T1496.002 Bandwidth Hijacking Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let KnownProxywareProcesses = dynamic([
  "honeygain.exe", "honeygainclient.exe",
  "iproyal-desktop.exe", "iproyal_desktop.exe", "pawns.exe",
  "peer2profit.exe", "p2p-node.exe",
  "packetstream.exe", "psnode.exe",
  "traffmonetizer.exe", "traffmain.exe",
  "earnapp.exe",
  "repocket.exe",
  "bitping.exe",
  "mysterium.exe", "myst.exe"
]);
let ProxywareDomainKeywords = dynamic([
  "honeygain", "iproyal", "pawns.app",
  "peer2profit", "packetstream", "traffmonetizer",
  "earnapp", "repocket", "bitping", "mysterium.network"
]);
// Branch 1: Known proxyware agent binary execution
let Branch1 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (KnownProxywareProcesses)
| extend DetectionBranch = "KnownProxywareBinary"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
         ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
         SHA256, DetectionBranch;
// Branch 2: Network connections to known proxyware service domains
let Branch2 = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (ProxywareDomainKeywords)
    or RemoteDnsQuestion has_any (ProxywareDomainKeywords)
| extend DetectionBranch = "ProxywareDomainConnection"
| project Timestamp, DeviceName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RemoteUrl, RemoteDnsQuestion, RemoteIP, RemotePort,
         DetectionBranch;
union Branch1, Branch2
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate voluntary installation of proxyware by the endpoint user who consented to share bandwidth for reward (common in BYOD environments)
Security researchers testing proxyware tools in an isolated lab environment
CDN edge nodes, proxy appliances, or load balancers with high legitimate external connection volumes that match domain keywords
Peer-to-peer collaboration or conferencing applications (WebRTC-based) whose domain names partially match proxyware keyword patterns
Authorized penetration testing tools or network scanning appliances generating high external connection counts

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval EventCode=coalesce(EventCode, event_id)
| search EventCode IN (1, 3)
| eval KnownProxywareBinary=case(
    EventCode=1 AND match(lower(Image),
      "(honeygain|iproyal.desktop|iproyal_desktop|pawns\.exe|peer2profit|p2p-node|packetstream|psnode|traffmonetizer|traffmain|earnapp|repocket|bitping|mysterium|myst\.exe)"
    ), 1,
    true(), 0
  )
| eval ProxywareDomain=case(
    EventCode=3 AND match(lower(coalesce(DestinationHostname, "")),
      "(honeygain|iproyal|pawns\.app|peer2profit|packetstream|traffmonetizer|earnapp|repocket|bitping|mysterium)"
    ), 1,
    true(), 0
  )
| eval DetectionBranch=case(
    KnownProxywareBinary=1, "KnownProxywareBinary",
    ProxywareDomain=1, "ProxywareDomainConnection",
    true(), "None"
  )
| where DetectionBranch!="None"
| table _time, host, User, EventCode, Image, CommandLine, ParentImage, ParentCommandLine,
         DestinationIp, DestinationHostname, DestinationPort,
         KnownProxywareBinary, ProxywareDomain, DetectionBranch
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Voluntary user installation of proxyware agents for passive income in BYOD environments
Security testing of proxyware tools in isolated lab or sandbox environments
CDN infrastructure or legitimate proxy servers whose hostnames match proxyware domain keyword patterns
Peer-to-peer applications with domain names that partially overlap with proxyware service names
Authorized network performance testing tools making sustained high-volume external connections

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    process.name like~ (
      "honeygain.exe", "honeygainclient.exe", "iproyal-desktop.exe", "iproyal_desktop.exe",
      "pawns.exe", "peer2profit.exe", "p2p-node.exe", "packetstream.exe", "psnode.exe",
      "traffmonetizer.exe", "traffmain.exe", "earnapp.exe", "repocket.exe", "bitping.exe",
      "mysterium.exe", "myst.exe"
    )
  ) or
  (
    event.category == "network" and
    (
      dns.question.name like~ (
        "*honeygain*", "*iproyal*", "*pawns.app*", "*peer2profit*", "*packetstream*",
        "*traffmonetizer*", "*earnapp*", "*repocket*", "*bitping*", "*mysterium.network*"
      ) or
      destination.domain like~ (
        "*honeygain*", "*iproyal*", "*pawns.app*", "*peer2profit*", "*packetstream*",
        "*traffmonetizer*", "*earnapp*", "*repocket*", "*bitping*", "*mysterium.network*"
      )
    )
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Sysmon via Winlogbeat Auditbeat Packetbeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* winlogbeat-*

