T1496 Google Chronicle · YARA-L

Detect Resource Hijacking in Google Chronicle

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking includes cryptocurrency mining (cryptojacking), selling network bandwidth to proxy networks (proxyjacking), generating SMS traffic for profit, and abusing cloud-based messaging or compute services. Adversaries often deploy miners via initial access (phishing, exploitation), lateral movement, or compromised cloud credentials, and may use rootkits or process hollowing to hide mining activity.

MITRE ATT&CK

Tactic: Impact
Technique: T1496 Resource Hijacking
Canonical reference: https://attack.mitre.org/techniques/T1496/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule t1496_cryptominer_process_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects known cryptominer process names and mining command-line patterns. T1496 Resource Hijacking."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path,
        `(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\.exe)?$`) or
      re.regex($e.target.process.command_line,
        `(?i)(stratum\+(tcp|ssl)|stratum2\+tcp|--donate-level|--coin[ =](xmr|monero)|-o pool\.|--url=.*pool|--wallet|mining\.(subscribe|authorize))`)
    )

  condition:
    $e
}

rule t1496_cryptominer_lolbin_spawn {
  meta:
    author = "Detection Engineering"
    description = "Detects cryptominer process spawned by scripting LOLBins, indicating script-based dropper activity. T1496 + T1059."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496"
    severity = "CRITICAL"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.principal.process.file.full_path,
      `(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|bash|sh)$`)
    (
      re.regex($e.target.process.file.full_path,
        `(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\.exe)?$`) or
      re.regex($e.target.process.command_line,
        `(?i)(stratum\+(tcp|ssl)|--donate-level|--coin[ =](xmr|monero)|-o pool\.|--wallet|mining\.(subscribe|authorize))`)
    )

  condition:
    $e
}

rule t1496_cryptominer_mining_pool_network {
  meta:
    author = "Detection Engineering"
    description = "Detects outbound connections to known cryptocurrency mining pool ports, excluding browsers. T1496 Resource Hijacking."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496"
    severity = "HIGH"
    confidence = "MEDIUM"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.target.port in (3333, 4444, 5555, 7777, 9999, 14444, 45700, 3256, 14433, 20536)
    not net.ip_in_range_cidr($net.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($net.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($net.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($net.target.ip, "127.0.0.0/8")
    not re.regex($net.principal.process.file.full_path,
      `(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|outlook\.exe|teams\.exe)$`)

  condition:
    $net
}
```

Three Chronicle YARA-L 2.0 rules covering T1496 Resource Hijacking. Rule 1 (HIGH) matches PROCESS_LAUNCH events for known miner executable names and stratum command-line patterns using UDM target.process fields. Rule 2 (CRITICAL) detects miners spawned by LOLBins using UDM principal.process for the parent and target.process for the child — the highest-fidelity signal. Rule 3 (MEDIUM confidence) detects NETWORK_CONNECTION events to mining pool ports with CIDR exclusions for RFC1918 and browser process filtering via principal.process. Deploy all three rules for full behavioral coverage across the kill chain.

Data Sources

  • Google Chronicle SIEM
  • Chronicle UDM (Unified Data Model)
  • Windows Event Forwarding with Sysmon via Chronicle forwarder
  • CrowdStrike Falcon Chronicle feed
  • Carbon Black Cloud Chronicle feed

Required Tables

UDM Events (PROCESS_LAUNCH, NETWORK_CONNECTION)

False Positives & Tuning

  • Authorized mining workloads in GCP or on-premises with valid business justification — add host principal values to a Chronicle reference list and filter with $e.principal.hostname in %approved_mining_hosts
  • Cryptocurrency development toolchains using stratum protocol for local mining simulations during blockchain application development or testnet validation
  • VPN or tunneling applications that use ports 3333 or 4444 for their control channel, triggering the network rule without process context to disambiguate — validate with principal.process and target.ip enrichment

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: XMRig Miner Execution with Stratum Protocol Arguments

    Expected signal: Sysmon Event ID 1 (or Security Event ID 4688): Process Create for cmd.exe with CommandLine containing 'stratum+tcp', 'pool.minexmr.com', '--donate-level', and '--coin xmr'. The echo command generates no network connection but the command-line telemetry fully triggers the detection.

  2. Test 2: Linux Miner Binary Dropped to /tmp and Executed

    Expected signal: Auditd or Sysmon for Linux: file creation event for /tmp/xmrig (execve or open syscall), process execution event showing Image=/tmp/xmrig. Linux audit log: SYSCALL records for execve with /tmp/xmrig. EDR: DeviceFileEvents for /tmp/xmrig creation, DeviceProcessEvents for /tmp/xmrig execution.

  3. Test 3: Outbound Connection to Mining Pool Port

    Expected signal: Sysmon Event ID 3: Network Connection with DestinationPort=3333, Image=powershell.exe, DestinationIp=127.0.0.1. The connection fails but the attempt is logged. In production, the query filters 127.0.0.1 — modify DestinationIp to an external test IP if available in your lab.

  4. Test 4: Miner Persistence via Scheduled Task

    Expected signal: Security Event ID 4698: A scheduled task was created, with TaskContent XML showing the action command line including 'stratum+tcp'. Sysmon Event ID 1 on next logon: cmd.exe executing with the stratum-like command line. Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks entry created.

  5. Test 5: Cloud Credential Abuse Simulation (AWS CLI Reconnaissance)

    Expected signal: AWS CloudTrail: DescribeInstances and DescribeInstanceTypes API calls logged with the caller's IAM identity, source IP, and timestamp. These reconnaissance calls immediately precede RunInstances in real cryptojacking campaigns. Process telemetry: Sysmon Event ID 1 for aws.exe with describe-instances arguments.
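To check the three rules' patterns and the reference-list exclusion from the tuning section offline against the telemetry the tests above describe, here is an added Python harness (not part of the original page and not Chronicle code) that re-implements the rule logic over constructed UDM-shaped events. The hostname gpu-research-01, the TEST-NET address 203.0.113.10 and the event dict field names are assumptions.

```python
import ipaddress
import re
# Patterns copied from the three YARA-L rules above; re.search mirrors YARA-L re.regex (unanchored).
MINER_PATH = re.compile(r"(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|"
                        r"lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\.exe)?$")
MINER_CMD = re.compile(r"(?i)(stratum\+(tcp|ssl)|stratum2\+tcp|--donate-level|--coin[ =](xmr|monero)|"
                       r"-o pool\.|--url=.*pool|--wallet|mining\.(subscribe|authorize))")
LOLBIN_CMD = re.compile(r"(?i)(stratum\+(tcp|ssl)|--donate-level|--coin[ =](xmr|monero)|-o pool\.|"
                        r"--wallet|mining\.(subscribe|authorize))")  # rule 2 uses this narrower pattern
LOLBIN_PARENT = re.compile(r"(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|bash|sh)$")
BROWSER = re.compile(r"(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|outlook\.exe|teams\.exe)$")
POOL_PORTS = {3333, 4444, 5555, 7777, 9999, 14444, 45700, 3256, 14433, 20536}
EXCLUDED_NETS = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
APPROVED_MINING_HOSTS = {"gpu-research-01"}  # hypothetical stand-in for the %approved_mining_hosts list

def evaluate(event):
    """Return the rule names one UDM-shaped event dict would fire, after the tuning exclusion."""
    if event.get("hostname") in APPROVED_MINING_HOSTS:
        return []  # authorised mining host from the tuning section: suppress every rule
    fired = []
    if event["event_type"] == "PROCESS_LAUNCH":
        child, cmd = event.get("target_path", ""), event.get("command_line", "")
        if MINER_PATH.search(child) or MINER_CMD.search(cmd):
            fired.append("t1496_cryptominer_process_execution")
        if LOLBIN_PARENT.search(event.get("parent_path", "")) and (
                MINER_PATH.search(child) or LOLBIN_CMD.search(cmd)):
            fired.append("t1496_cryptominer_lolbin_spawn")
    elif event["event_type"] == "NETWORK_CONNECTION":
        ip = ipaddress.ip_address(event["target_ip"])
        if (event["target_port"] in POOL_PORTS
                and not any(ip in net for net in EXCLUDED_NETS)
                and not BROWSER.search(event.get("principal_path", ""))):
            fired.append("t1496_cryptominer_mining_pool_network")
    return fired

# Constructed events shaped like the telemetry the Testing Methodology expects (not real captures).
SAMPLES = {
    "test1_cmd_echo_stratum": {"event_type": "PROCESS_LAUNCH", "hostname": "ws01",
        "parent_path": r"C:\Windows\explorer.exe", "target_path": r"C:\Windows\System32\cmd.exe",
        "command_line": "cmd.exe /c echo -o stratum+tcp://pool.minexmr.com:4444 --donate-level 1 --coin xmr"},
    "test2_tmp_xmrig_from_bash": {"event_type": "PROCESS_LAUNCH", "hostname": "web01", "parent_path": "/bin/bash",
        "target_path": "/tmp/xmrig", "command_line": "/tmp/xmrig -o pool.example.test:3333"},
    "test3_loopback_port_3333": {"event_type": "NETWORK_CONNECTION", "hostname": "ws01",
        "principal_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "target_ip": "127.0.0.1", "target_port": 3333},
    "test3_external_port_3333": {"event_type": "NETWORK_CONNECTION", "hostname": "ws01",
        "principal_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "target_ip": "203.0.113.10", "target_port": 3333},
    "approved_host_xmrig": {"event_type": "PROCESS_LAUNCH", "hostname": "gpu-research-01", "parent_path": "/bin/sh",
        "target_path": "/opt/xmrig", "command_line": "/opt/xmrig --donate-level 1"},
}
```

Running `evaluate` over each entry in `SAMPLES` shows Test 1 firing rule 1 only, Test 2 firing rules 1 and 2, the loopback variant of Test 3 being suppressed by the 127.0.0.0/8 exclusion while the external variant fires rule 3, and the approved host producing no alert.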
