DET0028 Detect Excessive or Unauthorized Bandwidth Usage for Botnet, Proxyjacking, or Scanning Purposes

Item	Value
ID	DET0028
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1496.002 (Bandwidth Hijacking)

Analytics

Windows

AN0080

Processes invoking network-intensive child processes or uploading large data volumes, often from non-standard user or system contexts, with evidence of long-duration TCP/UDP sessions to unusual destinations.

Log Sources

Data Component	Name	Channel
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1

Mutable Elements

Field	Description
TimeWindow	Bandwidth anomalies should be assessed over 5-15 min or hourly windows depending on environment size.
DestinationCountry	Some organizations whitelist traffic to countries based on geolocation.
ProcessName	Legitimate processes using high bandwidth (e.g., backup tools) must be excluded.

Linux

AN0081

User-initiated processes generating sustained outbound traffic over common or non-standard ports, often outside business hours, potentially linked to scanning or proxyjacking. Includes curl, wget, masscan, or proxy clients.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	auditd:SYSCALL	execve calls with high-frequency or known bandwidth-intensive tools
Network Traffic Flow (DC0078)	NSM:Flow	large outbound data flows or long-duration connections

Mutable Elements

Field	Description
ToolPattern	Can be tuned for specific bandwidth abuse tools (e.g., proxychains, 3proxy).
TrafficRateThreshold	Baseline deviation thresholds must be environment-specific.

macOS

AN0082

Suspicious long-lived or high-throughput connections by non-Apple signed apps or processes not commonly associated with network uploads. Detect background processes using open sockets for data egress.

Log Sources

Data Component	Name	Channel
Network Traffic Content (DC0085)	macos:unifiedlog	process + network metrics correlation for bandwidth saturation
Process Creation (DC0032)	macos:unifiedlog	exec or spawn calls to proxy tools or torrent clients

Mutable Elements

Field	Description
ProcessSignedStatus	Non-signed or non-Apple signed binaries can raise confidence levels.
DataRateThreshold	Observed data rate per process over time (e.g., MB/s).

Containers

AN0083

Containerized apps or sidecar containers generating excessive outbound traffic or being leveraged for proxy networks. Includes sudden increases in network interface stats, especially in dormant or low-util apps.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	containers:osquery	bandwidth-intensive command execution from within a container namespace
Network Traffic Content (DC0085)	docker:stats	unusual network TX/RX byte deltas

Mutable Elements

Field	Description
ContainerBaselineNetworkUsage	Baseline per container must be defined by app purpose and normal traffic.
ImageName	Certain image names or registries may be prone to abuse (e.g., public image hosting mining or proxyware).

IaaS

AN0084

Virtual instances or workloads generating sustained outbound data rates, often to TOR, VPN, or proxy endpoints. Often coincides with unusual IAM usage or deployed scripts (e.g., cron jobs using proxy clients).

Log Sources

Data Component	Name	Channel
Instance Start (DC0080)	AWS:CloudTrail	StartInstances
Network Traffic Flow (DC0078)	AWS:VPCFlowLogs	egress > 90th percentile or frequent connection reuse

Mutable Elements

Field	Description
InstanceType	High-throughput instance types are more likely to be targeted for hijacking.
TrafficEgressThreshold	Customize detection thresholds based on cloud provider quotas or billing alerts.