Skip to content

DET0540 Multi-Platform Behavioral Detection for Compute Hijacking

Item Value
ID DET0540
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1496.001 (Compute Hijacking)

Analytics

Windows

AN1489

Sustained execution of resource-intensive processes (e.g., cryptocurrency miners), often launched via scheduled tasks, WMI, or PowerShell. These processes frequently establish persistent external connections and attempt to evade detection using masqueraded or renamed binaries.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Scheduled Job Creation (DC0001) WinEventLog:Security EventCode=4698
Mutable Elements
Field Description
Image The executable name of the miner or wrapper—can vary across campaigns.
DestinationIP May differ depending on the mining pool or proxy server.
ParentProcessName Useful for filtering known-good automation vs malicious task runners.

Linux

AN1490

Unusual long-running processes consuming high CPU cycles (e.g., via ‘top’ or ‘ps’) initiated via cron, shell scripts, or Docker. Connections to known mining pools or DNS over HTTPS usage as evasion.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Network Traffic Flow (DC0078) NSM:Flow Outbound connection to mining pool port (3333, 4444, 5555)
Scheduled Job Creation (DC0001) linux:cron Scheduled execution of unknown or unusual script/binary
Mutable Elements
Field Description
CommandLine The miner’s execution path and options may vary by campaign.
CPUThreshold Environment-specific definition of anomalous CPU usage.

macOS

AN1491

Persistent or background daemons (e.g., plist or launchd jobs) spawning high-CPU processes like xmrig or cpuminer. Outbound encrypted traffic to IPs/domains commonly used by mining proxies.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog launchd or cron spawning mining binaries
Network Traffic Content (DC0085) macos:unifiedlog Persistent outbound connections with consistent periodicity
Mutable Elements
Field Description
launchd.plist_label May be disguised with benign-looking names.
DestinationDomain Varying mining pool or obfuscated destination.

Containers

AN1492

Ephemeral or unauthorized container instantiation using public images (e.g., from DockerHub) that initiate high CPU usage shortly after startup. Often scheduled via Kubernetes or Docker socket abuse.

Log Sources
Data Component Name Channel
Container Creation (DC0072) containerd:events create
Process Creation (DC0032) auditd:SYSCALL execve
Network Traffic Flow (DC0078) NSM:Flow Outbound traffic to mining pool upon container launch
Mutable Elements
Field Description
ImageSource May vary depending on where the image is pulled from (registry or custom URL).
Namespace Helps differentiate attacker-created namespaces.

IaaS

AN1493

Unauthorized instance creation in unmonitored or unused regions. Burst of compute-intensive jobs in spot instances or sudden spike in resource usage in legitimate VMs.

Log Sources
Data Component Name Channel
Instance Start (DC0080) AWS:CloudTrail RunInstances
Host Status (DC0018) AWS:CloudWatch Unusual CPU burst or metric anomalies
Mutable Elements
Field Description
Region Adversaries may deploy resources in rarely used or misconfigured regions.
TagKey Used to evade detection with benign-looking tags or names.