False Positives

Legitimate security researchers or malware analysts executing proxyware binaries in isolated lab environments for threat intelligence purposes
IT administrators who have explicitly approved bandwidth-sharing programs for cost optimization or load testing on non-production assets
Developer environments where proxyware client SDKs or integration test harnesses are being actively debugged prior to detection deployment

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip AS src_ip,
  destinationip AS dst_ip,
  destinationport AS dst_port,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name,
  QIDNAME(qid) AS event_name,
  "FileName" AS process_name,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_process,
  "DestinationHostname" AS dst_hostname,
  CASE
    WHEN LOWER("FileName") MATCHES '(honeygain(\.exe|client\.exe)?|iproyal.desktop\.exe|iproyal_desktop\.exe|pawns\.exe|peer2profit\.exe|p2p-node\.exe|packetstream\.exe|psnode\.exe|traffmonetizer\.exe|traffmain\.exe|earnapp\.exe|repocket\.exe|bitping\.exe|mysterium\.exe|myst\.exe)'
      THEN 'KnownProxywareBinary'
    WHEN LOWER("DestinationHostname") MATCHES '(honeygain|iproyal|pawns\.app|peer2profit|packetstream|traffmonetizer|earnapp|repocket|bitping|mysterium\.network)'
      THEN 'ProxywareDomainConnection'
    ELSE 'Unknown'
  END AS detection_branch
FROM events
WHERE (
  LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
  OR LOGSOURCETYPENAME(devicetype) ILIKE '%windows%'
)
AND (
  LOWER("FileName") MATCHES '(honeygain|iproyal.desktop|iproyal_desktop|pawns\.exe|peer2profit|p2p-node|packetstream|psnode|traffmonetizer|traffmain|earnapp|repocket|bitping|mysterium|myst\.exe)'
  OR LOWER("DestinationHostname") MATCHES '(honeygain|iproyal|pawns\.app|peer2profit|packetstream|traffmonetizer|earnapp|repocket|bitping|mysterium\.network)'
)
LAST 24 HOURS
ORDER BY event_time DESC

high severity high confidence

Data Sources

IBM QRadar SIEM Sysmon DSM via Windows Event Log Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

Employees who have installed personal proxyware applications on company endpoints prior to policy enforcement or security tool rollout
Security operations teams running proxyware samples inside QRadar-monitored sandboxed virtual machines during threat intelligence exercises
Custom internal network relay or proxy tools whose binary names or destination hostnames partially match the detection patterns

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventCode IN ("1", "3") OR EventID IN ("1", "3")
| eval process_lower = toLowerCase(if(!isNull(Image), Image, if(!isNull(ProcessName), ProcessName, "")))
| eval dest_host_lower = toLowerCase(if(!isNull(DestinationHostname), DestinationHostname, ""))
| where process_lower matches /(?:honeygain(?:client)?\.exe|iproyal[_-]desktop\.exe|pawns\.exe|peer2profit\.exe|p2p-node\.exe|packetstream\.exe|psnode\.exe|traffmonetizer\.exe|traffmain\.exe|earnapp\.exe|repocket\.exe|bitping\.exe|mysterium\.exe|myst\.exe)$/
  OR dest_host_lower matches /(?:honeygain|iproyal|pawns\.app|peer2profit|packetstream|traffmonetizer|earnapp|repocket|bitping|mysterium\.network)/
| eval DetectionBranch = if(
    process_lower matches /(?:honeygain(?:client)?\.exe|iproyal[_-]desktop\.exe|pawns\.exe|peer2profit\.exe|p2p-node\.exe|packetstream\.exe|psnode\.exe|traffmonetizer\.exe|traffmain\.exe|earnapp\.exe|repocket\.exe|bitping\.exe|mysterium\.exe|myst\.exe)$/,
    "KnownProxywareBinary",
    "ProxywareDomainConnection"
  )
| fields _time, host, User, EventCode, Image, CommandLine, ParentImage, ParentCommandLine, DestinationIp, DestinationHostname, DestinationPort, DetectionBranch
| sort by _time desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sumo Logic Installed Collector (Windows) Sysmon via Sumo Logic Windows Event Log source

Required Tables

Sysmon EventCode 1 (Process Create) Sysmon EventCode 3 (Network Connection)

