Resource Hijacking
Info
ID: AT-IM005
Tactic: Impact
Sub-techniques: Bandwidth Hijacking, Compute Hijacking, Cryptomining
Platforms: Linux, macOS, Windows, AWS, Azure, GCP, Container Platforms
Impact Type: Availability
Version: 1.0
Resource Hijacking
Adversaries may co-opt application or infrastructure resources (compute, memory, bandwidth) for unauthorized purposes, such as cryptomining or botnets. This exploitation burdens the target environment with unplanned resource costs or performance degradation, and it can mask additional malicious activity behind legitimate workloads - particularly in cloud-scale environments that automatically scale capacity.
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | Deploy Cloud Detection & Response (CADR) agents that throttle processes exhibiting prolonged abnormal CPU, GPU, or memory use. |
| M1030 | Network Segmentation | Egress-restrict compute nodes so only sanctioned domains/ports are reachable; block common mining pool port ranges (3333, 4444) at firewall/WAF layers. |
| M1026 | Privileged Account Management | Require just-in-time (JIT) privileges for launching new compute resources or modifying auto-scaling groups, and enforce MFA on cloud-control APIs. |
| M1041 | Encrypt Sensitive Information | Use signed workload images and integrity attestation to ensure only validated container/VM images are deployed, preventing tampered mining images from running. |
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0009 | Process: Process Metadata | Continuously profile CPU/GPU utilisation per application, raise an alert when a non-whitelisted binary sustains unusually high CPU or spawns excessive GPU threads – a frequent indicator of cryptomining or bot workloads. |
| DS0029 | Network Traffic Flow | Detect persistent outbound connections to known mining-pool domains, IPs, or stratum protocols (e.g., stratum+tcp://) and unusually high egress to CDN IP ranges not used by the application. |
| DS0030 | Cloud Service Metadata | Alert on sudden spikes in auto-scaling events, burstable CPU credit usage, or Spot/On-Demand instance creation that are not linked to approved deployment pipelines, signalling possible illicit workload provisioning. |
| DS0015 | Application Log | Correlate container-orchestrator or serverless platform logs for functions running significantly longer or more frequently than expected baselines. |
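Two of the detection rows above (DS0029 persistent flows to mining-pool ports or stratum URIs, and DS0009 sustained CPU from a non-allow-listed binary) as an added, runnable example that is not part of the original technique page. The flow and process-sample record layouts, the allow-list, the 90 % CPU threshold and the 300 s "persistent" cut-off are assumptions for the example; the ports 3333 and 4444 come from the Mitigations table.

```python
# Added example, not from the technique page: applies two Detection rows
# (mining-pool flows, sustained CPU by unapproved binaries) to constructed
# telemetry. Record layouts and thresholds are assumptions for the example.
from collections import defaultdict

MINING_POOL_PORTS = {3333, 4444}            # ports named in the Mitigations table
APPROVED_BINARIES = {"nginx", "python3"}    # constructed allow-list
PERSISTENT_SECONDS = 300                    # assumed cut-off for "persistent"


def flag_mining_flows(flows):
    """Return flows that carry a stratum URI or are long-lived outbound
    connections to a known mining-pool port (DS0029)."""
    hits = []
    for f in flows:
        if f.get("uri", "").startswith("stratum+"):       # e.g. stratum+tcp://
            hits.append(f)
        elif (f["direction"] == "out"
              and f["dst_port"] in MINING_POOL_PORTS
              and f["duration_s"] >= PERSISTENT_SECONDS):
            hits.append(f)
    return hits


def flag_sustained_cpu(samples, threshold=90.0, min_intervals=3):
    """samples: time-ordered (binary, cpu_pct) pairs, one per interval.
    Flag binaries outside the allow-list whose CPU stays at or above
    `threshold` for `min_intervals` consecutive samples (DS0009)."""
    streak = defaultdict(int)
    flagged = set()
    for binary, cpu in samples:
        if binary in APPROVED_BINARIES:
            continue                        # approved workloads may run hot
        streak[binary] = streak[binary] + 1 if cpu >= threshold else 0
        if streak[binary] >= min_intervals:
            flagged.add(binary)
    return sorted(flagged)


# Constructed sample telemetry (documentation IP ranges, invalid hostnames).
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "dst_port": 443, "direction": "out", "duration_s": 12,
     "uri": "https://cdn.example.invalid/app.js"},            # normal
    {"dst": "198.51.100.7", "dst_port": 3333, "direction": "out", "duration_s": 3600,
     "uri": ""},                                              # long-lived pool port
    {"dst": "198.51.100.8", "dst_port": 14444, "direction": "out", "duration_s": 7200,
     "uri": "stratum+tcp://pool.example.invalid:14444"},      # stratum URI
    {"dst": "10.0.1.20", "dst_port": 4444, "direction": "out", "duration_s": 2,
     "uri": ""},                                              # too short to count
]
SAMPLE_CPU = [("nginx", 95.0), ("nginx", 96.0), ("nginx", 97.0),         # approved
              ("unknown-bin", 98.0), ("unknown-bin", 99.0), ("unknown-bin", 97.5),
              ("backup", 95.0), ("backup", 20.0), ("backup", 95.0)]      # not sustained
```

Running both functions over the samples flags the two mining flows and `unknown-bin` only; the short connection to port 4444 and the intermittent `backup` spikes stay below the thresholds.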