T1496.002 Sumo Logic CSE · Sumo

Detect Bandwidth Hijacking in Sumo Logic CSE

Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. This includes proxyjacking (selling victim bandwidth and IP address to proxyware services such as Honeygain, IPRoyal Pawns, Peer2Profit, PacketStream, and Traffmonetizer), participating in botnets for network denial of service campaigns, seeding malicious torrents, and conducting internet-wide scanning using victim systems. Proxyware agents installed on victim machines route third-party traffic through the victim's IP address, generating revenue for the adversary while consuming the victim's bandwidth and potentially implicating the victim's IP in illegal activity.

MITRE ATT&CK

Tactic
Impact
Technique
T1496 Resource Hijacking
Sub-technique
T1496.002 Bandwidth Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1496/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventCode IN ("1", "3") OR EventID IN ("1", "3")
| eval process_lower = toLowerCase(if(!isNull(Image), Image, if(!isNull(ProcessName), ProcessName, "")))
| eval dest_host_lower = toLowerCase(if(!isNull(DestinationHostname), DestinationHostname, ""))
| where process_lower matches /(?:honeygain(?:client)?\.exe|iproyal[_-]desktop\.exe|pawns\.exe|peer2profit\.exe|p2p-node\.exe|packetstream\.exe|psnode\.exe|traffmonetizer\.exe|traffmain\.exe|earnapp\.exe|repocket\.exe|bitping\.exe|mysterium\.exe|myst\.exe)$/
  OR dest_host_lower matches /(?:honeygain|iproyal|pawns\.app|peer2profit|packetstream|traffmonetizer|earnapp|repocket|bitping|mysterium\.network)/
| eval DetectionBranch = if(
    process_lower matches /(?:honeygain(?:client)?\.exe|iproyal[_-]desktop\.exe|pawns\.exe|peer2profit\.exe|p2p-node\.exe|packetstream\.exe|psnode\.exe|traffmonetizer\.exe|traffmain\.exe|earnapp\.exe|repocket\.exe|bitping\.exe|mysterium\.exe|myst\.exe)$/,
    "KnownProxywareBinary",
    "ProxywareDomainConnection"
  )
| fields _time, host, User, EventCode, Image, CommandLine, ParentImage, ParentCommandLine, DestinationIp, DestinationHostname, DestinationPort, DetectionBranch
| sort by _time desc
high severity high confidence

Detects bandwidth hijacking via proxyware agent process creation (Sysmon EventCode 1) and outbound network connections to proxyware service domains (Sysmon EventCode 3) using Sumo Logic CQL against Windows endpoint telemetry.

Data Sources

Sumo Logic Cloud SIEMSumo Logic Installed Collector (Windows)Sysmon via Sumo Logic Windows Event Log source

Required Tables

Sysmon EventCode 1 (Process Create)Sysmon EventCode 3 (Network Connection)

False Positives & Tuning

  • Employees who voluntarily installed proxyware for personal passive income on BYOD devices or before acceptable use policies were enforced
  • Incident response analysts executing proxyware binaries in a monitored Sumo Logic-covered environment during forensic triage or malware detonation
  • Internal DNS sinkholes or transparent proxy appliances whose resolved hostnames match proxyware domain keyword patterns
Download portable Sigma rule (.yml)

Other platforms for T1496.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Honeygain Proxyware Agent Binary Simulation (Windows)

    Expected signal: Sysmon Event ID 11: File Create — honeygain.exe written to %APPDATA%. Sysmon Event ID 1: Process Create — Image path ends with 'honeygain.exe' in AppData directory, ParentImage=cmd.exe. Security Event ID 4688 (if command line auditing enabled): ProcessName contains honeygain.exe.

  2. Test 2Proxyware Registry Run Key Persistence (Windows)

    Expected signal: Sysmon Event ID 13: Registry Value Set — TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Honeygain, Details containing '%APPDATA%\honeygain.exe --token=SIM_TOKEN_12345'. Security Event ID 4657 if registry object access auditing is enabled.

  3. Test 3High-Volume External Connection Simulation (Windows)

    Expected signal: Sysmon Event ID 3: Approximately 80 Network Connection events from powershell.exe to diverse external IPs (8.8.*.1 range) on port 80, appearing within a short time window. DeviceNetworkEvents in MDE will show InitiatingProcessFileName=powershell.exe with high UniqueRemoteIPs count.

  4. Test 4Proxyware Domain DNS Resolution (Linux)

    Expected signal: Sysmon for Linux Event ID 22: DNS Query events for honeygain.com, peer2profit.com, packetstream.io, traffmonetizer.com, earnapp.com. Process audit records for 'host' command execution. Network captures (if packet capture enabled) show DNS queries to these domains from the host's public IP.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1496.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1496Resource Hijacking

Related Sub-techniques

T1496.001Compute HijackingT1496.003SMS PumpingT1496.004Cloud Service Hijacking

Related Techniques

T1496Resource HijackingT1496.001Compute HijackingT1496.003SMS PumpingT1498.001Direct Network FloodT1105Ingress Tool TransferT1543.003Windows ServiceT1053.005Scheduled TaskT1059.001PowerShellT1204.002Malicious FileT1036.005Match Legitimate Resource Name or Location

Same Tactic: Impact

Popular Detections