False Positives

Employees who voluntarily installed proxyware for personal passive income on BYOD devices or before acceptable use policies were enforced
Incident response analysts executing proxyware binaries in a monitored Sumo Logic-covered environment during forensic triage or malware detonation
Internal DNS sinkholes or transparent proxy appliances whose resolved hostnames match proxyware domain keyword patterns

Google Chronicle / SecOps

yaral

rule t1496_002_bandwidth_hijacking_proxyware {
  meta:
    author = "Detection Engineering"
    description = "Detects bandwidth hijacking via proxyware agent execution, DNS queries, or network connections to known proxyware service infrastructure (T1496.002)"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496.002"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"
    version = "1.0"

  events:
    (
      $proc.metadata.event_type = "PROCESS_LAUNCH"
      re.regex($proc.target.process.file.full_path,
        `(?i)(honeygain(client)?\.exe|iproyal[_-]desktop\.exe|pawns\.exe|peer2profit\.exe|p2p-node\.exe|packetstream\.exe|psnode\.exe|traffmonetizer\.exe|traffmain\.exe|earnapp\.exe|repocket\.exe|bitping\.exe|mysterium\.exe|myst\.exe)$`
      )
    )
    or
    (
      $dns.metadata.event_type = "NETWORK_DNS"
      re.regex($dns.network.dns.questions.name,
        `(?i)(honeygain\.com|cdn\.honeygain|api\.honeygain|iproyal\.com|pawns\.app|peer2profit\.com|packetstream\.io|traffmonetizer\.com|earnapp\.com|repocket\.co|bitping\.com|mysterium\.network)`
      )
    )
    or
    (
      $net.metadata.event_type = "NETWORK_CONNECTION"
      re.regex($net.target.hostname,
        `(?i)(honeygain\.com|iproyal\.com|pawns\.app|peer2profit\.com|packetstream\.io|traffmonetizer\.com|earnapp\.com|repocket\.co|bitping\.com|mysterium\.network)`
      )
    )

  condition:
    $proc or $dns or $net
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Forwarder (endpoint telemetry) DNS event logs via Chronicle ingestion Network flow telemetry

Required Tables

PROCESS_LAUNCH UDM events NETWORK_DNS UDM events NETWORK_CONNECTION UDM events

False Positives

Authorized bandwidth-sharing or distributed CDN programs explicitly approved by IT and deployed through managed software channels on designated assets
Threat intelligence teams using Chronicle-monitored systems to dynamically analyze proxyware samples with documented change control approval
Penetration testers simulating proxyware installation as part of a scoped red team engagement with prior written authorization

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN (ProcessRollup2, DnsRequest, NetworkConnectIP4)
| case {
    #event_simpleName = ProcessRollup2
      FileName = /(?i)(honeygain(client)?\.exe|iproyal[_-]desktop\.exe|pawns\.exe|peer2profit\.exe|p2p-node\.exe|packetstream\.exe|psnode\.exe|traffmonetizer\.exe|traffmain\.exe|earnapp\.exe|repocket\.exe|bitping\.exe|mysterium\.exe|myst\.exe)$/
      | DetectionBranch := "KnownProxywareBinary" ;
    #event_simpleName = DnsRequest
      DomainName = /(?i)(honeygain|iproyal|pawns\.app|peer2profit|packetstream|traffmonetizer|earnapp|repocket|bitping|mysterium\.network)/
      | DetectionBranch := "ProxywareDNSQuery" ;
    #event_simpleName = NetworkConnectIP4
      RemotePort IN (8080, 8443, 5000, 5001, 9001, 9002)
      | DetectionBranch := "ProxywareNetworkConnect" ;
    * | drop() ;
  }
| select([_time, ComputerName, UserName, #event_simpleName, FileName, CommandLine, ParentBaseFileName, DomainName, RemoteAddressIP4, RemotePort, DetectionBranch])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale / Humio

Required Tables

ProcessRollup2 DnsRequest NetworkConnectIP4

False Positives

End users who installed proxyware applications on Falcon-enrolled personal endpoints before corporate policy enforcement or MDM enrollment
CrowdStrike-monitored sandbox systems used by MDR or threat intelligence analysts to execute and observe proxyware behavior
Internal peer-to-peer file distribution tools or update relay agents that contact hostnames or use ports overlapping with proxyware service patterns

Bandwidth Hijacking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections