T1496 Resource Hijacking

This diagnostic statement protects against Resource Hijacking through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.

The following Microsoft Sentinel Hunting queries can identify potential resource hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources". The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.

This control detects file downloads associated with digital currency mining as well as host data related to process and command execution associated with mining. It also includes fileless attack detection, which specifically targets crypto mining activity. Temporal factor is unknown.

SCC detect compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.

The following GuardDuty finding types flag events where adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. CryptoCurrency:EC2/BitcoinTool.B CryptoCurrency:EC2/BitcoinTool.B!DNS Impact:EC2/BitcoinDomainRequest.Reputation UnauthorizedAccess:EC2/TorRelay

AWS CloudWatch provides various metrics including CPU utilization, connections, disk space, memory, bytes sent/received, and the number of running containers among others. The following metrics (not an exhaustive list) could be used to detect if the usage of a resource has increased such as when an adversary hijacks a resource to perform intensive tasks. Linux/Mac OS ------------- cpu_time_active cpu_time_guest cpu_usage_active cpu_usage_guest disk_free disk_total disk_used ethtool_bw_in_allowance_exceeded ethtool_bw_out_allowance_exceeded ethtool_conntrack_allowance_exceeded mem_active mem_available_percent mem_free net_bytes_recv net_bytes_sent net_packets_sent net_packets_recv netstat_tcp_established netstat_tcp_listen processes_running processes_total swap_free swap_used Containers ---------- CpuUtilized MemoryUtilized NetworkRxBytes NetworkTxBytes node_cpu_usage_total node_cpu_utilization node_filesystem_utilization node_memory_utilization This mapping is given a score of Partial because it is not possible to differentiate between an authorized and unauthorized increase in resource utilization.

The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure alarms exist for spikes in resource utilization, which help to identify malicious use of resources within a cloud environment: "cloudwatch-alarm-action-check", "cloudwatch-alarm-resource-check", "cloudwatch-alarm-settings-check", "desired-instance-tenancy", "desired-instance-type", "dynamodb-autoscaling-enabled", "dynamodb-throughput-limit-check", "ec2-instance-detailed-monitoring-enabled", and "rds-enhanced-monitoring-enabled". Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only detect resource hijacking that results in a change in utilization that is significant enough to trigger alarms, resulting in an overall score of Partial.

The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices' resources to perform resource-intensive operations like mining cryptocurrency or performing denial of service attacks on other environments: "Destination IPs" ("aws:destination-ip-addresses") outside of expected IP address ranges may suggest that a device is communicating with unexpected parties. "Bytes in" ("aws:all-bytes-in"), "Bytes out" ("aws:all-bytes-out"), "Packets in" ("aws:all-packets-in"), and "Packets out" ("aws:all-packets-out") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may include traffic related to resource hijacking activities. "Listening TCP ports" ("aws:listening-tcp-ports"), "Listening TCP port count" ("aws:num-listening-tcp-ports"), "Established TCP connections count" ("aws:num-established-tcp-connections"), "Listening UDP ports" ("aws:listening-udp-ports"), and "Listening UDP port count" ("aws:num-listening-udp-ports") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols which may include traffic related to resource hijacking activities. Coverage factor is partial, since these metrics are limited to IoT device hijacking, resulting in an overall score of Partial.

This control can identify some behaviors that are potential instances of resource hijacking. Relevant alerts include "Multiple VM Creation activities" and "Suspicious creation activity for cloud region".