Detect Compute Hijacking in CrowdStrike LogScale
Adversaries may leverage the compute resources of co-opted systems to mine cryptocurrency or perform other resource-intensive tasks, degrading system performance and the availability of hosted services. The most prevalent form is unauthorized cryptocurrency mining (cryptojacking), typically targeting Monero (XMR) via XMRig or derivative tools because of its CPU-friendly algorithm and transaction privacy. Threat actors including TeamTNT, Blue Mockingbird, Rocke, APT41, Kinsing, and Hildegard have deployed miners as follow-on payloads against Windows endpoints, Linux servers, and containerized environments. Miners connect to mining pools over the Stratum protocol (commonly on ports 3333, 4444, and 14444) and are often deployed alongside rootkits, cron-based persistence, and scripts that kill competing miners.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1496 Resource Hijacking
- Sub-technique: T1496.001 Compute Hijacking
- Canonical reference: https://attack.mitre.org/techniques/T1496/001/
LogScale Detection Query

```
// Scope to the two Falcon event types the three branches use
(#event_simpleName="ProcessRollup2" or #event_simpleName="NetworkConnectIP4")
| case {
    // Branches 1 and 2: known miner binary name and/or mining-specific command-line arguments
    #event_simpleName="ProcessRollup2"
      | case { ImageFileName=/(xmrig|xmrig-notls|xmrig-cuda|xmrig-amd|minerd|cpuminer|cpuminer-opt|ethminer|nbminer|t-rex|phoenixminer|nanominer|xmr-stak|xmrstak|rhminer|kdevtmpfsi|kinsing|sysupdate|networkservice|sysguard|kerberods)(\.exe)?$/i | MinerBinaryMatch:=1; * | MinerBinaryMatch:=0 }
      | case { CommandLine=/(stratum\+tcp:\/\/|stratum\+ssl:\/\/|--donate-level|--mining-threads|--coin\s+monero|--coin\s+xmr|pool\.minexmr|pool\.hashvault|supportxmr\.com|nanopool\.org|cryptonight|randomx|--max-cpu-usage|-o\s+stratum)/i | MiningArgMatch:=1; * | MiningArgMatch:=0 }
      | (MinerBinaryMatch=1 or MiningArgMatch=1)
      | case { MinerBinaryMatch=1 | DetectionBranch:="ProcessExecution"; * | DetectionBranch:="MiningArguments" };
    // Branch 3: outbound connections to common stratum pool ports, excluding private and loopback ranges
    #event_simpleName="NetworkConnectIP4"
      | in(field="RemotePort", values=["3333", "4444", "5555", "7777", "14444", "45700", "3032", "8008", "9999", "14433", "45560"])
      | cidr(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"], negate=true)
      | case { ImageFileName=/(xmrig|minerd|cpuminer|ethminer|nbminer|t-rex|phoenixminer|nanominer|xmrstak|kdevtmpfsi|kinsing|sysupdate|kerberods)/i | MinerBinaryMatch:=1; * | MinerBinaryMatch:=0 }
      | MiningArgMatch:=0
      | DetectionBranch:="MiningPoolConnection"
      | rename(field=RemoteAddressIP4, as=DestIP)
      | rename(field=RemotePort, as=DestPort)
}
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, MinerBinaryMatch, MiningArgMatch, DetectionBranch, DestIP, DestPort])
| sort(field=@timestamp, order=desc)
```

This CrowdStrike LogScale (Falcon) detection for T1496.001 evaluates three branches inside one case statement: (1) ProcessRollup2 events whose image name matches a known miner binary, (2) ProcessRollup2 events carrying mining-specific command-line arguments, and (3) NetworkConnectIP4 events with outbound connections to common stratum mining-pool ports, excluding private and loopback ranges. A process event that matches both a binary name and mining arguments is reported once, under ProcessExecution, with both flags set. The query covers Windows and Linux endpoints via Falcon sensor telemetry.
Data Sources
Required Tables
- ProcessRollup2: process execution events from the Falcon sensor (branches 1 and 2)
- NetworkConnectIP4: outbound IPv4 connection events from the Falcon sensor (branch 3)
False Positives & Tuning
- Authorized cryptocurrency wallet software performing peer discovery over ports in the mining range
- Internal DevOps tooling or CI/CD pipelines running blockchain integration tests that invoke miner binaries
- Blue team or threat intelligence analysts running miner samples in an isolated but monitored Falcon-enrolled analysis VM
Testing Methodology
Validate this detection against the four Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: XMRig Miner Execution with Pool Arguments (Windows)
  Expected signal: Sysmon Event ID 1: Process Create with Image=xmrig.exe and CommandLine containing '--donate-level', 'stratum+tcp://', '--max-cpu-usage'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:3333 (will fail). Security Event ID 4688 if command-line auditing is enabled. High CPU utilization visible in performance counters immediately after launch.
- Test 2: XMRig Miner Execution via PowerShell Download Cradle (Windows)
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with '-ExecutionPolicy Bypass -WindowStyle Hidden'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full download cradle content. If the download succeeded: a second Sysmon Event ID 1 for svchost32.exe with mining arguments.
- Test 3: Miner Persistence via Linux Cron Job
  Expected signal: Linux auditd: syscall=execve for the crontab command. On the next cron tick: process creation for bash/sh spawning curl with a mining-related URL, then chmod +x on /tmp/kdevtmpfsi, then execution of /tmp/kdevtmpfsi. If the MDE Linux agent is enrolled: DeviceProcessEvents showing cron as the initiating process spawning curl and the miner binary.
- Test 4: Mining Pool Network Connection Simulation
  Expected signal: Sysmon Event ID 3: three network connection events from powershell.exe to 127.0.0.1 on ports 3333, 4444, and 14444. The connections will fail (no listener), but the event is generated on the SYN attempt. Windows Firewall log entries for outbound connection attempts on mining ports.
References (13)
- https://attack.mitre.org/techniques/T1496/001/
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/
- https://redcanary.com/blog/blue-mockingbird-cryptominer/
- https://www.aquasec.com/blog/threat-alert-kinsing-malware-container-vulnerability/
- https://sysdig.com/blog/cryptojacking-cloud-security-kinsing/
- https://www.lacework.com/blog/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/
- https://github.com/xmrig/xmrig
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md