title: Resource Hijacking (T1496)
id: df00tech-t1496
status: experimental
description: "Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking includes cryptocurrency mining (cryptojacking), selling network bandwidth to proxy networks (proxyjacking), generating SMS traffic for profit, and abusing cloud-based messaging or compute services. Adversaries often deploy miners via initial access (phishing, exploitation), lateral movement, or compromised cloud credentials, and may use rootkits or process hollowing to hide mining activity."
references:
  - https://attack.mitre.org/techniques/T1496/
  - https://df00tech.com/detections/T1496
author: df00tech
date: 2026/04/14
tags:
  - attack.t1496
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder selection: EventID '*' matches every process_creation event, so as
  # written this rule fires on all process starts. Replace it with environment-specific
  # logic (e.g. stratum pool URIs or miner command-line patterns) before enabling it.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate cryptocurrency wallet software or personal mining on developer endpoints (rare in corporate environments)
  - Security researchers or red team operators running miner tools in authorized lab environments
  - Network performance testing tools connecting to high-numbered ports that overlap with mining pool ranges
  - Proxy or VPN client software using ports that coincidentally overlap with known mining pool ports
  - Penetration testing scripts containing stratum protocol strings for mining simulation exercises
level: high
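Because the rule above ships with a placeholder selection, here is an added example (not part of the df00tech rule or its KQL/SPL query) of what the detection logic can look like in code: it scans process-creation events for stratum mining-pool URIs, the "stratum protocol strings" named in the false-positive notes, extracts the pool endpoint for triage, and marks hits against an allowlist so the authorised lab case from those notes can be separated from real cryptojacking. The log lines, hostnames and the allowlist are all constructed for this example; the `stratum+tcp`, `stratum+ssl` and `stratum+tls` URI schemes are real, everything else is an assumption.

```python
"""Added example: detect stratum mining-pool URIs in process-creation logs.
Not the df00tech rule's own logic; log lines and hosts below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# stratum+tcp://host:port style URIs. The scheme variants are real; the
# hosts that appear in the sample events further down are constructed.
STRATUM_URI = re.compile(
    r"stratum\+(?:tcp|ssl|tls)://(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})",
    re.IGNORECASE,
)

# Assumption: pool hosts used in authorised lab / mining-simulation exercises
# (one of the rule's listed false positives) are registered here.
ALLOWLISTED_POOL_HOSTS = {"lab-pool.internal.example"}


@dataclass
class Finding:
    host: str        # endpoint that started the process
    user: str        # account the process ran as
    image: str       # executable path
    pool_host: str   # mining pool host taken from the command line
    pool_port: int   # mining pool port taken from the command line
    allowlisted: bool


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed key="value" process-creation line into a dict.
    Values are quoted so command lines containing spaces survive parsing."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def inspect_event(line: str) -> Optional[Finding]:
    """Return a Finding if the event's command line carries a stratum URI."""
    ev = parse_event(line)
    match = STRATUM_URI.search(ev.get("CommandLine", ""))
    if match is None:
        return None
    pool_host = match.group("host").lower()
    return Finding(
        host=ev.get("Computer", "?"),
        user=ev.get("User", "?"),
        image=ev.get("Image", "?"),
        pool_host=pool_host,
        pool_port=int(match.group("port")),
        allowlisted=pool_host in ALLOWLISTED_POOL_HOSTS,
    )


def scan(lines: List[str]) -> List[Finding]:
    """Run inspect_event over a batch of lines and keep only the hits."""
    return [f for f in (inspect_event(line) for line in lines) if f is not None]


# Constructed sample events in Sysmon-like key="value" form (all values invented).
SAMPLE_EVENTS = [
    'EventID="1" Computer="ws-017" User="CORP\\jdoe" '
    'Image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe" '
    'CommandLine="svchost.exe -o stratum+tcp://pool.invalid-mining.example:3333 -u wallet.ws-017 -p x"',
    'EventID="1" Computer="ws-022" User="CORP\\asmith" '
    'Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'CommandLine="WINWORD.EXE /n budget.docx"',
    'EventID="1" Computer="lab-03" User="LAB\\redteam" Image="C:\\lab\\sim.exe" '
    'CommandLine="sim.exe --url stratum+ssl://lab-pool.internal.example:443 --user test"',
]


def main() -> None:
    for f in scan(SAMPLE_EVENTS):
        verdict = "ALLOWLISTED (authorised lab)" if f.allowlisted else "ALERT"
        print(f"{verdict}: {f.host} {f.user} {f.image} -> {f.pool_host}:{f.pool_port}")


if __name__ == "__main__":
    main()
```

The second sample event (a normal Word launch) produces nothing, the first produces an alert, and the third is reported but tagged as allowlisted rather than dropped, so the analyst still sees that a lab host is talking stratum. Matching on the URI scheme rather than on port numbers alone avoids the port-overlap false positives the rule lists for proxy, VPN and network-testing tools.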
