MITRE ATT&CK · TA0040 Impact

T1496 Resource Hijacking

Detection coverage in DCV across AWS, Azure and GCP for Resource Hijacking, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-04-24.

01 What is T1496?

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

Resource hijacking may take a number of different forms. For example, adversaries may:

* Leverage compute resources in order to mine cryptocurrency
* Sell network bandwidth to proxy networks
* Generate SMS traffic for profit
* Abuse cloud-based messaging services to send large quantities of spam messages

In some cases, adversaries may leverage multiple types of Resource Hijacking at once.

Platforms: Windows, IaaS, Linux, macOS, Containers, SaaS.

02 Coverage in DCV

DCV maps 34 detections across 3 cloud providers to T1496. Coverage by source:

Source                          Cloud   Findings mapped   Avg confidence
AWS Config Rules                AWS     17                0.60
AWS GuardDuty                   AWS     8                 0.89
GCP Security Command Center     GCP     5                 0.95
AWS Security Hub                AWS     1                 0.70
Azure Policy                    Azure   1                 0.80
GCP Chronicle                   GCP     1                 0.95
Microsoft Defender for Cloud    Azure   1                 0.80

03 Detect with CloudSigma

CloudSigma ships 3 Sigma rules that detect T1496 across 3 platforms; each is validated against its source SIEM dialect before publication, but check the status field of a rule before treating it as production-ready. The AWS CloudTrail rule is shown below.

Example: AWS Resource Creation Indicating Cryptomining or Resource Hijacking

This rule is currently experimental: CloudSigma generated it from upstream threat intelligence. Before enabling it in production, work through the falsepositives section and add matching exclusions, either as extra filter selections in the rule or as suppressions in your SIEM, for your environment's known automation (Auto Scaling launches, CI/CD deploy roles), service accounts and IP allowlist. The falsepositives list itself is documentation for the analyst; it does not change what the rule matches.

Sigma rule · CloudSigma 2026-02-06
title: AWS Resource Creation Indicating Cryptomining or Resource Hijacking
id: 8d9e0f1a-2b3c-4d4e-5f6a-7b8c9d0e1f2a
status: experimental
description: >
    Detects creation of compute resources such as EC2 instances or Lambda
    functions that may indicate resource hijacking for cryptocurrency
    mining or other unauthorized compute-intensive operations.
author: CloudSigma
date: 2026-02-06
references:
    - https://attack.mitre.org/techniques/T1496/
    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/LaunchingAndUsingInstances.html
tags:
    - attack.impact
    - attack.t1496
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_ec2:
        eventSource: ec2.amazonaws.com
        eventName: RunInstances
    selection_lambda:
        eventSource: lambda.amazonaws.com
        eventName: CreateFunction20150331
    filter_known_services:
        userIdentity.type: AWSService
    condition: (selection_ec2 or selection_lambda) and not filter_known_services
falsepositives:
    - Auto-scaling groups launching new EC2 instances in response to increased load
    - CI/CD pipelines deploying new Lambda function versions during release cycles
level: medium
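The rule's condition evaluated over a handful of CloudTrail records, as an added example that is not part of the CloudSigma library: the matching below is a hand-written re-implementation of the rule's selections and condition, not a Sigma backend. It also carries out the tuning step the note above asks for, adding filters for the two documented false positives, and a triage pass that tags surviving RunInstances hits whose instance type or launch count looks mining-like. The five events are constructed; the account ID, role names, the illustrative GPU instance-family list, and the use of userIdentity.invokedBy to recognise Auto Scaling launches are assumptions for this example, to be confirmed against your own CloudTrail records before reuse.

```python
"""Evaluate the CloudSigma T1496 rule over constructed CloudTrail records
and apply one tuning step for its two listed false positives.

Added example: a hand-written re-implementation of the rule's detection
block, not a Sigma backend. Account ID, role names, the invokedBy
convention and the instance-family list are assumptions for illustration.
"""

# Constructed CloudTrail records, trimmed to the fields used below.
SAMPLE_EVENTS = [
    {   # 1: IAM user launching eight GPU instances at once
        "eventID": "ev-1", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-jane"},
        "requestParameters": {"instanceType": "p3.8xlarge",
                              "instancesSet": {"items": [{"minCount": 8, "maxCount": 8}]}},
    },
    {   # 2: Auto Scaling scaling out through its service-linked role (assumed shape)
        "eventID": "ev-2", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "userIdentity": {"type": "AssumedRole", "invokedBy": "autoscaling.amazonaws.com",
                         "arn": "arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForAutoScaling/AutoScaling"},
        "requestParameters": {"instanceType": "t3.medium",
                              "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}},
    },
    {   # 3: CI/CD deploy role creating a Lambda function during a release
        "eventID": "ev-3", "eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/github-actions"},
    },
    {   # 4: AWS service principal, dropped by filter_known_services
        "eventID": "ev-4", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "userIdentity": {"type": "AWSService", "invokedBy": "ecs.amazonaws.com"},
    },
    {   # 5: read-only call, matches no selection
        "eventID": "ev-5", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-jane"},
    },
]

# The rule's detection block, transcribed as field/value maps.
SELECTION_EC2 = {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"}
SELECTION_LAMBDA = {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331"}
FILTER_KNOWN_SERVICES = {"userIdentity.type": "AWSService"}

# Tuning added here (assumptions): Auto Scaling launches carry invokedBy,
# and the organisation's CI/CD deploy role has this ARN prefix.
FILTER_AUTOSCALING = {"userIdentity.invokedBy": "autoscaling.amazonaws.com"}
CI_DEPLOY_ROLE_PREFIX = "arn:aws:sts::111122223333:assumed-role/ci-deploy/"

# Illustrative accelerated (GPU/inference) instance families; extend for your estate.
ACCELERATED_FAMILIES = {"p2", "p3", "p4d", "p5", "g4dn", "g5", "inf1", "inf2"}
BULK_LAUNCH_THRESHOLD = 5


def get_field(event, dotted):
    """Resolve a Sigma-style dotted field name such as 'userIdentity.type'."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def selection_matches(event, selection):
    """A Sigma selection map is an AND of exact field/value pairs."""
    return all(get_field(event, f) == v for f, v in selection.items())


def rule_as_published(event):
    """condition: (selection_ec2 or selection_lambda) and not filter_known_services"""
    hit = selection_matches(event, SELECTION_EC2) or selection_matches(event, SELECTION_LAMBDA)
    return hit and not selection_matches(event, FILTER_KNOWN_SERVICES)


def rule_tuned(event):
    """Published rule plus exclusions for the two documented false positives."""
    if not rule_as_published(event):
        return False
    if selection_matches(event, FILTER_AUTOSCALING):
        return False
    arn = get_field(event, "userIdentity.arn") or ""
    if selection_matches(event, SELECTION_LAMBDA) and arn.startswith(CI_DEPLOY_ROLE_PREFIX):
        return False
    return True


def triage_tags(event):
    """Request attributes that push a surviving RunInstances hit toward 'mining-like'."""
    tags = []
    family = (get_field(event, "requestParameters.instanceType") or "").split(".")[0]
    if family in ACCELERATED_FAMILIES:
        tags.append("accelerated-instance-type")
    items = get_field(event, "requestParameters.instancesSet.items") or []
    if sum(i.get("maxCount", 0) for i in items) >= BULK_LAUNCH_THRESHOLD:
        tags.append("bulk-launch")
    return tags


def evaluate(events):
    """Return {eventID: (published_hit, tuned_hit, tags)} for every record."""
    return {e["eventID"]: (rule_as_published(e), rule_tuned(e),
                           triage_tags(e) if rule_tuned(e) else [])
            for e in events}


if __name__ == "__main__":
    for event_id, (published, tuned, tags) in evaluate(SAMPLE_EVENTS).items():
        print(f"{event_id}: published={published} tuned={tuned} tags={tags}")
```

Run directly, it prints one line per event: ev-2 and ev-3 fire under the published condition and are suppressed once the two exclusions are applied, ev-4 is dropped by the rule's own filter_known_services, and ev-1 survives with both triage tags. Expressing the exclusions as additional filter_* selections in the Sigma rule, rather than as per-SIEM suppression lists, keeps the tuned rule portable across the backends CloudSigma targets.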

04 Related techniques

Sources
  • MITRE ATT&CK, https://attack.mitre.org/techniques/T1496/
  • MITRE Tactic TA0040 Impact, https://attack.mitre.org/tactics/TA0040/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings (https://center-for-threat-informed-defense.github.io/security-stack-mappings/)
Last verified: 2026-04-24