T1496 Sumo Logic CSE · Sumo

Detect Resource Hijacking in Sumo Logic CSE

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking includes cryptocurrency mining (cryptojacking), selling network bandwidth to proxy networks (proxyjacking), generating SMS traffic for profit, and abusing cloud-based messaging or compute services. Adversaries often deploy miners via initial access (phishing, exploitation), lateral movement, or compromised cloud credentials, and may use rootkits or process hollowing to hide mining activity.

MITRE ATT&CK

Tactic
Impact
Technique
T1496 Resource Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1496/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_index=sec_record_*
| where metadata_deviceEventId in ("1","4688","3")
| where (
    (metadata_deviceEventId in ("1","4688") and (
      matches(baseImage,"(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|t-rex|nbminer|phoenixminer|lolminer|gminer|bfgminer|cgminer|xmr-stak|poolminer|kawpowminer|teamredminer)(\\.exe)?")
      or matches(commandLine,"(?i)(stratum\\+(tcp|ssl)|stratum2\\+tcp|--donate-level|--coin[ =](xmr|monero)|-o pool\\.|--url=|--wallet|mining\\.(subscribe|authorize))")
    ))
    or (metadata_deviceEventId = "3"
      and dstPort in ("3333","4444","5555","7777","9999","14444","45700","3256","14433","20536")
      and not matches(dstIp,"^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.)")
      and not matches(baseImage,"(?i)(chrome\\.exe|msedge\\.exe|firefox\\.exe|iexplore\\.exe|outlook\\.exe|teams\\.exe)")
    )
  )
| eval RiskScore = if(
    matches(parentBaseImage,"(?i)(powershell|cmd\\.exe|wscript|cscript|mshta|bash|sh)")
    and matches(baseImage,"(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|nbminer|lolminer|gminer|cgminer|xmr-stak|poolminer)"),
    95,
    if(matches(baseImage,"(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|nbminer|lolminer|gminer|cgminer|xmr-stak|poolminer)")
       and matches(commandLine,"(?i)(stratum|wallet|mining)"),
       90,
       if(matches(baseImage,"(?i)(xmrig|minerd|cpuminer|ethminer|nheqminer|nbminer|lolminer|gminer|cgminer|xmr-stak|poolminer)"),80,70)
    )
  )
| where RiskScore >= 70
| fields device_hostname, user_username, baseImage, commandLine, parentBaseImage, dstIp, dstPort, RiskScore, metadata_deviceEventId
| sort by RiskScore desc
high severity high confidence

Detects T1496 Resource Hijacking against the Sumo Logic Cloud SIEM Enterprise normalized record index (sec_record_*). Queries Sysmon EID 1 / Windows EID 4688 process creation records for known miner executable names and stratum protocol command-line patterns via the CSE normalized baseImage and commandLine fields. Queries Sysmon EID 3 network connection records for outbound mining pool port connections via dstPort with RFC1918 CIDR and browser exclusions. Risk scores LOLBin-spawned miners at 95, miners with stratum args at 90, standalone miner names at 80, and port-only matches at 70. Requires Sumo Logic CSE with Windows and Sysmon event sources configured.

Data Sources

Sumo Logic Cloud SIEM EnterpriseWindows Event Log via Sumo Logic Installed CollectorSysmon via Sumo Logic Installed CollectorLinux Syslog via Sumo Logic collector

Required Tables

sec_record_*

False Positives & Tuning

  • Mining software legitimately deployed on organization-owned mining hardware — create a CSE suppression rule targeting device_hostname values for approved mining hosts
  • Cryptocurrency daemon software such as monerod or bitcoind running on authorized endpoints that trigger on port or command-line keyword matches
  • Red team or purple team exercises executing miner binaries in sandboxed environments as part of detection validation — coordinate suppression windows with the security team
Download portable Sigma rule (.yml)

Other platforms for T1496

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1XMRig Miner Execution with Stratum Protocol Arguments

    Expected signal: Sysmon Event ID 1 (or Security Event ID 4688): Process Create for cmd.exe with CommandLine containing 'stratum+tcp', 'pool.minexmr.com', '--donate-level', and '--coin xmr'. The echo command generates no network connection but the command-line telemetry fully triggers the detection.

  2. Test 2Linux Miner Binary Dropped to /tmp and Executed

    Expected signal: Auditd or Sysmon for Linux: file creation event for /tmp/xmrig (execve or open syscall), process execution event showing Image=/tmp/xmrig. Linux audit log: SYSCALL records for execve with /tmp/xmrig. EDR: DeviceFileEvents for /tmp/xmrig creation, DeviceProcessEvents for /tmp/xmrig execution.

  3. Test 3Outbound Connection to Mining Pool Port

    Expected signal: Sysmon Event ID 3: Network Connection with DestinationPort=3333, Image=powershell.exe, DestinationIp=127.0.0.1. The connection fails but the attempt is logged. In production, the query filters 127.0.0.1 — modify DestinationIp to an external test IP if available in your lab.

  4. Test 4Miner Persistence via Scheduled Task

    Expected signal: Security Event ID 4698: A scheduled task was created, with TaskContent XML showing the action command line including 'stratum+tcp'. Sysmon Event ID 1 on next logon: cmd.exe executing with the stratum-like command line. Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks entry created.

  5. Test 5Cloud Credential Abuse Simulation (AWS CLI Reconnaissance)

    Expected signal: AWS CloudTrail: DescribeInstances and DescribeInstanceTypes API calls logged with the caller's IAM identity, source IP, and timestamp. These reconnaissance calls immediately precede RunInstances in real cryptojacking campaigns. Process telemetry: Sysmon Event ID 1 for aws.exe with describe-instances arguments.

Last updated: 2026-04-14 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1496 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (4)

Related Techniques

T1496.001Compute HijackingT1496.002Bandwidth HijackingT1496.003SMS PumpingT1496.004Cloud Service HijackingT1059.001PowerShellT1059.004Unix ShellT1053.003CronT1053.005Scheduled TaskT1105Ingress Tool TransferT1543.002Systemd ServiceT1078.004Cloud AccountsT1190Exploit Public-Facing Application

Same Tactic: Impact

Popular Detections