Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate Network Denial of Service campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage in internet-wide scanning in order to identify additional targets for compromise.(Citation: Unit 42 Leaked Environment Variables 2024)
In addition to incurring potential financial costs or availability disruptions, this technique may cause reputational damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig Proxyjacking)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Hijack | To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) | related-to | T1496.002 | Bandwidth Hijacking |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1496.002 | Bandwidth Hijacking |
Comments
The following Microsoft Sentinel Hunting queries can identify potential compute hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources".
The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.
References
|
| azure_network_security_groups | Azure Network Security Groups | technique_scores | T1496.002 | Bandwidth Hijacking |
Comments
This capability can be configured to limit bandwidth available to connections.
References
|
| azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1496.002 | Bandwidth Hijacking |
Comments
This capability can detect anomalous network traffic indicative of bandwidth hijacking.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| security_command_center | Security Command Center | technique_scores | T1496.002 | Bandwidth Hijacking |
Comments
SCC detect compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.
References
|