title: Bandwidth Hijacking (T1496.002)
id: df00tech-t1496-002
status: experimental
description: "Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. This includes proxyjacking (selling victim bandwidth and IP address to proxyware services such as Honeygain, IPRoyal Pawns, Peer2Profit, PacketStream, and Traffmonetizer), participating in botnets for network denial of service campaigns, seeding malicious torrents, and conducting internet-wide scanning using victim systems. Proxyware agents installed on victim machines route third-party traffic through the victim's IP address, generating revenue for the adversary while consuming the victim's bandwidth and potentially implicating the victim's IP in illegal activity."
references:
  - https://attack.mitre.org/techniques/T1496/002/
  - https://df00tech.com/detections/T1496.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1496.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate voluntary installation of proxyware by the endpoint user who consented to share bandwidth for reward (common in BYOD environments)
  - Security researchers testing proxyware tools in an isolated lab environment
  - "CDN edge nodes, proxy appliances, or load balancers with high legitimate external connection volumes that match domain keywords"
  - Peer-to-peer collaboration or conferencing applications (WebRTC-based) whose domain names partially match proxyware keyword patterns
  - Authorized penetration testing tools or network scanning appliances generating high external connection counts
level: medium