Detect Compute Hijacking in Microsoft Sentinel
Adversaries may leverage the compute resources of co-opted systems to mine cryptocurrency or perform other resource-intensive tasks, degrading system performance and hosted service availability. The most prevalent form is unauthorized cryptocurrency mining (cryptojacking), typically targeting Monero (XMR) via XMRig or derivative tools due to CPU-friendliness and transaction privacy. Threat actors including TeamTNT, Blue Mockingbird, Rocke, APT41, Kinsing, and Hildegard have deployed miners as follow-on payloads targeting Windows endpoints, Linux servers, and containerized environments. Miners connect to mining pools over stratum protocol (commonly ports 3333, 4444, 14444) and are often deployed alongside rootkits, cron-based persistence, and competing miner kill scripts.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1496 Resource Hijacking
- Sub-technique
- T1496.001 Compute Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1496/001/
KQL Detection Query
let MinerProcessNames = dynamic([
"xmrig", "xmrig.exe", "xmrig-notls", "xmrig-cuda", "xmrig-amd",
"minerd", "cpuminer", "cpuminer-opt",
"ethminer", "nbminer", "t-rex", "phoenixminer",
"nanominer", "xmr-stak", "xmrstak", "rhminer",
"kdevtmpfsi", "kinsing", "sysupdate", "networkservice", "sysguard",
"pastebin", "bioset", "kerberods"
]);
let MinerCmdPatterns = dynamic([
"stratum+tcp://", "stratum+ssl://", "stratum2+tcp://",
"--donate-level", "--mining-threads", "--coin monero", "--coin xmr",
"pool.minexmr", "pool.hashvault", "xmrpool.eu", "monerohash.com",
"supportxmr.com", "nanopool.org", "2miners.com", "f2pool.com",
"--nicehash", "-o stratum", "pool.xmr", "mine.xmr",
"cryptonight", "randomx", "--threads", "--max-cpu-usage"
]);
let MiningPorts = dynamic([3333, 4444, 5555, 7777, 14444, 45700, 3032, 8008, 9999, 14433, 45560]);
// Branch 1: Known miner process names or mining-specific command line arguments
let ProcessBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (MinerProcessNames)
or ProcessCommandLine has_any (MinerCmdPatterns)
| extend DetectionBranch = "ProcessExecution"
| extend MinerBinaryMatch = FileName has_any (MinerProcessNames)
| extend MiningArgMatch = ProcessCommandLine has_any (MinerCmdPatterns)
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "bash", "sh", "cron", "curl", "wget", "python", "python3")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
SHA256, FolderPath, DetectionBranch, MinerBinaryMatch, MiningArgMatch, SuspiciousParent;
// Branch 2: Outbound connections to mining pool ports from any process
let NetworkBranch = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (MiningPorts)
| where RemoteIPType == "Public"
| extend DetectionBranch = "MiningPoolConnection"
| extend MinerProcessMatch = InitiatingProcessFileName has_any (MinerProcessNames)
| extend MiningArgMatch = InitiatingProcessCommandLine has_any (MinerCmdPatterns)
| project Timestamp, DeviceName,
AccountName = InitiatingProcessAccountName,
FileName = InitiatingProcessFileName,
ProcessCommandLine = InitiatingProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionBranch, RemoteIP, RemotePort, RemoteUrl,
MinerProcessMatch, MiningArgMatch, SuspiciousParent = false;
// Combine and sort
union ProcessBranch, NetworkBranch
| sort by Timestamp descDetects unauthorized cryptocurrency mining (T1496.001 Compute Hijacking) using Microsoft Defender for Endpoint tables. Uses two detection branches: (1) DeviceProcessEvents matching known miner binary names (XMRig, kdevtmpfsi, kinsing, etc.) and mining-specific command line arguments (stratum protocol URLs, --donate-level, pool domain names); (2) DeviceNetworkEvents detecting outbound connections to common mining pool ports (3333, 4444, 14444, etc.) on public IPs. Covers both Windows and Linux endpoints enrolled in MDE.
Data Sources
Required Tables
False Positives & Tuning
- Authorized cryptocurrency mining operations or research environments where staff legitimately run miners
- Security researchers testing miner detection capabilities using XMRig or similar tools in sandboxed environments
- Port 3333 used by legitimate development tools or custom applications (e.g., some IoT platforms, local proxy servers)
- Penetration testers running authorized mining simulations as part of red team engagements with documented change tickets
- Academic HPC (High Performance Computing) workloads that use similar CPU-maximizing flags but for legitimate compute tasks
Other platforms for T1496.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1XMRig Miner Execution with Pool Arguments (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=xmrig.exe, CommandLine containing '--donate-level', 'stratum+tcp://', '--max-cpu-usage'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:3333 (will fail). Security Event ID 4688 if command line auditing enabled. High CPU utilization visible in performance counters immediately after launch.
- Test 2XMRig Miner Execution via PowerShell Download Cradle (Windows)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with '-ExecutionPolicy Bypass -WindowStyle Hidden'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with full download cradle content. If the download succeeded: second Sysmon Event ID 1 for svchost32.exe with mining arguments.
- Test 3Miner Persistence via Linux Cron Job
Expected signal: Linux auditd: syscall=execve for crontab command. On next cron tick: process creation for bash/sh spawning curl with mining-related URL, then chmod +x on /tmp/kdevtmpfsi, then execution of /tmp/kdevtmpfsi. If MDE Linux agent enrolled: DeviceProcessEvents showing cron as initiating process spawning curl and the miner binary.
- Test 4Mining Pool Network Connection Simulation
Expected signal: Sysmon Event ID 3: three network connection events from powershell.exe to 127.0.0.1 on ports 3333, 4444, and 14444. Connections will fail (no listener) but the event is generated on the SYN attempt. Windows Firewall log entries for outbound connection attempts on mining ports.
References (13)
- https://attack.mitre.org/techniques/T1496/001/
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
- https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
- https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html
- https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/
- https://redcanary.com/blog/blue-mockingbird-cryptominer/
- https://www.aquasec.com/blog/threat-alert-kinsing-malware-container-vulnerability/
- https://sysdig.com/blog/cryptojacking-cloud-security-kinsing/
- https://www.lacework.com/blog/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/
- https://github.com/xmrig/xmrig
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md
Unlock Pro Content
Get the full detection package for T1496.001 including response playbook, investigation guide, and atomic red team tests.