T1496 Resource Hijacking

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

Resource hijacking may take a number of different forms. For example, adversaries may:

  • Leverage compute resources in order to mine cryptocurrency
  • Sell network bandwidth to proxy networks
  • Generate SMS traffic for profit
  • Abuse cloud-based messaging services to send large quantities of spam messages

In some cases, adversaries may leverage multiple types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking 2023)

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.PS-06.07 | Development and operational process alignment | Mitigates | T1496 | Resource Hijacking
Comments: This diagnostic statement protects against Resource Hijacking through the use of DevSecOps, a secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.

Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CVE-2022-29464 | WSO2 Multiple Products Unrestrictive Upload of File Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: CVE-2022-29464 is an unrestricted file upload vulnerability: an adversary can upload arbitrary files and, because of a directory traversal issue, write them to locations from which they can then be executed to run commands on the server. Adversaries have been observed using this access to mine cryptocurrency.
CVE-2024-23692 | Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: CVE-2024-23692 is a template injection vulnerability in Rejetto HTTP File Server (HFS) that allows unauthenticated attackers to execute arbitrary OS commands. It has been reported as exploited by threat actors to deploy cryptomining malware, install backdoors and Remote Access Trojans (RATs), and drop other malware such as "GoThief" to exfiltrate sensitive data.
CVE-2020-8515 | Multiple DrayTek Vigor Routers Web Management Page Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek devices. It allows an unauthenticated attacker to execute arbitrary commands on the affected devices. Successful exploitation has been reported to result in the devices being hijacked for botnet use.
CVE-2023-49897 | FXC AE1021, AE1021PE OS Command Injection Vulnerability | primary_impact | T1496 | Resource Hijacking
Comments: CVE-2023-49897 is an OS command injection vulnerability affecting AE1021PE firmware. It has been publicly reported as exploited in the InfectedSlurs campaign to install a Mirai malware variant, with the aim of building a distributed denial-of-service (DDoS) botnet from the infected devices.
CVE-2023-47565 | QNAP VioStor NVR OS Command Injection Vulnerability | primary_impact | T1496 | Resource Hijacking
Comments: CVE-2023-47565 is an OS command injection vulnerability in QNAP VioStor network video recorder (NVR) devices. It has been publicly reported as exploited in the InfectedSlurs campaign to install a Mirai malware variant, with the aim of building a distributed denial-of-service (DDoS) botnet from the infected devices.
CVE-2023-1389 | TP-Link Archer AX-21 Command Injection Vulnerability | primary_impact | T1496 | Resource Hijacking
Comments: CVE-2023-1389 is a command injection vulnerability in one of the API components of the TP-Link Archer router's web management interface. Public reports indicate that multiple Mirai-variant botnets, including Condi, target these vulnerable devices.
CVE-2022-29303 | SolarView Compact Command Injection Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: CVE-2022-29303 is a command injection vulnerability in a PHP component of the product's web server. Reports indicate that it has been exploited by operators of Mirai botnet malware.
CVE-2021-44228 | Apache Log4j2 Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: CVE-2021-44228, known as Log4Shell, affects Apache's Log4j library, an open-source logging framework. An actor can exploit it by submitting a specially crafted request to a vulnerable system, causing that system to execute arbitrary code and giving the actor full control of it. The actor can then steal information, launch ransomware, deploy cryptocurrency miners, or conduct other malicious activity.
CVE-2021-35394 | Realtek Jungle SDK Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: The vulnerability in Realtek Jungle SDK chipsets is exploited by remote, unauthenticated attackers who send UDP packets to a server listening on port 9034, enabling remote execution of arbitrary commands. The attack injects a shell command that downloads and executes a shell script on the compromised device. That script uses wget and curl to fetch binaries for various CPU architectures, such as ARM, MIPS, and SuperH, primarily from the Mirai malware family, turning the device into a botnet node; other observed payloads come from the Gafgyt and Mozi families and from RedGoBot, a DDoS botnet written in Golang. RedGoBot can perform DDoS attacks over HTTP, ICMP, TCP, UDP, VSE, and OpenVPN upon receiving commands from the operator. Injected commands can also write binary payloads to files for execution, or reboot the targeted device to cause a denial of service.
CVE-2021-22205 | GitLab Community and Enterprise Editions Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: CVE-2021-22205 is a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands on affected systems. It was reported to be actively exploited to assemble botnets and launch very large distributed denial of service (DDoS) attacks.
CVE-2018-7600 | Drupal Core Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: CVE-2018-7600 is a remote code execution (RCE) vulnerability affecting Drupal 7 and 8. According to reports, successful exploitation gives the attacker control over a Drupal-run site's content (modification or deletion) and has been used in cryptojacking campaigns.
CVE-2018-11776 | Apache Struts Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: CVE-2018-11776 is a remote code execution vulnerability in the Apache Struts web application framework. Remote attackers can run malicious code on affected servers when alwaysSelectFullNamespace is true and results are used with no namespace. Volexity reported active scanning and exploitation attempts against CVE-2018-11776 to deploy cryptocurrency miners.
CVE-2017-9822 | DotNetNuke (DNN) Remote Code Execution Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: CVE-2017-9822 is a vulnerability in DotNetNuke (DNN) that allows an attacker to exploit insecure cookie deserialization, leading to remote code execution (RCE). It has been noted for its potential impact on a wide range of web applications.
CVE-2023-38035 | Ivanti Sentry Authentication Bypass Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: CVE-2023-38035 was exploited by unauthenticated actors who reached the System Manager Portal of Ivanti MobileIron Sentry on port 8443 and used the authentication bypass to achieve remote code execution. The flaw exposes sensitive APIs that let an attacker change configuration, execute system commands, or write files to the system. It was exploited in a campaign that included cryptocurrency mining and internal network reconnaissance: attackers executed OS commands as a system administrator via "sudo" and deployed additional tooling, and suspicious SSL connections to port 8443 were followed by HTTP GET requests indicating abuse of command-line utilities such as wget and cURL.
CVE-2019-18935 | Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability | primary_impact | T1496 | Resource Hijacking
Comments: CVE-2019-18935 is an insecure deserialization vulnerability in Telerik UI for ASP.NET AJAX, which does not properly validate serialized data supplied by the user. It allows remote code execution (RCE) and can lead to full system compromise.
CVE-2023-32315 | Ignite Realtime Openfire Path Traversal Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: CVE-2023-32315 is a path traversal bug in Openfire's administrative console that can be leveraged for remote code execution. Public reports indicate that threat actors exploited it to reach the Openfire plugins interface, create new admin console user accounts, install a malicious plugin, and obtain a web shell.
CVE-2025-4632 | Samsung MagicINFO 9 Server Path Traversal Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: By exploiting a path traversal vulnerability in Samsung MagicINFO 9 Server, an unauthenticated attacker can write arbitrary files with system privileges. This can be used to deploy malware or to hijack resources for activity such as cryptocurrency mining.
CVE-2023-22527 | Atlassian Confluence Data Center and Server Template Injection Vulnerability | primary_impact | T1496 | Resource Hijacking
Comments: CVE-2023-22527 is a template injection vulnerability that allows an unauthenticated adversary to achieve remote code execution. Adversaries have been observed exploiting this vulnerability for cryptomining purposes.
CVE-2021-26084 | Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability | secondary_impact | T1496 | Resource Hijacking
Comments: CVE-2021-26084 is a critical vulnerability affecting Atlassian Confluence Server and Data Center that allows unauthenticated remote code execution. This Object-Graph Navigation Language (OGNL) injection vulnerability enables attackers to execute arbitrary code on vulnerable Confluence instances.

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1496 | Resource Hijacking
Comments: The following Microsoft Sentinel Hunting queries can identify potential resource hijacking based on anomalies in access and usage patterns: "Anomalous Resource Creation and related Network Activity" and "Creation of an anomalous number of resources". The following Microsoft Sentinel Analytics queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] identify suspicious outliers in the quantity of resources requested; "Suspicious Resource deployment" identifies deployments from new, potentially malicious, users; "Process execution frequency anomaly" identifies execution patterns that may indicate hijacking; and "DNS events related to mining pools" identifies potential cryptocurrency mining activity.
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1496 | Resource Hijacking
Comments: This control detects file downloads associated with digital currency mining as well as host data related to process and command execution associated with mining. It also includes fileless attack detection, which specifically targets crypto mining activity. Temporal factor is unknown.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
security_command_center | Security Command Center | technique_scores | T1496 | Resource Hijacking
Comments: SCC detects compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. Because detection of this attack is near-real time, the control was graded as Significant.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
amazon_guardduty | Amazon GuardDuty | technique_scores | T1496 | Resource Hijacking
Comments: The following GuardDuty finding types flag events where adversaries may leverage the resources of co-opted systems to solve resource-intensive problems, which may impact system and/or hosted service availability:
  • CryptoCurrency:EC2/BitcoinTool.B
  • CryptoCurrency:EC2/BitcoinTool.B!DNS
  • Impact:EC2/BitcoinDomainRequest.Reputation
  • UnauthorizedAccess:EC2/TorRelay
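The Sentinel "DNS events related to mining pools" query and the GuardDuty CryptoCurrency:EC2/BitcoinTool.B!DNS and Impact:EC2/BitcoinDomainRequest.Reputation findings above all key on the same observable: a host resolving a known mining-pool domain, optionally corroborated by a miner process on the host. The Python below is an added example, not code from the original page, from Microsoft, or from AWS. It runs that check offline over constructed DNS and process-execution log lines. The pool domain list (under the reserved .test TLD), the log format, and the host names are assumptions made for the example; "xmrig" and the stratum+tcp:// URI scheme are real miner conventions. It also covers the edge case a name-only rule misses: a miner renamed to look like a kernel thread is still caught by its pool URI, while a look-alike domain that merely contains a listed pool name is not flagged.

```python
"""Added example: flag DNS lookups of mining-pool domains and miner process
launches in constructed log lines. Not Microsoft or AWS code; the pool domain
list, log format and host names are constructed for this example."""
import re
from dataclasses import dataclass

# Constructed pool indicator list (hypothetical domains under the .test TLD).
# In practice this would come from a threat-intel watchlist or reputation feed.
MINING_POOL_DOMAINS = {"pool.example-xmr.test", "eu.example-pool.test"}

# Real conventions: xmrig/minerd/cpuminer are common miner binary names, and
# miners reach pools with stratum+tcp:// or stratum+ssl:// URIs.
MINER_PROCESS_NAMES = {"xmrig", "minerd", "cpuminer"}
STRATUM_URI = re.compile(r"stratum\+(?:tcp|ssl)://[A-Za-z0-9.-]+:\d+")

# Constructed log formats used below:
#   "<ts> <host> dns query=<qname> type=<rrtype>"
#   "<ts> <host> proc exec=<path> args=<command line>"
DNS_LINE = re.compile(r"^\S+ (\S+) dns query=(\S+) type=\S+$")
PROC_LINE = re.compile(r"^\S+ (\S+) proc exec=(\S+) args=(.*)$")


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str       # "dns" or "process"
    evidence: str   # matched domain, stratum URI, or process name


def is_pool_domain(qname):
    """Exact or subdomain match only; a plain substring test would also fire on
    look-alikes such as pool.example-xmr.test.evil.test."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in MINING_POOL_DOMAINS)


def detect(lines):
    """Return one Finding per log line that matches a mining indicator."""
    findings = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m:
            host, qname = m.groups()
            if is_pool_domain(qname):
                findings.append(Finding(host, "dns", qname.rstrip(".").lower()))
            continue
        m = PROC_LINE.match(line)
        if m:
            host, exe, args = m.groups()
            name = exe.rsplit("/", 1)[-1].lower()
            uri = STRATUM_URI.search(args)
            # The URI check catches a renamed miner; the name check catches a
            # stock binary launched with its pool in a config file instead.
            if uri:
                findings.append(Finding(host, "process", uri.group(0)))
            elif name in MINER_PROCESS_NAMES:
                findings.append(Finding(host, "process", name))
    return findings


# Constructed sample telemetry.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z web-01 dns query=www.example.com. type=A",
    "2024-05-01T10:00:05Z web-01 dns query=us.pool.example-xmr.test. type=A",
    "2024-05-01T10:00:07Z web-01 proc exec=/tmp/.x/kworkerd args=-o stratum+tcp://eu.example-pool.test:3333 -u WALLET_PLACEHOLDER -k",
    "2024-05-01T10:01:00Z db-02 proc exec=/usr/bin/python3 args=app.py",
    "2024-05-01T10:02:00Z db-02 dns query=pool.example-xmr.test.evil.test. type=A",
    "2024-05-01T10:03:00Z build-03 proc exec=/opt/xmrig args=--config=cfg.json",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f.host}: {f.kind} -> {f.evidence}")
```

On the constructed sample the detector returns three findings (the web-01 DNS lookup, the renamed miner on web-01 identified by its stratum URI, and the stock xmrig binary on build-03) and correctly ignores the db-02 look-alike domain. Either product does the same matching against a maintained indicator list rather than a hard-coded set.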
aws_cloudwatch | AWS CloudWatch | technique_scores | T1496 | Resource Hijacking
Comments: AWS CloudWatch provides various metrics including CPU utilization, connections, disk space, memory, bytes sent/received, and the number of running containers, among others. The following metrics (not an exhaustive list) could be used to detect that the usage of a resource has increased, such as when an adversary hijacks a resource to perform intensive tasks.
Linux/Mac OS:
  • CPU: cpu_time_active, cpu_time_guest, cpu_usage_active, cpu_usage_guest
  • Disk: disk_free, disk_total, disk_used
  • Network: ethtool_bw_in_allowance_exceeded, ethtool_bw_out_allowance_exceeded, ethtool_conntrack_allowance_exceeded, net_bytes_recv, net_bytes_sent, net_packets_sent, net_packets_recv, netstat_tcp_established, netstat_tcp_listen
  • Memory and swap: mem_active, mem_available_percent, mem_free, swap_free, swap_used
  • Processes: processes_running, processes_total
Containers:
  • CpuUtilized, MemoryUtilized, NetworkRxBytes, NetworkTxBytes, node_cpu_usage_total, node_cpu_utilization, node_filesystem_utilization, node_memory_utilization
This mapping is given a score of Partial because it is not possible to differentiate between an authorized and an unauthorized increase in resource utilization.
aws_config | AWS Config | technique_scores | T1496 | Resource Hijacking
Comments: The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure alarms exist for spikes in resource utilization, which help to identify malicious use of resources within a cloud environment: "cloudwatch-alarm-action-check", "cloudwatch-alarm-resource-check", "cloudwatch-alarm-settings-check", "desired-instance-tenancy", "desired-instance-type", "dynamodb-autoscaling-enabled", "dynamodb-throughput-limit-check", "ec2-instance-detailed-monitoring-enabled", and "rds-enhanced-monitoring-enabled". Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only detect resource hijacking that results in a change in utilization significant enough to trigger alarms, resulting in an overall score of Partial.
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1496 | Resource Hijacking
Comments: The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices' resources to perform resource-intensive operations such as mining cryptocurrency or launching denial of service attacks against other environments:
  • "Destination IPs" ("aws:destination-ip-addresses") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties.
  • "Bytes in" ("aws:all-bytes-in"), "Bytes out" ("aws:all-bytes-out"), "Packets in" ("aws:all-packets-in"), and "Packets out" ("aws:all-packets-out") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include traffic related to resource hijacking.
  • "Listening TCP ports" ("aws:listening-tcp-ports"), "Listening TCP port count" ("aws:num-listening-tcp-ports"), "Established TCP connections count" ("aws:num-established-tcp-connections"), "Listening UDP ports" ("aws:listening-udp-ports"), and "Listening UDP port count" ("aws:num-listening-udp-ports") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may include traffic related to resource hijacking.
Coverage factor is partial, since these metrics are limited to IoT device hijacking, resulting in an overall score of Partial.
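The CloudWatch mapping above lists metrics whose increase can indicate hijacking but scores the control Partial because utilization alone cannot separate an authorized increase from an unauthorized one, and the IoT Device Defender mapping makes the same "outside of expected norms" argument for its byte, packet and port counts. The Python below is an added example (not code from the original page or from AWS) of the baseline-and-threshold logic both rely on, run over a constructed cpu_usage_active series. The sample values, the baseline length, the thresholds, the minimum run length and the change-management record are all assumptions made for the example; the same function applies unchanged to any of the listed metrics (net_bytes_sent, NetworkTxBytes, aws:all-bytes-out, and so on). The second function shows where the Partial score comes from: two runs that are numerically indistinguishable can only be told apart with context the metric does not carry.

```python
"""Added example: sustained-utilization check over constructed CloudWatch-style
metric samples. Not AWS code; sample data, thresholds and change windows are
constructed for illustration."""
from statistics import mean, pstdev

# Constructed cpu_usage_active samples (percent), one per collection interval.
# Indices 0-11: normal baseline. 12-13: a two-sample burst (too short to
# report). 16-19: a scheduled load test (authorized). 22-27: a sustained,
# unexplained run of the kind a resident cryptominer produces.
CPU_USAGE_ACTIVE = [10, 12, 9, 11, 13, 10, 12, 11, 9, 10, 12, 11,
                    90, 92, 14, 12,
                    93, 95, 94, 96, 13, 11,
                    98, 99, 97, 98, 99, 98]
BASELINE_SAMPLES = 12

# Constructed change-management record: (first_index, last_index) of approved
# work. This is the context the metric itself cannot supply.
CHANGE_WINDOWS = [(16, 19)]


def sustained_outliers(samples, baseline_n, k=3.0, min_delta=15.0, min_run=3):
    """Return (threshold, runs).

    The baseline is the first baseline_n samples, assumed benign. A sample is
    anomalous when it exceeds the baseline mean by max(k * stdev, min_delta);
    min_delta keeps a nearly flat baseline from alarming on trivial noise.
    Only runs of at least min_run consecutive anomalous samples are reported,
    which drops short bursts and keeps steady-state load such as mining.
    """
    base = samples[:baseline_n]
    threshold = mean(base) + max(k * pstdev(base), min_delta)
    runs, start = [], None
    for i in range(baseline_n, len(samples)):
        if samples[i] > threshold:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_run:
                runs.append((start, i - 1))
            start = None
    if start is not None and len(samples) - start >= min_run:
        runs.append((start, len(samples) - 1))
    return threshold, runs


def triage(samples, baseline_n, change_windows):
    """Label each reported run 'authorized' if it overlaps an approved change
    window, otherwise 'unexplained'. Without the windows every run is
    'unexplained', which is exactly why the metric-only control is Partial."""
    _, runs = sustained_outliers(samples, baseline_n)
    labelled = []
    for run_start, run_end in runs:
        authorized = any(run_start <= w_end and run_end >= w_start
                         for w_start, w_end in change_windows)
        labelled.append(("authorized" if authorized else "unexplained",
                         (run_start, run_end)))
    return labelled


if __name__ == "__main__":
    threshold, _ = sustained_outliers(CPU_USAGE_ACTIVE, BASELINE_SAMPLES)
    print(f"threshold: {threshold:.1f}%")
    for label, (first, last) in triage(CPU_USAGE_ACTIVE, BASELINE_SAMPLES, CHANGE_WINDOWS):
        print(f"{label}: samples {first}-{last}")
```

With the constructed data the baseline mean is about 10.8% and the threshold about 25.8%, so the two-sample burst at indices 12-13 is dropped, the load test at 16-19 is reported and then labelled authorized from the change record, and the run at 22-27 is reported as unexplained. A CloudWatch alarm or a Device Defender behavior profile implements the first function; the second is the analyst's step that no metric threshold can replace.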

M365 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1496 | Resource Hijacking
Comments: This control can identify some behaviors that are potential instances of resource hijacking. Relevant alerts include "Multiple VM Creation activities" and "Suspicious creation activity for cloud region".

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1496.003 | SMS Pumping | 8
T1496.002 | Bandwidth Hijacking | 6
T1496.004 | Cloud Service Hijacking | 7
T1496.001 | Compute Hijacking | 9