Detect Bandwidth Hijacking in Microsoft Sentinel
Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. This includes proxyjacking (selling victim bandwidth and IP address to proxyware services such as Honeygain, IPRoyal Pawns, Peer2Profit, PacketStream, and Traffmonetizer), participating in botnets for network denial of service campaigns, seeding malicious torrents, and conducting internet-wide scanning using victim systems. Proxyware agents installed on victim machines route third-party traffic through the victim's IP address, generating revenue for the adversary while consuming the victim's bandwidth and potentially implicating the victim's IP in illegal activity.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1496 Resource Hijacking
- Sub-technique: T1496.002 Bandwidth Hijacking
- Canonical reference: https://attack.mitre.org/techniques/T1496/002/
KQL Detection Query
let KnownProxywareProcesses = dynamic([
    "honeygain.exe", "honeygainclient.exe",
    "iproyal-desktop.exe", "iproyal_desktop.exe", "pawns.exe",
    "peer2profit.exe", "p2p-node.exe",
    "packetstream.exe", "psnode.exe",
    "traffmonetizer.exe", "traffmain.exe",
    "earnapp.exe",
    "repocket.exe",
    "bitping.exe",
    "mysterium.exe", "myst.exe"
]);
let ProxywareDomainKeywords = dynamic([
    "honeygain", "iproyal", "pawns.app",
    "peer2profit", "packetstream", "traffmonetizer",
    "earnapp", "repocket", "bitping", "mysterium.network"
]);
// Branch 1: Known proxyware agent binary execution
let Branch1 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (KnownProxywareProcesses)
| extend DetectionBranch = "KnownProxywareBinary"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
    SHA256, DetectionBranch;
// Branch 2: Network connections to known proxyware service domains
let Branch2 = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (ProxywareDomainKeywords)
    or RemoteDnsQuestion has_any (ProxywareDomainKeywords)
| extend DetectionBranch = "ProxywareDomainConnection"
| project Timestamp, DeviceName,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    RemoteUrl, RemoteDnsQuestion, RemoteIP, RemotePort,
    DetectionBranch;
union Branch1, Branch2
| sort by Timestamp desc

Detects bandwidth hijacking (proxyjacking) using two detection branches in Microsoft Defender for Endpoint. Branch 1 identifies known proxyware agent process names (Honeygain, IPRoyal Pawns, Peer2Profit, PacketStream, Traffmonetizer, EarnApp, Repocket, Bitping, Mysterium) at process creation time. Branch 2 catches outbound network connections or DNS queries to known proxyware service domains. Results from both branches are unioned for alerting. A separate volume-based hunting query is provided in the investigation section to detect unknown proxyware by behavioral pattern.
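The two branches above only catch agents whose binary name or service domain is already known. As an added example (not the page's own hunting query), the following KQL looks for the behavioural pattern instead: one process fanning out to many distinct public IPs within a single time bin, which is the telemetry Test 3 below produces. The threshold, bin size and allowlist are assumptions to be tuned per environment.

```kql
// Added hunting example; not part of the page's detection package.
// Tunables below are assumptions, not values from the page.
let LookBack = 24h;
let BinSize = 1h;
let MinUniqueRemoteIPs = 50;        // assumed threshold; Test 3 generates ~80 connections
// Assumed allowlist: browsers, mail and conferencing clients legitimately
// reach many external hosts (see the False Positives section); extend with
// CDN/proxy agents known in your estate.
let ExpectedHighFanOutProcesses = dynamic([
    "msedge.exe", "chrome.exe", "firefox.exe", "teams.exe", "outlook.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(LookBack)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where RemoteIPType == "Public"      // drop RFC1918, loopback and reserved ranges
| where InitiatingProcessFileName !in~ (ExpectedHighFanOutProcesses)
| summarize
    UniqueRemoteIPs   = dcount(RemoteIP),
    UniqueRemotePorts = dcount(RemotePort),
    Connections       = count(),
    SampleRemoteIPs   = make_set(RemoteIP, 10),
    SampleCommandLine = take_any(InitiatingProcessCommandLine),
    FirstSeen         = min(Timestamp),
    LastSeen          = max(Timestamp)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
       TimeBin = bin(Timestamp, BinSize)
| where UniqueRemoteIPs >= MinUniqueRemoteIPs
| extend DetectionBranch = "HighFanOutExternalConnections"
| sort by UniqueRemoteIPs desc
```

Run it as a hunting query first and raise MinUniqueRemoteIPs until the steady-state results are only the hosts the False Positives section describes, then promote it to an analytics rule.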
Data Sources
Required Tables: DeviceProcessEvents and DeviceNetworkEvents, the two Microsoft Defender for Endpoint advanced hunting tables read by the query above.
False Positives & Tuning
- Legitimate voluntary installation of proxyware by the endpoint user who consented to share bandwidth for reward (common in BYOD environments)
- Security researchers testing proxyware tools in an isolated lab environment
- CDN edge nodes, proxy appliances, or load balancers with high legitimate external connection volumes that match domain keywords
- Peer-to-peer collaboration or conferencing applications (WebRTC-based) whose domain names partially match proxyware keyword patterns
- Authorized penetration testing tools or network scanning appliances generating high external connection counts
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Honeygain Proxyware Agent Binary Simulation (Windows)
Expected signal: Sysmon Event ID 11: File Create — honeygain.exe written to %APPDATA%. Sysmon Event ID 1: Process Create — Image path ends with 'honeygain.exe' in AppData directory, ParentImage=cmd.exe. Security Event ID 4688 (if command line auditing enabled): ProcessName contains honeygain.exe.
- Test 2: Proxyware Registry Run Key Persistence (Windows)
Expected signal: Sysmon Event ID 13: Registry Value Set — TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Honeygain, Details containing '%APPDATA%\honeygain.exe --token=SIM_TOKEN_12345'. Security Event ID 4657 if registry object access auditing is enabled.
- Test 3: High-Volume External Connection Simulation (Windows)
Expected signal: Sysmon Event ID 3: Approximately 80 Network Connection events from powershell.exe to diverse external IPs (8.8.*.1 range) on port 80, appearing within a short time window. DeviceNetworkEvents in MDE will show InitiatingProcessFileName=powershell.exe with high UniqueRemoteIPs count.
- Test 4: Proxyware Domain DNS Resolution (Linux)
Expected signal: Sysmon for Linux Event ID 22: DNS Query events for honeygain.com, peer2profit.com, packetstream.io, traffmonetizer.com, earnapp.com. Process audit records for 'host' command execution. Network captures (if packet capture enabled) show DNS queries to these domains from the host's public IP.
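Tests 1, 3 and 4 are observed by the detection query and the fan-out hunt above, but the Run-key persistence in Test 2 is not. As an added validation query (not part of the page's detection package), this KQL surfaces Run and RunOnce values that point at a proxyware binary in DeviceRegistryEvents, so the Test 2 signal can be confirmed in MDE rather than only in Sysmon Event ID 13. The keyword list is re-declared here so the query runs stand-alone.

```kql
// Added validation query; not part of the page's detection package.
// Keyword list mirrors the main detection's process and domain lists.
let ProxywareKeywords = dynamic([
    "honeygain", "iproyal", "pawns", "peer2profit", "packetstream",
    "traffmonetizer", "earnapp", "repocket", "bitping", "mysterium"
]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
// Per-user and per-machine autostart keys; endswith is case-insensitive
| where RegistryKey endswith @"\CurrentVersion\Run"
    or RegistryKey endswith @"\CurrentVersion\RunOnce"
// Match either the value name (e.g. "Honeygain") or the launched path/arguments
| where RegistryValueName has_any (ProxywareKeywords)
    or RegistryValueData has_any (ProxywareKeywords)
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    RegistryKey, RegistryValueName, RegistryValueData
| extend DetectionBranch = "ProxywareRunKeyPersistence"
| sort by Timestamp desc
```

For Test 2 the expected row is RegistryKey ending in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with RegistryValueName "Honeygain" and the simulated honeygain.exe path in RegistryValueData.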
References
- https://attack.mitre.org/techniques/T1496/002/
- https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
- https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table