DET0267 Resource Hijacking Detection Strategy

Item	Value
ID	DET0267
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1496 (Resource Hijacking)

Analytics

Windows

AN0741

Persistent high CPU utilization combined with suspicious command-line execution (e.g., mining tools or obfuscated scripts) and outbound connections to mining/proxy networks.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Host Status (DC0018)	Windows:perfmon	High sustained CPU usage by a single process
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22

Mutable Elements

Field	Description
TimeWindow	Duration threshold for sustained CPU activity (e.g., >15 minutes)
DestinationIPList	Known mining pool IPs or proxy service endpoints
ExecutableNamePatterns	Regex list of suspicious or known mining tools

Linux

AN0742

Abnormal CPU/memory usage by unauthorized processes with outbound connections to known mining pools or using cron jobs/scripts to maintain persistence.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	auditd:SYSCALL	execve
Host Status (DC0018)	linux:procfs	Sustained high /proc/[pid]/stat usage
Network Traffic Flow (DC0078)	NSM:Flow	Outbound traffic to mining pools or proxies

Mutable Elements

Field	Description
ProcessPath	Location of resource-heavy binaries (e.g., /tmp/.xmr)
CPUThreshold	Acceptable baseline for CPU overuse
KnownMiningDomains	List of domains/IPs for known cryptomining services

macOS

AN0743

Background launch agents/daemons with high CPU use and network access to external mining services.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	macos:unifiedlog	launchctl activity and process creation
Network Traffic Content (DC0085)	macos:unifiedlog	Persistent outbound traffic to mining domains

Mutable Elements

Field	Description
launchdLabel	Suspicious or unknown launch agents
TrafficVolumeThreshold	Outbound bandwidth usage thresholds

IaaS

AN0744

Sudden spikes in cloud VM CPU usage with outbound traffic to mining pools and unauthorized instance creation.

Log Sources

Data Component	Name	Channel
Instance Start (DC0080)	AWS:CloudTrail	RunInstances
Host Status (DC0018)	AWS:CloudWatch	Sustained EC2 CPU usage above normal baseline
Network Traffic Flow (DC0078)	AWS:VPCFlowLogs	Outbound flow logs to known mining pools

Mutable Elements

Field	Description
CPUUtilizationThreshold	CloudWatch alarm trigger for sustained CPU
UnusualRegionList	Instances launched in unexpected regions

Containers

AN0745

High CPU usage by unauthorized containers running mining binaries or public proxy tools.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	containerd:events	New container with suspicious image name or high resource usage
Host Status (DC0018)	prometheus:metrics	Container CPU/Memory usage exceeding threshold
Network Traffic Flow (DC0078)	container:cni	Outbound network traffic to mining proxies

Mutable Elements

Field	Description
ImageName	Suspicious or unknown container image used
CPUQuotaThreshold	Container-level resource limits

SaaS

AN0746

Abuse of cloud messaging platforms to send mass spam or consume quota-based resources.

Log Sources

Data Component	Name	Channel
Cloud Service Modification (DC0069)	m365:unified	SendMessage
Application Log Content (DC0038)	saas:application	High-volume API calls or traffic via messaging or webhook service

Mutable Elements

Field	Description
MessageRateThreshold	Max allowable outbound message rate per user/account
APIKeyList	Known authorized API clients for messaging usage