Detect Resource Hijacking in Microsoft Sentinel
Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking includes cryptocurrency mining (cryptojacking), selling network bandwidth to proxy networks (proxyjacking), generating SMS traffic for profit, and abusing cloud-based messaging or compute services. Adversaries often deploy miners via initial access (phishing, exploitation), lateral movement, or compromised cloud credentials, and may use rootkits or process hollowing to hide mining activity.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1496 Resource Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1496/
KQL Detection Query
let KnownMinerProcessNames = dynamic([
"xmrig", "xmrig.exe", "minerd", "minerd.exe", "cpuminer", "cpuminer.exe",
"ethminer", "ethminer.exe", "nheqminer", "nheqminer.exe", "t-rex", "t-rex.exe",
"nbminer", "nbminer.exe", "phoenixminer", "lolminer", "gminer", "gminer.exe",
"bfgminer", "cgminer", "cgminer.exe", "claymore", "excavator", "teamredminer",
"kawpowminer", "poolminer", "stratum", "xmr-stak", "xmr-stak.exe"
]);
let MiningPoolPorts = dynamic([3333, 4444, 5555, 7777, 9999, 14444, 45700, 3256, 8008, 1080, 9200, 14433, 20536]);
let MiningPoolDomains = dynamic([
"pool.minexmr.com", "xmrpool.eu", "pool.supportxmr.com", "monerohash.com",
"nanopool.org", "f2pool.com", "ethermine.org", "2miners.com", "hiveon.net",
"nicehash.com", "prohashing.com", "antpool.com", "btc.com", "viabtc.com",
"zpool.ca", "coinhive.com", "jsecoin.com", "crypto-loot.com"
]);
let MinerCommandPatterns = dynamic([
"stratum+tcp", "stratum+ssl", "stratum2+tcp",
"-o pool.", "--url=", "-u wallet.", "--wallet",
"--donate-level", "--coin xmr", "--coin monero",
"mining.subscribe", "mining.authorize"
]);
// Branch 1: Known miner process names
let MinerProcessEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (KnownMinerProcessNames)
or ProcessCommandLine has_any (MinerCommandPatterns)
| extend DetectionSource = "MinerProcess"
| extend RiskScore = 90
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionSource, RiskScore;
// Branch 2: Network connections to mining pool ports/domains
let MinerNetworkEvents = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (MiningPoolPorts)
or RemoteUrl has_any (MiningPoolDomains)
or RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "outlook.exe", "teams.exe")
| extend DetectionSource = "MinerNetworkConn"
| extend RiskScore = 70
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
FileName = InitiatingProcessFileName,
ProcessCommandLine = InitiatingProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionSource, RiskScore;
// Branch 3: Suspicious process spawning miner-related child processes
let MinerChildProcess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "bash", "sh")
| where FileName has_any (KnownMinerProcessNames)
or ProcessCommandLine has_any (MinerCommandPatterns)
| extend DetectionSource = "MinerSpawnedByLOLBin"
| extend RiskScore = 95
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionSource, RiskScore;
// Union all branches
union MinerProcessEvents, MinerNetworkEvents, MinerChildProcess
| summarize RiskScore=max(RiskScore), DetectionSources=make_set(DetectionSource),
CommandLines=make_set(ProcessCommandLine)
by Timestamp, DeviceName, AccountName, FileName, InitiatingProcessFileName
| sort by RiskScore desc, Timestamp descDetects resource hijacking (cryptomining, proxyjacking) across three signal branches: (1) known miner process names and command-line patterns including stratum protocol arguments and wallet parameters; (2) outbound network connections to common mining pool ports (3333, 4444, 5555, etc.) and known pool domains; (3) scripting engines or LOLBins spawning miner processes. Results are unioned and deduplicated with a risk score to help analysts prioritize. Uses DeviceProcessEvents and DeviceNetworkEvents from Microsoft Defender for Endpoint.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate cryptocurrency wallet software or personal mining on developer endpoints (rare in corporate environments)
- Security researchers or red team operators running miner tools in authorized lab environments
- Network performance testing tools connecting to high-numbered ports that overlap with mining pool ranges
- Proxy or VPN client software using ports that coincidentally overlap with known mining pool ports
- Penetration testing scripts containing stratum protocol strings for mining simulation exercises
Other platforms for T1496
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1XMRig Miner Execution with Stratum Protocol Arguments
Expected signal: Sysmon Event ID 1 (or Security Event ID 4688): Process Create for cmd.exe with CommandLine containing 'stratum+tcp', 'pool.minexmr.com', '--donate-level', and '--coin xmr'. The echo command generates no network connection but the command-line telemetry fully triggers the detection.
- Test 2Linux Miner Binary Dropped to /tmp and Executed
Expected signal: Auditd or Sysmon for Linux: file creation event for /tmp/xmrig (execve or open syscall), process execution event showing Image=/tmp/xmrig. Linux audit log: SYSCALL records for execve with /tmp/xmrig. EDR: DeviceFileEvents for /tmp/xmrig creation, DeviceProcessEvents for /tmp/xmrig execution.
- Test 3Outbound Connection to Mining Pool Port
Expected signal: Sysmon Event ID 3: Network Connection with DestinationPort=3333, Image=powershell.exe, DestinationIp=127.0.0.1. The connection fails but the attempt is logged. In production, the query filters 127.0.0.1 — modify DestinationIp to an external test IP if available in your lab.
- Test 4Miner Persistence via Scheduled Task
Expected signal: Security Event ID 4698: A scheduled task was created, with TaskContent XML showing the action command line including 'stratum+tcp'. Sysmon Event ID 1 on next logon: cmd.exe executing with the stratum-like command line. Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks entry created.
- Test 5Cloud Credential Abuse Simulation (AWS CLI Reconnaissance)
Expected signal: AWS CloudTrail: DescribeInstances and DescribeInstanceTypes API calls logged with the caller's IAM identity, source IP, and timestamp. These reconnaissance calls immediately precede RunInstances in real cryptojacking campaigns. Process telemetry: Sysmon Event ID 1 for aws.exe with describe-instances arguments.
References (9)
- https://attack.mitre.org/techniques/T1496/
- https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
- https://www.trendmicro.com/en_us/research/23/l/teamtnt-returns-with-new-cloud-attacks.html
- https://unit42.paloaltonetworks.com/watchdog-cryptojacking/
- https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-or-serious-threat/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md
- https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- https://xmrig.com/docs/miner/command-line-options
- https://www.aquasec.com/blog/cryptomining-attacks-targeting-cloud-native-environments/
Unlock Pro Content
Get the full detection package for T1496 including response playbook, investigation guide, and atomic red team tests.