Detect Resource Hijacking in Elastic Security
Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking includes cryptocurrency mining (cryptojacking), selling network bandwidth to proxy networks (proxyjacking), generating SMS traffic for profit, and abusing cloud-based messaging or compute services. Adversaries often deploy miners via initial access (phishing, exploitation), lateral movement, or compromised cloud credentials, and may use rootkits or process hollowing to hide mining activity.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1496 Resource Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1496/
Elastic Detection Query
any where
(
(
event.category == "process" and event.type == "start" and
(
process.name in~ ("xmrig","xmrig.exe","minerd","minerd.exe","cpuminer","cpuminer.exe","ethminer","ethminer.exe","nheqminer","nheqminer.exe","t-rex","t-rex.exe","nbminer","nbminer.exe","phoenixminer","lolminer","gminer","gminer.exe","bfgminer","cgminer","cgminer.exe","xmr-stak","xmr-stak.exe","poolminer","kawpowminer","teamredminer") or
process.command_line like~ ("*stratum+tcp*","*stratum+ssl*","*stratum2+tcp*","*--donate-level*","*--coin xmr*","*--coin monero*","*-o pool.*","*--url=*","*-u wallet.*","*--wallet*","*mining.subscribe*","*mining.authorize*")
)
) or
(
event.category == "network" and event.type in ("connection","start") and
destination.port in (3333,4444,5555,7777,9999,14444,45700,3256,14433,20536) and
not cidrmatch(destination.ip,"10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","127.0.0.0/8") and
not process.name in~ ("chrome.exe","msedge.exe","firefox.exe","iexplore.exe","outlook.exe","teams.exe")
)
)Detects T1496 Resource Hijacking across process and network event categories using ECS fields. Branch 1 matches known cryptominer executable names via process.name. Branch 2 matches stratum protocol URIs, pool connection flags, and coin specifiers via process.command_line wildcard patterns. Branch 3 identifies outbound connections to mining pool ports excluding RFC1918 and browser processes. Requires Elastic Endpoint Security or Winlogbeat+Sysmon for process telemetry and Elastic Endpoint or network integration for connection events.
Data Sources
Required Tables
False Positives & Tuning
- Authorized cryptocurrency mining rigs operating in a managed mining farm where xmrig or nbminer is sanctioned business software
- Blockchain developers testing stratum protocol implementations or running local testnet mining nodes during Web3 application development
- Security research sandboxes intentionally executing miner samples for detection engineering validation or incident response training
Other platforms for T1496
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1XMRig Miner Execution with Stratum Protocol Arguments
Expected signal: Sysmon Event ID 1 (or Security Event ID 4688): Process Create for cmd.exe with CommandLine containing 'stratum+tcp', 'pool.minexmr.com', '--donate-level', and '--coin xmr'. The echo command generates no network connection but the command-line telemetry fully triggers the detection.
- Test 2Linux Miner Binary Dropped to /tmp and Executed
Expected signal: Auditd or Sysmon for Linux: file creation event for /tmp/xmrig (execve or open syscall), process execution event showing Image=/tmp/xmrig. Linux audit log: SYSCALL records for execve with /tmp/xmrig. EDR: DeviceFileEvents for /tmp/xmrig creation, DeviceProcessEvents for /tmp/xmrig execution.
- Test 3Outbound Connection to Mining Pool Port
Expected signal: Sysmon Event ID 3: Network Connection with DestinationPort=3333, Image=powershell.exe, DestinationIp=127.0.0.1. The connection fails but the attempt is logged. In production, the query filters 127.0.0.1 — modify DestinationIp to an external test IP if available in your lab.
- Test 4Miner Persistence via Scheduled Task
Expected signal: Security Event ID 4698: A scheduled task was created, with TaskContent XML showing the action command line including 'stratum+tcp'. Sysmon Event ID 1 on next logon: cmd.exe executing with the stratum-like command line. Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks entry created.
- Test 5Cloud Credential Abuse Simulation (AWS CLI Reconnaissance)
Expected signal: AWS CloudTrail: DescribeInstances and DescribeInstanceTypes API calls logged with the caller's IAM identity, source IP, and timestamp. These reconnaissance calls immediately precede RunInstances in real cryptojacking campaigns. Process telemetry: Sysmon Event ID 1 for aws.exe with describe-instances arguments.
References (9)
- https://attack.mitre.org/techniques/T1496/
- https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
- https://www.trendmicro.com/en_us/research/23/l/teamtnt-returns-with-new-cloud-attacks.html
- https://unit42.paloaltonetworks.com/watchdog-cryptojacking/
- https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-or-serious-threat/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md
- https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- https://xmrig.com/docs/miner/command-line-options
- https://www.aquasec.com/blog/cryptomining-attacks-targeting-cloud-native-environments/
Unlock Pro Content
Get the full detection package for T1496 including response playbook, investigation guide, and atomic red team tests.