# T1496 Resource Hijacking

-----------------------------------------------------------------------

## Technique Description

Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. 

One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)

Additionally, some cryptocurrency mining malware identifies and then kills off the processes of competing malware to ensure it is not competing for resources.(Citation: Trend Micro War of Crypto Miners)

Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR)

## Technique Detection

Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use of network resources associated with cryptocurrency mining software. Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage.

-----------------------------------------------------------------------

### Tactics:

  *   Impact

### Platforms:

  * Windows

  * IaaS

  * Linux

  * macOS

  * Containers

### Data Sources:

  * **Process:** Process Creation

  * **Sensor Health:** Host Status

  * **Command:** Command Execution

  * **File:** File Creation

  * **Network Traffic:** Network Connection Creation

  * **Network Traffic:** Network Traffic Flow

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has deployed XMRig Docker images to mine cryptocurrency.(Citation: Lacework TeamTNT May 2021)(Citation: Cado Security TeamTNT Worm August 2020) | 
| Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used XMRIG to mine cryptocurrency on victim systems.(Citation: RedCanary Mockingbird May 2020)| 
| Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has distributed cryptomining malware.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) deployed a Monero cryptocurrency mining tool in a victim’s environment.(Citation: FireEye APT41 Aug 2019)|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1496)

  * [Unit 42 Hildegard Malware](https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/), Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.

  * [Cloudsploit - Unused Aws Regions](https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc), CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.

  * [Kaspersky Lazarus Under The Hood Blog 2017](https://securelist.com/lazarus-under-the-hood/77908/), GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.

  * [Trend Micro Exposed Docker Apis](https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html), Oliveira, A. (2019, May 30). Infected Containers Target Docker via Exposed APIs. Retrieved April 6, 2021.

  * [Trend Micro War Of Crypto Miners](https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html), Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency Miners: A Battle for Resources. Retrieved April 6, 2021.

  * [Gobotkr](https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/), Zuzana Hromcová. (2019, July 8). Malicious campaign targets South Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT 28 |  | |

## Detection Blindspots

- The activity may not appear in logs, and the resource utilization may occur at the MP Server level or on an endpoint itself.

## Analytical References

  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md

  * https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

  * https://link.springer.com/article/10.1057/s41284-019-00194-6#Sec20

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources.
- Monitor for suspicious use of network resources associated with cryptocurrency mining software.
- Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage.
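One way to operationalise the first hunter note (and the matching Technique Detection paragraph), as an added example that is not part of the MITRE page or this notebook: sample `ps` output over several intervals and alert only on processes that stay hot across consecutive samples, which separates a mining workload from a short legitimate spike. The snapshots are constructed, and the threshold, sample count, allowlist and process names are assumptions to tune per host role.

```python
from collections import defaultdict

CPU_THRESHOLD = 80.0   # percent of one core; assumption, tune per host role
MIN_SAMPLES = 3        # consecutive hot samples before alerting (assumption)
ALLOWLIST = {"postgres", "nginx"}   # assumed legitimately busy services on this host

# Constructed `ps -eo pid,ppid,pcpu,comm` snapshots taken at successive intervals
SNAPSHOTS = [
    """  PID  PPID %CPU COMMAND
  812     1  2.0 nginx
  901     1 91.5 postgres
 4410   812 97.2 updater
 4411  4410  0.3 sh""",
    """  PID  PPID %CPU COMMAND
  812     1  1.7 nginx
  901     1 88.0 postgres
 4410   812 98.9 updater
 4411  4410  0.1 sh""",
    """  PID  PPID %CPU COMMAND
  812     1  2.4 nginx
  901     1 15.3 postgres
 4410   812 99.1 updater""",
]

def parse_ps(snapshot):
    """Return {pid: (ppid, pcpu, comm)} for one snapshot, skipping the header line."""
    rows = {}
    for line in snapshot.splitlines()[1:]:
        pid, ppid, pcpu, comm = line.split(None, 3)
        rows[int(pid)] = (int(ppid), float(pcpu), comm)
    return rows

def sustained_cpu_hogs(snapshots, threshold=CPU_THRESHOLD, min_samples=MIN_SAMPLES):
    """(pid, comm, ppid) for non-allowlisted processes hot in min_samples consecutive snapshots."""
    streak = defaultdict(int)
    names = {}
    for snap in snapshots:
        rows = parse_ps(snap)
        for pid in list(streak):        # a process that vanished loses its streak
            if pid not in rows:
                streak[pid] = 0
        for pid, (ppid, pcpu, comm) in rows.items():
            names[pid] = (comm, ppid)
            streak[pid] = streak[pid] + 1 if pcpu >= threshold else 0
    return sorted((pid, *names[pid]) for pid, n in streak.items()
                  if n >= min_samples and names[pid][0] not in ALLOWLIST)

if __name__ == "__main__":
    for pid, comm, ppid in sustained_cpu_hogs(SNAPSHOTS):
        print(f"ALERT pid={pid} comm={comm} parent={ppid}: sustained high CPU")
```

The parent PID is kept in the alert because a hot child of a web server or container runtime deserves a different triage path than a hot batch job.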

#### Analytic 1

  * **Information:** 'ProcDump -- Command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. '

  * **Source:** 'Endpoint'

  * **Tool:** 'Procdump'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```ProcDump <process>```

#### Analytic 2

  * **Information:** '/var/log/secure AND /var/log/audit/audit.log'

  * **Source:** 'Endpoint'

  * **Tool:** ''

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Insert Query```
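Analytic 2 names `/var/log/audit/audit.log` as a source but leaves the query empty; the following is an added example (not from the MITRE page or this notebook) that reads auditd `EXECVE` records and flags executions whose binary name is a known miner (XMRig, which the adversary examples above cite) or whose arguments carry a stratum pool URL. The log excerpt is constructed, and the miner-name list is an assumption to extend with local intelligence.

```python
import re

# XMRig is the miner the page's adversary examples cite; extend with local intel (assumption)
MINER_NAMES = {"xmrig"}
POOL_URL = re.compile(r"stratum\+(tcp|ssl)://", re.I)   # pool protocol scheme seen in miner args

# Constructed /var/log/audit/audit.log excerpt (auditd EXECVE and SYSCALL records)
AUDIT_LOG = """\
type=EXECVE msg=audit(1655990001.101:501): argc=3 a0="ls" a1="-la" a2="/tmp"
type=EXECVE msg=audit(1655990002.202:502): argc=5 a0="/tmp/.x/xmrig" a1="-o" a2="stratum+tcp://pool.example.invalid:3333" a3="-u" a4="wallet"
type=SYSCALL msg=audit(1655990002.202:502): arch=c000003e syscall=59 success=yes exit=0 comm="xmrig"
type=EXECVE msg=audit(1655990003.303:503): argc=2 a0="curl" a1="https://updates.example.invalid/pkg"
type=EXECVE msg=audit(1655990004.404:504): argc=2 a0="/opt/build/run" a1="--config=stratum+ssl://mine.example.invalid:443"
"""

ARG_RE = re.compile(r'\ba\d+="([^"]*)"')      # quoted argv fields only (see caveat below)
ID_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

def parse_execve(line):
    """Return (event_id, argv) for an EXECVE record, or None for any other record type.
    Caveat: auditd hex-encodes (unquoted) arguments that contain spaces or control
    characters; those fields are skipped here rather than decoded."""
    if not line.startswith("type=EXECVE "):
        return None
    return (ID_RE.search(line).group(1), ARG_RE.findall(line))

def suspicious_execs(log_text):
    """EXECVE events whose argv names a known miner binary or a stratum pool URL."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        event_id, argv = parsed
        binary = argv[0].rsplit("/", 1)[-1] if argv else ""
        reasons = []
        if binary.lower() in MINER_NAMES:
            reasons.append("known miner name")
        if any(POOL_URL.search(arg) for arg in argv):
            reasons.append("stratum pool URL in arguments")
        if reasons:
            hits.append((event_id, binary, reasons))
    return hits

if __name__ == "__main__":
    for event_id, binary, reasons in suspicious_execs(AUDIT_LOG):
        print(f"audit event {event_id}: {binary} -> {', '.join(reasons)}")
```

The event id ties the EXECVE record back to its SYSCALL record, where `auid`, `uid` and `ppid` identify who launched the process; this requires `execve` auditing to be enabled in the auditd rules.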



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------


