads|--coin\s+(monero|xmr)|pool\.minexmr|pool\.hashvault|supportxmr\.com|nanopool\.org|monerohash\.com|cryptonight|randomx|--max-cpu-usage|-o\s+stratum)`)
      )
    ) or
    (
      // Branch 2: Mining pool port connection
      $e.metadata.event_type = "NETWORK_CONNECTION" and
      $e.target.port in (3333, 4444, 5555, 7777, 14444, 45700, 3032, 8008, 9999, 14433, 45560) and
      not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8") and
      not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12") and
      not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16") and
      not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Chronicle Forwarder (Windows endpoints) Chronicle Forwarder (Linux endpoints) Google Cloud Chronicle with Sysmon ingestion

Required Tables

UDM PROCESS_LAUNCH events UDM NETWORK_CONNECTION events

False Positives

Authorized cryptocurrency treasury or finance tooling connecting to exchange APIs on common ports
Blockchain node software that communicates over stratum-adjacent ports for P2P consensus
Developer environments running local mining pool simulators for testing DeFi applications

CrowdStrike LogScale (CQL)

cql

// Branch 1: Known miner process execution
#event_simpleName = "ProcessRollup2"
| regex(field=ImageFileName, regex="(?i)(xmrig|xmrig-notls|xmrig-cuda|xmrig-amd|minerd|cpuminer|cpuminer-opt|ethminer|nbminer|t-rex|phoenixminer|nanominer|xmr-stak|xmrstak|rhminer|kdevtmpfsi|kinsing|sysupdate|networkservice|sysguard|kerberods)(\.exe)?$", strict=false)
| eval MinerBinaryMatch=1
| eval MiningArgMatch=if(match(CommandLine, "(?i)(stratum\\+tcp://|stratum\\+ssl://|--donate-level|--mining-threads|--coin\\s+monero|--coin\\s+xmr|pool\\.minexmr|pool\\.hashvault|supportxmr\\.com|nanopool\\.org|cryptonight|randomx|--max-cpu-usage)"), 1, 0)
| eval DetectionBranch="ProcessExecution"
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, MinerBinaryMatch, MiningArgMatch, DetectionBranch])

// Branch 2: Mining command-line arguments without known binary name
| union {
  #event_simpleName = "ProcessRollup2"
  | regex(field=CommandLine, regex="(?i)(stratum\+tcp://|stratum\+ssl://|--donate-level|--mining-threads|--coin\s+monero|--coin\s+xmr|pool\.minexmr|pool\.hashvault|supportxmr\.com|nanopool\.org|cryptonight|randomx|--max-cpu-usage|-o\s+stratum)", strict=false)
  | eval MinerBinaryMatch=if(match(ImageFileName, "(?i)(xmrig|minerd|cpuminer|ethminer|nbminer|t-rex|phoenixminer|nanominer|xmrstak|kdevtmpfsi|kinsing|sysupdate|kerberods)"), 1, 0)
  | eval MiningArgMatch=1
  | eval DetectionBranch="MiningArguments"
  | select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, MinerBinaryMatch, MiningArgMatch, DetectionBranch])
}

// Branch 3: Outbound connections to mining pool ports
| union {
  #event_simpleName = "NetworkConnectIP4"
  | RemotePort in [3333, 4444, 5555, 7777, 14444, 45700, 3032, 8008, 9999, 14433, 45560]
  | not cidr(RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])
  | eval MinerBinaryMatch=if(match(ImageFileName, "(?i)(xmrig|minerd|cpuminer|ethminer|nbminer|t-rex|phoenixminer|nanominer|xmrstak|kdevtmpfsi|kinsing|sysupdate|kerberods)"), 1, 0)
  | eval MiningArgMatch=0
  | eval DetectionBranch="MiningPoolConnection"
  | rename(field=RemoteAddressIP4, as=DestIP)
  | rename(field=RemotePort, as=DestPort)
  | select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, MinerBinaryMatch, MiningArgMatch, DetectionBranch, DestIP, DestPort])
}

| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Detection Falcon Sensor ProcessRollup2 events Falcon Sensor NetworkConnectIP4 events Falcon Sensor DnsRequest events

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

Authorized cryptocurrency wallet software performing peer discovery over ports in the mining range
Internal DevOps tooling or CI/CD pipelines running blockchain integration tests that invoke miner binaries
Blue team or threat intelligence analysts running miner samples in an isolated but monitored Falcon-enrolled analysis VM

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1496.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1496Resource Hijacking

Related Sub-techniques

T1496.002Bandwidth Hijacking T1496.003SMS Pumping T1496.004Cloud Service Hijacking

Compute Hijacking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections