title: Compute Hijacking (T1496.001)
id: df00tech-t1496-001
status: experimental
description: "Adversaries may leverage the compute resources of co-opted systems to mine cryptocurrency or perform other resource-intensive tasks, degrading system performance and hosted service availability. The most prevalent form is unauthorized cryptocurrency mining (cryptojacking), typically targeting Monero (XMR) via XMRig or derivative tools due to CPU-friendliness and transaction privacy. Threat actors including TeamTNT, Blue Mockingbird, Rocke, APT41, Kinsing, and Hildegard have deployed miners as follow-on payloads targeting Windows endpoints, Linux servers, and containerized environments. Miners connect to mining pools over stratum protocol (commonly ports 3333, 4444, 14444) and are often deployed alongside rootkits, cron-based persistence, and competing miner kill scripts."
references:
  - https://attack.mitre.org/techniques/T1496/001/
  - https://df00tech.com/detections/T1496.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1496.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Authorized cryptocurrency mining operations or research environments where staff legitimately run miners
  - Security researchers testing miner detection capabilities using XMRig or similar tools in sandboxed environments
  - "Port 3333 used by legitimate development tools or custom applications (e.g., some IoT platforms, local proxy servers)"
  - Penetration testers running authorized mining simulations as part of red team engagements with documented change tickets
  - Academic HPC (High Performance Computing) workloads that use similar CPU-maximizing flags but for legitimate compute tasks
level: high
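Because the `detection` block above is only a placeholder, the following is an added example (not part of the df00tech rule or its KQL/SPL query) of how the indicators named in the description translate into detection logic: it scores process_creation events for a known miner image name, a `stratum+` pool URL, or a `-o`/`--url` pool target on the stratum ports 3333, 4444 and 14444, while ignoring an `http://...:3333` URL so the listed dev-tool false positive does not fire. Sample events are constructed; miner names other than xmrig and the `pool.example.*` hosts are assumptions.

```python
import shlex
from dataclasses import dataclass

# Stratum pool ports named in the rule description.
STRATUM_PORTS = {3333, 4444, 14444}
# Miner binary names: xmrig is named in the rule, the others are assumptions.
MINER_IMAGES = {"xmrig", "xmrig.exe", "minerd", "xmr-stak", "xmr-stak.exe"}


@dataclass
class ProcessEvent:
    image: str          # Image (Sysmon EID 1) / NewProcessName (Security 4688)
    command_line: str   # CommandLine field of the same event


def pool_targets(command_line: str) -> list[tuple[str, str]]:
    """Return unique (scheme, host:port) pairs taken from stratum URLs and -o/--url args."""
    try:
        argv = shlex.split(command_line)   # POSIX quoting; good enough for the pool arguments
    except ValueError:
        argv = command_line.split()
    found: dict[tuple[str, str], None] = {}
    for i, tok in enumerate(argv):
        value = None
        if tok in ("-o", "--url") and i + 1 < len(argv):
            value = argv[i + 1]
        elif tok.startswith("--url="):
            value = tok.split("=", 1)[1]
        elif tok.lower().startswith("stratum+"):
            value = tok
        if value:
            scheme, _, hostport = value.rpartition("://")   # scheme is "" when absent
            found[(scheme.lower(), hostport)] = None
    return list(found)


def score_event(ev: ProcessEvent) -> list[str]:
    """List the indicators that matched; an empty list means nothing matched."""
    hits = []
    name = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in MINER_IMAGES:
        hits.append("miner_image:" + name)
    for scheme, hostport in pool_targets(ev.command_line):
        if scheme.startswith("stratum+"):
            hits.append("stratum_scheme:" + scheme)
        port = hostport.rsplit(":", 1)[-1]
        # A bare host:port or stratum URL on a pool port counts; http://host:3333 (dev tools) does not.
        if (scheme == "" or scheme.startswith("stratum+")) and port.isdigit() and int(port) in STRATUM_PORTS:
            hits.append("pool_port:" + port)
    return hits


def is_suspected_miner(ev: ProcessEvent) -> bool:
    return bool(score_event(ev))
```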
