T1496 Splunk · SPL

Detect Resource Hijacking in Splunk

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking includes cryptocurrency mining (cryptojacking), selling network bandwidth to proxy networks (proxyjacking), generating SMS traffic for profit, and abusing cloud-based messaging or compute services. Adversaries often deploy miners via initial access (phishing, exploitation), lateral movement, or compromised cloud credentials, and may use rootkits or process hollowing to hide mining activity.

MITRE ATT&CK

Tactic
Impact
Technique
T1496 Resource Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1496/

SPL Detection Query

Splunk (SPL)
spl 
index=* (
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
  OR sourcetype="WinEventLog:Security"
  OR sourcetype="syslog"
)
(
  (
    (EventCode=1 OR EventCode=4688)
    (
      Image IN ("*xmrig*", "*minerd*", "*cpuminer*", "*ethminer*", "*nheqminer*",
                "*t-rex*", "*nbminer*", "*phoenixminer*", "*lolminer*", "*gminer*",
                "*bfgminer*", "*cgminer*", "*xmr-stak*", "*poolminer*")
      OR Process_Name IN ("*xmrig*", "*minerd*", "*cpuminer*", "*ethminer*")
      OR CommandLine IN ("*stratum+tcp*", "*stratum+ssl*", "*stratum2+tcp*",
                         "*mining.subscribe*", "*mining.authorize*",
                         "*--donate-level*", "*--coin xmr*", "*--coin monero*")
      OR CommandLine IN ("*-o pool.*", "*--url=*pool*", "*-u wallet.*", "*--wallet*")
    )
  )
  OR
  (
    EventCode=3
    (DestinationPort IN ("3333", "4444", "5555", "7777", "9999", "14444", "45700", "3256", "14433", "20536"))
    NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
    NOT (Image IN ("*chrome.exe", "*msedge.exe", "*firefox.exe", "*iexplore.exe", "*outlook.exe", "*teams.exe"))
  )
)
| eval EventType=case(
    EventCode=1 OR EventCode=4688, "ProcessCreate",
    EventCode=3, "NetworkConnect",
    true(), "Unknown"
  )
| eval MinerProcess=if(
    match(lower(Image), "(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer)"),
    1, 0
  )
| eval MinerCommandLine=if(
    match(lower(CommandLine), "(stratum\+tcp|stratum\+ssl|mining\.subscribe|mining\.authorize|donate-level|--coin xmr|--coin monero|-o pool\.|--wallet)"),
    1, 0
  )
| eval MiningPoolPort=if(EventCode=3 AND DestinationPort IN ("3333","4444","5555","7777","9999","14444","45700","14433","20536"), 1, 0)
| eval SpawnedByScript=if(
    match(lower(ParentImage), "(powershell|cmd\.exe|wscript|cscript|mshta|bash|sh)") AND MinerProcess=1,
    1, 0
  )
| eval RiskScore=case(
    SpawnedByScript=1, 95,
    MinerProcess=1 AND MinerCommandLine=1, 90,
    MinerProcess=1, 80,
    MinerCommandLine=1, 75,
    MiningPoolPort=1, 70,
    true(), 50
  )
| where RiskScore >= 70
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DestinationIp, DestinationPort, EventType,
        MinerProcess, MinerCommandLine, MiningPoolPort, SpawnedByScript, RiskScore
| sort - RiskScore _time
high severity high confidence

Detects cryptocurrency mining and resource hijacking using Sysmon Event ID 1 (Process Create), Security Event ID 4688, and Sysmon Event ID 3 (Network Connection). Evaluates process image names, command-line stratum protocol arguments, and outbound connections to known mining pool ports. Calculates a RiskScore to prioritize events — highest risk for miners spawned by script interpreters or LOLBins (95), lowest for bare port-based network detections (70). Filters common browser processes to reduce noise on mining pool ports.

Data Sources

Process: Process CreationNetwork Traffic: Network Connection CreationCommand: Command ExecutionSysmon Event IDs 1 and 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

  • Legitimate cryptocurrency wallet software or personal mining on developer endpoints
  • Security researchers or red team operators running miner tools in authorized lab environments
  • Network performance testing tools using ports that overlap with known mining pool ranges
  • Proxy or VPN clients that connect on ports coincidentally matching mining pool ranges
  • Penetration testing toolkits with stratum protocol simulation components
Download portable Sigma rule (.yml)

Other platforms for T1496

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1XMRig Miner Execution with Stratum Protocol Arguments

    Expected signal: Sysmon Event ID 1 (or Security Event ID 4688): Process Create for cmd.exe with CommandLine containing 'stratum+tcp', 'pool.minexmr.com', '--donate-level', and '--coin xmr'. The echo command generates no network connection but the command-line telemetry fully triggers the detection.

  2. Test 2Linux Miner Binary Dropped to /tmp and Executed

    Expected signal: Auditd or Sysmon for Linux: file creation event for /tmp/xmrig (execve or open syscall), process execution event showing Image=/tmp/xmrig. Linux audit log: SYSCALL records for execve with /tmp/xmrig. EDR: DeviceFileEvents for /tmp/xmrig creation, DeviceProcessEvents for /tmp/xmrig execution.

  3. Test 3Outbound Connection to Mining Pool Port

    Expected signal: Sysmon Event ID 3: Network Connection with DestinationPort=3333, Image=powershell.exe, DestinationIp=127.0.0.1. The connection fails but the attempt is logged. In production, the query filters 127.0.0.1 — modify DestinationIp to an external test IP if available in your lab.

  4. Test 4Miner Persistence via Scheduled Task

    Expected signal: Security Event ID 4698: A scheduled task was created, with TaskContent XML showing the action command line including 'stratum+tcp'. Sysmon Event ID 1 on next logon: cmd.exe executing with the stratum-like command line. Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks entry created.

  5. Test 5Cloud Credential Abuse Simulation (AWS CLI Reconnaissance)

    Expected signal: AWS CloudTrail: DescribeInstances and DescribeInstanceTypes API calls logged with the caller's IAM identity, source IP, and timestamp. These reconnaissance calls immediately precede RunInstances in real cryptojacking campaigns. Process telemetry: Sysmon Event ID 1 for aws.exe with describe-instances arguments.

Last updated: 2026-04-14 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1496 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (4)

Related Techniques

T1496.001Compute HijackingT1496.002Bandwidth HijackingT1496.003SMS PumpingT1496.004Cloud Service HijackingT1059.001PowerShellT1059.004Unix ShellT1053.003CronT1053.005Scheduled TaskT1105Ingress Tool TransferT1543.002Systemd ServiceT1078.004Cloud AccountsT1190Exploit Public-Facing Application

Same Tactic: Impact

Popular Detections