Info

ID: AT-IM005.001
Technique: Resource Hijacking
Tactic: Impact
Platforms: Linux, macOS, Windows, Container Platforms, Web Application
Impact Type: Availability
Version: 1.0

Cryptomining

Cryptomining, as a sub-technique of Resource Hijacking within the Impact tactic, involves adversaries leveraging compromised application resources to mine cryptocurrency without authorization. This exploitation typically occurs when attackers inject malicious code into web applications, serverless functions, containers, or other computational resources, diverting CPU, GPU, and memory capacity from legitimate processes to perform complex mathematical calculations required for cryptocurrency mining. The impact extends beyond performance degradation, causing increased energy consumption, accelerated hardware deterioration, and potential service disruptions. Unlike other resource hijacking methods that might focus on bandwidth or storage, cryptomining specifically monetizes computational power, making it particularly attractive for long-term persistence scenarios where attackers can generate consistent financial returns while maintaining relatively low visibility compared to more disruptive attacks. Organizations may observe symptoms including unexplained CPU spikes, thermal issues, reduced application responsiveness, and anomalous network connections to mining pools.

Detection

ID | Data Source | Detection
DS0009 | Process: Process Metadata | Detect long-running processes consuming high CPU/GPU that are not in the baseline of profiled activity. Correlate with executable hash reputations for mining software (e.g., XMRig) and with command-line arguments associated with miners.
DS0029 | Network Traffic: Network Traffic Flow | Alert on persistent outbound TCP traffic to ports 3333 or 4444, or on Stratum protocol identifiers (mining.subscribe, mining.notify).
DS0030 | Cloud Service: Cloud Service Metadata | Surface unexpected auto-scaling events or burstable CPU credit drain triggered by workloads labelled as "batch" but running incessantly.
DS0015 | Application Log | Monitor container/orchestrator logs for image pulls whose digests resolve to public "miner" repositories.
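The following is an added example, not part of the original technique page: a small Python triage routine that applies the DS0009 and DS0029 heuristics above to constructed process-metadata and network-flow records. The baseline process names, the miner hash (a labelled placeholder standing in for a threat-intel feed), the sample records and the thresholds are all assumptions chosen for illustration; the Stratum method names and ports come from the table.

```python
"""Added example: score process metadata and network flows against the
cryptomining detection heuristics (DS0009, DS0029). All input below is
constructed; the miner hash is a placeholder, not a real reputation value."""
import re
from dataclasses import dataclass

# Placeholder standing in for hashes from a threat-intel feed (constructed).
PLACEHOLDER_MINER_HASH = "PLACEHOLDER_SHA256_FROM_THREAT_INTEL"
KNOWN_MINER_HASHES = {PLACEHOLDER_MINER_HASH}

# Command-line shapes typical of miners: Stratum pool URLs, XMRig-style flags,
# and a "-o host:port" pool argument.
MINER_ARG_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"(^|\s)--?(donate-level|cpu-priority|algo|coin)\b", re.I),
    re.compile(r"(^|\s)-o\s+\S+:\d{4,5}\b"),
]
MINING_PORTS = {3333, 4444}
STRATUM_METHODS = ("mining.subscribe", "mining.notify", "mining.authorize")


@dataclass
class ProcessRecord:
    pid: int
    name: str
    sha256: str
    cmdline: str
    cpu_percent: float
    runtime_sec: int


@dataclass
class FlowRecord:
    pid: int
    dst_ip: str
    dst_port: int
    duration_sec: int
    payload_sample: str = ""  # first bytes of the stream, if captured


def process_findings(p, baseline_names, cpu_threshold=80.0, min_runtime=3600):
    """DS0009: high CPU for a long time outside the baseline, hash reputation,
    and miner-style arguments. Returns a list of human-readable reasons."""
    reasons = []
    if (p.cpu_percent >= cpu_threshold and p.runtime_sec >= min_runtime
            and p.name not in baseline_names):
        reasons.append("long-running high-CPU process outside baseline")
    if p.sha256 in KNOWN_MINER_HASHES:
        reasons.append("hash matches known miner")
    if any(pat.search(p.cmdline) for pat in MINER_ARG_PATTERNS):
        reasons.append("miner-style command-line arguments")
    return reasons


def flow_findings(f, min_duration=600):
    """DS0029: persistent outbound TCP to mining ports, or Stratum methods."""
    reasons = []
    if f.dst_port in MINING_PORTS and f.duration_sec >= min_duration:
        reasons.append(f"persistent outbound TCP to port {f.dst_port}")
    if any(m in f.payload_sample for m in STRATUM_METHODS):
        reasons.append("Stratum protocol method in payload")
    return reasons


def triage(processes, flows, baseline_names):
    """Join process and flow evidence on PID so one miner yields one alert.
    Returns {pid: [reasons]} for every PID with at least one finding."""
    alerts = {}
    for p in processes:
        reasons = process_findings(p, baseline_names)
        if reasons:
            alerts.setdefault(p.pid, []).extend(reasons)
    for f in flows:
        reasons = flow_findings(f)
        if reasons:
            alerts.setdefault(f.pid, []).extend(reasons)
    return alerts


# Constructed sample data: a disguised miner, a web server, and a legitimate
# CPU-heavy job that is in the baseline and therefore must not alert.
BASELINE_NAMES = {"nginx", "ffmpeg", "postgres"}
SAMPLE_PROCESSES = [
    ProcessRecord(4242, "kworkerd", PLACEHOLDER_MINER_HASH,
                  "kworkerd -o stratum+tcp://pool.example.invalid:3333 "
                  "-u WALLET_PLACEHOLDER --donate-level 1", 97.0, 7200),
    ProcessRecord(1001, "nginx", "constructed-hash-nginx", "nginx -g daemon off;", 12.0, 90000),
    ProcessRecord(2002, "ffmpeg", "constructed-hash-ffmpeg", "ffmpeg -i in.mp4 out.mkv", 95.0, 10000),
]
SAMPLE_FLOWS = [
    FlowRecord(4242, "203.0.113.10", 3333, 7000,
               '{"id":1,"method":"mining.subscribe","params":[]}'),
    FlowRecord(1001, "198.51.100.5", 443, 50),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCESSES, SAMPLE_FLOWS, BASELINE_NAMES).items():
        print(pid, "->", "; ".join(reasons))
```

The join on PID is the point: a single high-CPU process or a single connection to port 3333 is a weak signal on its own, but the same PID matching both process and flow heuristics is a much stronger one and keeps the legitimate CPU-heavy job in the baseline from alerting.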

Mitigations

ID | Mitigation | Description
M1040 | Behavior Prevention on Endpoint | Deploy runtime agents that throttle or limit processes exceeding resource thresholds or matching miner signatures.
M1030 | Network Segmentation | Deny egress to known mining-pool domains/IPs at firewall/proxy layers. Enforce egress allow-lists.
M1026 | Privileged Account Management | Require just-in-time elevation for instance/cluster scaling operations to prevent covert resource provisioning.
M1045 | Code Signing | Only run signed container images and binaries from trusted registries to block "drop-in" miner images.
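As an added example of the M1045 policy (not the page's own content, and not a real admission controller), the Python below implements the decision an image-admission check would make: parse the image reference, require a trusted registry, require a digest pin rather than a mutable tag, and require that the digest has a known-good signature. The trusted-registry set and the "signed digests" set are constructed placeholders for an organisation's allow-list and for a real signature verification (such as a cosign check against the organisation's public key).

```python
"""Added example: admission-style enforcement of "only signed images from
trusted registries" (M1045). Registry allow-list and signed-digest set are
constructed placeholders; a real deployment would verify signatures."""
import re

TRUSTED_REGISTRIES = {"registry.example.internal", "mirror.example.internal"}  # constructed
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed stand-in for a signature lookup: digests the org has signed.
SIGNED_DIGESTS = {"sha256:" + "a" * 64}


def parse_image_ref(ref):
    """Split an OCI image reference into (registry, repository, tag, digest).
    The first path component is a registry only if it contains '.' or ':' or is
    'localhost' (Docker's rule); otherwise the registry defaults to docker.io."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest


def admit(ref, signed_digests=SIGNED_DIGESTS, trusted=TRUSTED_REGISTRIES):
    """Return (allowed, reason). Rejects untrusted registries, tag-only
    references (mutable, so a signature cannot be bound to them), malformed
    digests, and digests without a signature."""
    registry, _repo, _tag, digest = parse_image_ref(ref)
    if registry not in trusted:
        return False, f"registry {registry} not in allow-list"
    if not digest:
        return False, "image must be pinned by digest, not a mutable tag"
    if not DIGEST_RE.match(digest):
        return False, "malformed digest"
    if digest not in signed_digests:
        return False, "no valid signature for digest"
    return True, "admitted"


if __name__ == "__main__":
    # Constructed references: a public image, an unpinned internal image, a signed
    # internal image, and an internal image whose digest was never signed.
    for candidate in [
        "docker.io/someuser/app:latest",
        "registry.example.internal/team/app:1.2",
        "registry.example.internal/team/app@sha256:" + "a" * 64,
        "registry.example.internal/team/app@sha256:" + "b" * 64,
    ]:
        print(candidate, "->", admit(candidate))
```

Pinning by digest matters because a tag such as `latest` can be re-pointed at a different image after the signature was produced; the digest is what the signature actually covers, so the policy rejects tag-only references outright rather than trying to verify them.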