Detect Resource Hijacking in CrowdStrike LogScale
Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking includes cryptocurrency mining (cryptojacking), selling network bandwidth to proxy networks (proxyjacking), generating SMS traffic for profit, and abusing cloud-based messaging or compute services. Adversaries often deploy miners via initial access (phishing, exploitation), lateral movement, or compromised cloud credentials, and may use rootkits or process hollowing to hide mining activity.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1496 Resource Hijacking
- Canonical reference: https://attack.mitre.org/techniques/T1496/
LogScale Detection Query
in(field="#event_simpleName", values=["ProcessRollup2", "SyntheticProcessRollup2", "NetworkConnectIP4"])
| MinerProcess := if(FileName = /(?i)\b(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\.exe)?\b/, then="true", else="false")
| MinerCmdLine := if(CommandLine = /(?i)(stratum\+(tcp|ssl)|stratum2\+tcp|--donate-level|--coin[ =](xmr|monero)|-o\s+pool\.|--url=.*pool|--wallet|mining\.(subscribe|authorize))/, then="true", else="false")
| MiningPoolPort := if(RemotePort = /^(3333|4444|5555|7777|9999|14444|45700|3256|14433|20536)$/, then="true", else="false")
| SpawnedByLOLBin := if(MinerProcess = "true" AND ParentBaseFileName = /(?i)\b(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|bash|sh)\b/, then="true", else="false")
| MinerProcess = "true" OR MinerCmdLine = "true" OR MiningPoolPort = "true"
| case {
    SpawnedByLOLBin = "true" | RiskScore := 95;
    MinerProcess = "true" AND MinerCmdLine = "true" | RiskScore := 90;
    MinerProcess = "true" | RiskScore := 80;
    MinerCmdLine = "true" | RiskScore := 75;
    MiningPoolPort = "true" | RiskScore := 70;
    * | RiskScore := 50;
  }
| select([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, RemoteAddress, RemotePort, MinerProcess, MinerCmdLine, MiningPoolPort, SpawnedByLOLBin, RiskScore, @timestamp])
| sort(RiskScore, order=desc)

Detects T1496 Resource Hijacking with CrowdStrike Falcon LogScale (CQL) over Falcon Insight EDR telemetry. ProcessRollup2 and SyntheticProcessRollup2 events are checked for known miner executable names (FileName regex) and stratum-style arguments (CommandLine regex); NetworkConnectIP4 events are checked for outbound connections to common mining pool ports (RemotePort). The flags are string fields ("true"/"false") set with if(), since a bare comparison cannot be assigned with := in CQL, and the bare OR line is the filter: any event with no flag set is dropped there. The case block then assigns one RiskScore per event, first matching branch wins: a miner spawned by a LOLBin scores 95, a miner name with stratum arguments 90, a miner name alone 80, command-line patterns alone 75 (this is what a renamed binary produces), and a pool-port connection alone 70. The final "* | RiskScore := 50" branch cannot be reached once the filter has run and is kept only as a guard. Two practical caveats: NetworkConnectIP4 events carry no FileName or CommandLine, so port-only hits arrive with empty process columns and must be pivoted to the launching process by matching ContextProcessId against the TargetProcessId of the ProcessRollup2 on the same aid; and sort() applies its default result limit, so set limit= explicitly if you expect more rows. Requires Falcon Insight with process and network telemetry collection enabled.
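To make the scoring concrete, and to show the process/network gap noted above, here is an added Python re-implementation of the query's flag and case logic run over constructed Falcon-style events. It is not CrowdStrike's code and not the page's query. It goes one step beyond the query by joining NetworkConnectIP4 hits to the originating ProcessRollup2 through ContextProcessId and TargetProcessId on the same aid; the +10 bump applied to a correlated hit, the sample hostnames, IPs and process IDs are assumptions of this example.

```python
"""Python mirror of the LogScale scoring logic above, plus a process/network
correlation step the query itself does not perform. All events below are
constructed for illustration; they are not real Falcon telemetry."""
import re
from typing import Dict, List, Optional

# Patterns transcribed from the LogScale query on this page.
MINER_NAME_RE = re.compile(
    r"\b(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|"
    r"lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\.exe)?\b",
    re.IGNORECASE)
MINER_CMDLINE_RE = re.compile(
    r"(stratum\+(tcp|ssl)|stratum2\+tcp|--donate-level|--coin[ =](xmr|monero)|"
    r"-o\s+pool\.|--url=.*pool|--wallet|mining\.(subscribe|authorize))",
    re.IGNORECASE)
LOLBIN_PARENT_RE = re.compile(
    r"\b(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|bash|sh)\b",
    re.IGNORECASE)
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 9999, 14444, 45700, 3256, 14433, 20536}


def score_event(ev: Dict) -> Optional[Dict]:
    """Mirror the query's flag assignments and case block for one event.
    Returns None when the event would be dropped by the OR filter line."""
    miner_process = bool(MINER_NAME_RE.search(ev.get("FileName", "")))
    miner_cmdline = bool(MINER_CMDLINE_RE.search(ev.get("CommandLine", "")))
    pool_port = ev.get("RemotePort") in MINING_POOL_PORTS
    lolbin = miner_process and bool(LOLBIN_PARENT_RE.search(ev.get("ParentBaseFileName", "")))
    if not (miner_process or miner_cmdline or pool_port):
        return None
    # Same order as the case block: the first matching branch wins.
    if lolbin:
        risk = 95
    elif miner_process and miner_cmdline:
        risk = 90
    elif miner_process:
        risk = 80
    elif miner_cmdline:
        risk = 75
    else:
        risk = 70  # pool_port; the query's "* | 50" branch is unreachable after the filter
    out = dict(ev)
    out.update(MinerProcess=miner_process, MinerCmdLine=miner_cmdline,
               MiningPoolPort=pool_port, SpawnedByLOLBin=lolbin, RiskScore=risk)
    return out


def correlate(events: List[Dict]) -> List[Dict]:
    """Attach pool-port connections to the process that made them.
    Falcon links NetworkConnectIP4.ContextProcessId to ProcessRollup2.TargetProcessId
    on the same sensor (aid). The +10 bump for a process that both looks like a
    miner and talks to a pool port is an assumption of this example, not the query's."""
    procs = {}
    for ev in events:
        if ev["event_simpleName"] in ("ProcessRollup2", "SyntheticProcessRollup2"):
            procs[(ev["aid"], ev["TargetProcessId"])] = ev
    results = []
    for ev in events:
        scored = score_event(ev)
        if scored is None:
            continue
        if ev["event_simpleName"] == "NetworkConnectIP4":
            parent = procs.get((ev["aid"], ev["ContextProcessId"]))
            if parent is not None:
                scored.update(FileName=parent["FileName"], CommandLine=parent["CommandLine"])
                parent_scored = score_event(parent)
                if parent_scored is not None:
                    scored["RiskScore"] = min(100, parent_scored["RiskScore"] + 10)
        results.append(scored)
    return sorted(results, key=lambda r: r["RiskScore"], reverse=True)


# Constructed sample telemetry (hostnames, IPs, PIDs and wallet are made up).
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "TargetProcessId": 101,
     "ComputerName": "WS01", "FileName": "xmrig.exe", "ParentBaseFileName": "powershell.exe",
     "CommandLine": "xmrig.exe -o stratum+tcp://pool.example.test:3333 --donate-level 1"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "TargetProcessId": 102,
     "ComputerName": "WS01", "FileName": "cmd.exe", "ParentBaseFileName": "explorer.exe",
     "CommandLine": "cmd.exe /c echo stratum+tcp://pool.example.test:3333 --coin xmr"},
    {"event_simpleName": "ProcessRollup2", "aid": "a2", "TargetProcessId": 201,
     "ComputerName": "SRV01", "FileName": "svchost.exe", "ParentBaseFileName": "services.exe",
     "CommandLine": "svchost.exe --url=pool.example.test:14444 --wallet 4AbcConstructedWallet"},
    {"event_simpleName": "ProcessRollup2", "aid": "a2", "TargetProcessId": 202,
     "ComputerName": "SRV01", "FileName": "chrome.exe", "ParentBaseFileName": "explorer.exe",
     "CommandLine": "chrome.exe --profile-directory=Default"},
    {"event_simpleName": "NetworkConnectIP4", "aid": "a2", "ContextProcessId": 201,
     "ComputerName": "SRV01", "RemoteAddress": "203.0.113.10", "RemotePort": 14444},
    {"event_simpleName": "NetworkConnectIP4", "aid": "a2", "ContextProcessId": 202,
     "ComputerName": "SRV01", "RemoteAddress": "203.0.113.20", "RemotePort": 443},
]

if __name__ == "__main__":
    for r in correlate(SAMPLE_EVENTS):
        print(r["RiskScore"], r["ComputerName"], r.get("FileName"), r.get("RemotePort"))
```

The renamed svchost.exe is the instructive case: on its own it scores only 75 (arguments, no known name), and its 14444 connection scores only 70 with blank process columns; joining the two is what lets an analyst see a process with miner arguments talking to a pool port on one line.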
Data Sources
Required Tables
- ProcessRollup2 and SyntheticProcessRollup2 (Falcon Insight process telemetry: FileName, CommandLine, ParentBaseFileName, TargetProcessId)
- NetworkConnectIP4 (Falcon Insight network telemetry: RemoteAddress, RemotePort, ContextProcessId)
False Positives & Tuning
- Authorized mining hosts with Falcon sensor deployed — add a filter clause such as ComputerName != /approved-miner-host-pattern/ or use a Falcon exclusion policy scoped to those machine groups
- Legitimate use of ports 3333 or 4444 by internal security tools, protocol analyzers, or services that share mining pool port ranges — correlate RemoteAddress against threat intel before escalating NetworkConnectIP4 matches
- Open-source cryptocurrency wallet software such as Electrum or Exodus that connects to ElectrumX or blockchain nodes on ports overlapping with the mining pool port list
Testing Methodology
Validate this detection with the five tests below, modelled on the Atomic Red Team T1496 atomics. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Expected signals are given in Sysmon and Windows Security terms; the Falcon equivalents the query consumes are ProcessRollup2 for process creation and NetworkConnectIP4 for connection attempts.
- Test 1: XMRig Miner Execution with Stratum Protocol Arguments
Expected signal: Sysmon Event ID 1 (or Security Event ID 4688): Process Create for cmd.exe with CommandLine containing 'stratum+tcp', 'pool.minexmr.com', '--donate-level' and '--coin xmr'. The echo command opens no network connection. Because FileName is cmd.exe rather than a listed miner name, this trips only the MinerCmdLine branch (RiskScore 75), which is the same signal a renamed miner binary produces.
- Test 2: Linux Miner Binary Dropped to /tmp and Executed
Expected signal: Auditd: SYSCALL records for the open/write that creates /tmp/xmrig and for execve of /tmp/xmrig. Sysmon for Linux: Event ID 11 (FileCreate) for /tmp/xmrig and Event ID 1 (ProcessCreate) with Image=/tmp/xmrig. Microsoft Defender for Endpoint, if present: DeviceFileEvents for the file creation and DeviceProcessEvents for the execution. Falcon: ProcessRollup2 with FileName=xmrig and ImageFileName=/tmp/xmrig, which trips the MinerProcess branch (RiskScore 80, or 95 when launched from an interactive bash or sh shell, since the parent then matches the LOLBin list).
- Test 3: Outbound Connection to Mining Pool Port
Expected signal: Sysmon Event ID 3: Network Connection with DestinationPort=3333, Image=powershell.exe, DestinationIp=127.0.0.1. The connection is refused but the attempt is logged; Falcon records it as NetworkConnectIP4 with RemotePort=3333. The query as written does not exclude loopback, so this hit scores 70 on the MiningPoolPort branch. If you add a loopback or RFC 1918 exclusion in production, point the test at an external lab IP instead.
- Test 4: Miner Persistence via Scheduled Task
Expected signal: Security Event ID 4698: A scheduled task was created, with TaskContent XML showing the action command line including 'stratum+tcp'. Sysmon Event ID 1 on next logon: cmd.exe executing with the stratum-like command line, which is what this query detects (MinerCmdLine branch); the task creation itself is not covered by the query. Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks entry created.
- Test 5: Cloud Credential Abuse Simulation (AWS CLI Reconnaissance)
Expected signal: AWS CloudTrail: DescribeInstances and DescribeInstanceTypes API calls logged with the caller's IAM identity, source IP and timestamp. These reconnaissance calls precede RunInstances in real cryptojacking campaigns. Process telemetry: Sysmon Event ID 1 (Falcon ProcessRollup2) for aws.exe with describe-instances arguments. Note that the query above reads only endpoint events; detecting the CloudTrail side requires ingesting CloudTrail into LogScale and a separate query against it.
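The following is an added, benign simulation of Tests 1 to 3 written for this page; it is not the Atomic Red Team test content and nothing in it mines. It assumes a Linux or macOS host with /bin/sh and a Falcon sensor to observe it: the dropped "miner" is a one-line script named xmrig, and the pool connection targets loopback, where a refused connection is the expected outcome. The handling of a noexec /tmp is this example's own addition.

```python
"""Benign host-side simulation of Tests 1-3 (constructed for this page, not the
Atomic Red Team tests). The "miner" is a one-line shell script and the pool
"connection" goes to loopback; nothing here performs any mining."""
import os
import socket
import stat
import subprocess
from typing import Dict

# Arguments chosen to hit the CommandLine regex of the query (pool host is made up).
STRATUM_CMDLINE = "xmrig -o stratum+tcp://pool.example.test:3333 --donate-level 1 --coin xmr"


def simulate_stratum_cmdline() -> int:
    """Test 1: a shell echoes miner-style arguments. No socket is opened, so only
    the CommandLine regex (RiskScore 75) fires on the resulting ProcessRollup2.
    Returns the shell's exit code (0 on success)."""
    return subprocess.run(["sh", "-c", f"echo {STRATUM_CMDLINE}"],
                          capture_output=True, check=False).returncode


def simulate_tmp_miner(directory: str = "/tmp") -> Dict[str, object]:
    """Test 2: drop a file named xmrig, execute it, then clean up.
    'seen_as' is the FileName the sensor records: "xmrig" when executed directly
    (ImageFileName=/tmp/xmrig, MinerProcess branch), "sh" when the directory is
    mounted noexec and the script had to be run through the interpreter, in
    which case the FileName regex does not fire and the test is inconclusive."""
    path = os.path.join(directory, "xmrig")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    try:
        try:
            subprocess.run([path], check=True)
            seen_as = "xmrig"
        except PermissionError:            # noexec mount: exec is refused
            subprocess.run(["sh", path], check=True)
            seen_as = "sh"
    finally:
        os.remove(path)                    # cleanup step
    return {"seen_as": seen_as, "cleaned_up": not os.path.exists(path)}


def simulate_pool_port_connect(host: str = "127.0.0.1", port: int = 3333) -> str:
    """Test 3: attempt a TCP connection to a mining-pool port. The sensor logs the
    attempt as NetworkConnectIP4 regardless of outcome; "refused" is the expected
    result in a lab with nothing listening on the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(2)
        try:
            s.connect((host, port))
            return "connected"
        except ConnectionRefusedError:
            return "refused"
        except (socket.timeout, OSError):
            return "unreachable"


if __name__ == "__main__":
    print("test1 exit code:", simulate_stratum_cmdline())
    print("test2:", simulate_tmp_miner())
    print("test3:", simulate_pool_port_connect())
```

Run it on an instrumented lab host and then run the LogScale query for that ComputerName: you should see one 75 (Test 1), one 80 or 95 (Test 2, depending on the parent process), and one 70 with empty FileName and CommandLine (Test 3), which is the port-only gap discussed under the query.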
References
- https://attack.mitre.org/techniques/T1496/
- https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
- https://www.trendmicro.com/en_us/research/23/l/teamtnt-returns-with-new-cloud-attacks.html
- https://unit42.paloaltonetworks.com/watchdog-cryptojacking/
- https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-or-serious-threat/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md
- https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- https://xmrig.com/docs/miner/command-line-options
- https://www.aquasec.com/blog/cryptomining-attacks-targeting-cloud-native-environments/