1. Home
  2. ATT&CK Techniques
  3. T1496.002 Bandwidth Hijacking

T1496.002 Bandwidth Hijacking

Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate Network Denial of Service campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.(Citation: Sysdig Proxyjacking) Finally, they may engage in internet-wide scanning in order to identify additional targets for compromise.(Citation: Unit 42 Leaked Environment Variables 2024)

In addition to incurring potential financial costs or availability disruptions, this technique may cause reputational damage if a victim’s bandwidth is used for illegal activities.(Citation: Sysdig Proxyjacking)

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Hijack To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes) related-to T1496.002 Bandwidth Hijacking

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
azure_network_security_groups Azure Network Security Groups technique_scores T1496.002 Bandwidth Hijacking
Comments
This capability can be configured to limit bandwidth available to connections.
References
  1. https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics technique_scores T1496.002 Bandwidth Hijacking
Comments
This capability can detect anomalous network traffic indicative of bandwidth hijacking.
References
  1. https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics?tabs=Americas

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
security_command_center Security Command Center technique_scores T1496.002 Bandwidth Hijacking
Comments
SCC detect compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.
References
  1. ['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview'
  2. 'https://github.com/GoogleCloudPlatform/security-analytics']