
Detect Resource Hijacking in IBM QRadar

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking includes cryptocurrency mining (cryptojacking), selling network bandwidth to proxy networks (proxyjacking), generating SMS traffic for profit, and abusing cloud-based messaging or compute services. Adversaries often deploy miners via initial access (phishing, exploitation), lateral movement, or compromised cloud credentials, and may use rootkits or process hollowing to hide mining activity.

MITRE ATT&CK

Tactic: Impact
Technique: T1496 Resource Hijacking
Canonical reference: https://attack.mitre.org/techniques/T1496/

QRadar Detection Query

SELECT
  DATEFORMAT(starttime,'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Host IP",
  username AS "User",
  "Process Name" AS "Process",
  "Command" AS "Command Line",
  "Parent Process Name" AS "Parent Process",
  destinationip AS "Destination IP",
  destinationport AS "Destination Port",
  QIDNAME(qid) AS "Event Name",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  CASE
    WHEN "Process Name" IMATCHES '.*(xmrig|minerd|cpuminer|ethminer|nheqminer|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|t-rex|kawpowminer|teamredminer).*'
      AND "Parent Process Name" IMATCHES '.*(powershell|cmd\.exe|wscript|cscript|mshta|bash).*' THEN 95
    WHEN "Process Name" IMATCHES '.*(xmrig|minerd|cpuminer|ethminer|nbminer|lolminer|gminer|cgminer|xmr-stak|poolminer).*'
      AND "Command" IMATCHES '.*(stratum|--wallet|mining\.subscribe|mining\.authorize).*' THEN 90
    WHEN "Process Name" IMATCHES '.*(xmrig|minerd|cpuminer|ethminer|nheqminer|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|t-rex|kawpowminer|teamredminer).*' THEN 80
    WHEN "Command" IMATCHES '.*(stratum\+tcp|stratum\+ssl|--donate-level|--coin xmr|--coin monero|-o pool\.|--wallet|mining\.subscribe).*' THEN 75
    WHEN destinationport IN (3333,4444,5555,7777,9999,14444,45700,3256,14433,20536)
      AND NOT INCIDR('10.0.0.0/8',destinationip)
      AND NOT INCIDR('172.16.0.0/12',destinationip)
      AND NOT INCIDR('192.168.0.0/16',destinationip)
      AND NOT INCIDR('127.0.0.0/8',destinationip) THEN 70
    ELSE 50
  END AS "Risk Score"
FROM events
WHERE
  "Process Name" IMATCHES '.*(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer).*'
  OR "Command" IMATCHES '.*(stratum\+tcp|stratum\+ssl|stratum2\+tcp|--donate-level|--coin xmr|--coin monero|-o pool\.|--url=.*pool|-u wallet\.|--wallet|mining\.subscribe|mining\.authorize).*'
  OR (
    destinationport IN (3333,4444,5555,7777,9999,14444,45700,3256,14433,20536)
    AND NOT INCIDR('10.0.0.0/8',destinationip)
    AND NOT INCIDR('172.16.0.0/12',destinationip)
    AND NOT INCIDR('192.168.0.0/16',destinationip)
    AND NOT INCIDR('127.0.0.0/8',destinationip)
    AND NOT "Process Name" IMATCHES '.*(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|outlook\.exe|teams\.exe).*'
  )
LAST 1440 MINUTES
ORDER BY "Risk Score" DESC, starttime DESC

Severity: high. Confidence: high.

Detects T1496 Resource Hijacking in QRadar AQL against normalized Windows and Linux event properties. Matches known miner process names in the DSM-normalized Process Name property, mining command-line patterns in the Command property, and outbound connections to mining pool ports via destinationport with CIDR exclusions for RFC1918 space. Risk scoring escalates from LOLBin-spawned miners (95) to standalone network port matches (70). Requires Windows Security, Sysmon, and Linux OS DSMs configured to normalize Process Name, Command, and Parent Process Name custom event properties.
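As an added example (not part of this page or of QRadar), the query's WHERE selection and CASE tiers re-expressed in Python and run over constructed events, so the tier boundaries, the RFC1918/loopback exclusion and the browser carve-out can be checked offline before the rule goes live. The Event fields and the ilike_any helper are assumptions standing in for the DSM-normalized properties and for AQL's pattern matching.

```python
import ipaddress, re
from dataclasses import dataclass
from typing import Optional

# Pattern lists copied from the page's AQL; '%' is the LIKE wildcard.
MINERS = ("%xmrig%", "%minerd%", "%cpuminer%", "%ethminer%", "%nheqminer%", "%nbminer%",
          "%phoenixminer%", "%lolminer%", "%gminer%", "%bfgminer%", "%cgminer%", "%xmr-stak%",
          "%poolminer%", "%t-rex%", "%kawpowminer%", "%teamredminer%")
LOLBINS = ("%powershell%", "%cmd.exe%", "%wscript%", "%cscript%", "%mshta%", "%bash%")
CMD_WHERE = ("%stratum+tcp%", "%stratum+ssl%", "%stratum2+tcp%", "%--donate-level%", "%--coin xmr%",
             "%--coin monero%", "%-o pool.%", "%--url=%pool%", "%-u wallet.%", "%--wallet%",
             "%mining.subscribe%", "%mining.authorize%")
CMD_TIER75 = ("%stratum+tcp%", "%stratum+ssl%", "%--donate-level%", "%--coin xmr%",
              "%--coin monero%", "%-o pool.%", "%--wallet%", "%mining.subscribe%")
CMD_TIER90 = ("%stratum%", "%--wallet%", "%mining.subscribe%", "%mining.authorize%")
BROWSERS = ("%chrome.exe%", "%msedge.exe%", "%firefox.exe%", "%iexplore.exe%", "%outlook.exe%", "%teams.exe%")
POOL_PORTS = {3333, 4444, 5555, 7777, 9999, 14444, 45700, 3256, 14433, 20536}
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class Event:                     # assumed stand-in for one normalized QRadar event
    process: str = ""            # DSM-normalized "Process Name"
    command: str = ""            # "Command"
    parent: str = ""             # "Parent Process Name"
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

def ilike_any(text: str, patterns) -> bool:
    """Emulate a case-insensitive LIKE against a list: '%' matches any run of characters."""
    return any(re.fullmatch(".*".join(re.escape(s) for s in p.split("%")), text, re.I | re.S) for p in patterns)

def risk_score(e: Event) -> Optional[int]:
    """Return the query's Risk Score tier, or None when the WHERE clause would not select the event."""
    miner = ilike_any(e.process, MINERS)
    pool_port = (e.dst_port in POOL_PORTS and e.dst_ip is not None
                 and not any(ipaddress.ip_address(e.dst_ip) in net for net in PRIVATE))  # NOT INCIDR(...)
    selected = miner or ilike_any(e.command, CMD_WHERE) or (pool_port and not ilike_any(e.process, BROWSERS))
    if not selected:
        return None
    if miner and ilike_any(e.parent, LOLBINS):
        return 95
    if miner and ilike_any(e.command, CMD_TIER90):
        return 90
    if miner:
        return 80
    if ilike_any(e.command, CMD_TIER75):
        return 75
    if pool_port:  # the 70-point tier itself has no browser exclusion
        return 70
    return 50  # selected by WHERE but outside every CASE tier (e.g. stratum2+tcp or --url=...pool)
```

Note that the WHERE command list is wider than the 75-point tier, so events matched only through stratum2+tcp, --url=...pool or -u wallet. fall to the ELSE score of 50.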

Data Sources

  • IBM QRadar SIEM
  • Windows Security Event Log DSM
  • Microsoft Sysmon DSM
  • Linux OS DSM
  • QRadar Network Insights (for flow-based port detection)

Required Tables

events

False Positives & Tuning

  • Authorized mining infrastructure on known hosts: add their IP addresses (the sourceip values) to a QRadar reference set and prepend NOT REFERENCESETCONTAINS('ref_set_name', sourceip) AND to the WHERE clause
  • Penetration testing engagements simulating miner deployment to validate detection coverage: coordinate pre-approved test windows and filter by tester source IP
  • Portfolio or crypto trading applications that maintain persistent connections to exchange APIs on ports overlapping with mining pool ports such as 9999 or 4444
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: XMRig Miner Execution with Stratum Protocol Arguments

    Expected signal: Sysmon Event ID 1 (or Security Event ID 4688): Process Create for cmd.exe with CommandLine containing 'stratum+tcp', 'pool.minexmr.com', '--donate-level', and '--coin xmr'. The echo command generates no network connection, but the command-line telemetry fully triggers the detection.

  2. Test 2: Linux Miner Binary Dropped to /tmp and Executed

    Expected signal: Auditd or Sysmon for Linux: file creation event for /tmp/xmrig (execve or open syscall), process execution event showing Image=/tmp/xmrig. Linux audit log: SYSCALL records for execve with /tmp/xmrig. EDR: DeviceFileEvents for /tmp/xmrig creation, DeviceProcessEvents for /tmp/xmrig execution.

  3. Test 3: Outbound Connection to Mining Pool Port

    Expected signal: Sysmon Event ID 3: Network Connection with DestinationPort=3333, Image=powershell.exe, DestinationIp=127.0.0.1. The connection fails, but the attempt is logged. In production the query filters 127.0.0.1, so point DestinationIp at an external test IP if one is available in your lab.

  4. Test 4: Miner Persistence via Scheduled Task

    Expected signal: Security Event ID 4698: A scheduled task was created, with TaskContent XML showing the action command line including 'stratum+tcp'. Sysmon Event ID 1 on next logon: cmd.exe executing with the stratum-like command line. Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks entry created.

  5. Test 5: Cloud Credential Abuse Simulation (AWS CLI Reconnaissance)

    Expected signal: AWS CloudTrail: DescribeInstances and DescribeInstanceTypes API calls logged with the caller's IAM identity, source IP, and timestamp. These reconnaissance calls immediately precede RunInstances in real cryptojacking campaigns. Process telemetry: Sysmon Event ID 1 for aws.exe with describe-instances arguments.
