T1496 is the unauthorised use of cloud compute for the attacker's own workloads: cryptomining, illicit relay infrastructure, abuse of egress bandwidth. DCV's detection set is dominated by signature-based controls: GuardDuty's CryptoCurrency:EC2/BitcoinTool family, BitcoinDomainRequest, and GCP SCC's CRYPTOMINING and CRYPTO_MINER_POOL_DOMAIN_CONTACTED. The remediation template adds egress filtering for known crypto pools. T1496 is one of the few attack patterns where billing alerts and detection reinforce each other: an unexplained spend spike on an account that also carries a cryptomining finding is far stronger evidence than either signal alone.
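As an added example (not DCV's or CloudSigma's code), the following Python sketches the correlation described above: it keeps only findings from the families this page names, escalates those whose account also has an open billing anomaly, and collects the contacted domains as candidates for the remediation egress filter. The finding shape, sample findings, account ids and domains are constructed, not the raw GuardDuty or SCC schema.

```python
from dataclasses import dataclass

# Finding families this page names for T1496. Substring match on purpose:
# GuardDuty appends variants (".B", "!DNS") and SCC categories carry prefixes;
# tune this tuple to what your tenant actually emits.
T1496_FAMILIES = (
    "CryptoCurrency:EC2/BitcoinTool",
    "BitcoinDomainRequest",
    "CRYPTOMINING",
    "CRYPTO_MINER_POOL_DOMAIN_CONTACTED",
)

@dataclass
class Alert:
    account: str
    resource: str
    finding_type: str
    severity: str  # "high" when a billing anomaly corroborates the finding

def is_t1496(finding_type: str) -> bool:
    """True when the finding type belongs to a family named on this page."""
    return any(fam in finding_type for fam in T1496_FAMILIES)

def triage(findings, billing_anomalies):
    """Correlate T1496 detections with cost-anomaly alerts.

    findings: dicts with keys account, resource, type and optional domain
    (a simplified, constructed shape). billing_anomalies: set of account ids
    whose spend alert has fired. Returns (alerts, high severity first,
    sorted contacted domains as egress-blocklist candidates).
    """
    alerts, domains = [], set()
    for f in findings:
        if not is_t1496(f["type"]):
            continue  # not a T1496 signal; other playbooks own it
        corroborated = f["account"] in billing_anomalies
        alerts.append(Alert(f["account"], f["resource"], f["type"],
                            "high" if corroborated else "medium"))
        if f.get("domain"):
            domains.add(f["domain"])  # pool domain for the egress filter
    alerts.sort(key=lambda a: a.severity != "high")  # stable: high first
    return alerts, sorted(domains)

# Constructed sample input: placeholder accounts, resources and domains.
SAMPLE_FINDINGS = [
    {"account": "111111111111", "resource": "i-0aaa", "domain": "pool.example",
     "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS"},
    {"account": "222222222222", "resource": "i-0bbb", "domain": "pool2.example",
     "type": "Impact:EC2/BitcoinDomainRequest.Reputation"},
    {"account": "222222222222", "resource": "i-0ccc",
     "type": "Recon:EC2/PortProbeUnprotectedPort"},  # unrelated, filtered out
    {"account": "333333333333", "resource": "projects/p/vm-1",
     "domain": "pool.example", "type": "CRYPTO_MINER_POOL_DOMAIN_CONTACTED"},
]
SAMPLE_BILLING_ANOMALIES = {"111111111111"}  # only this account has a spend alert
```

Running `triage(SAMPLE_FINDINGS, SAMPLE_BILLING_ANOMALIES)` yields one high and two medium alerts plus the two domains to review before adding them to the egress filter.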
Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
Resource hijacking may take a number of different forms. For example, adversaries may:
* Leverage compute resources in order to mine cryptocurrency
* Sell network bandwidth to proxy networks
* Generate SMS traffic for profit
* Abuse cloud-based messaging services to send large quantities of spam messages
In some cases, adversaries may leverage multiple types of Resource Hijacking at once.
Platforms: Windows, IaaS, Linux, macOS, Containers, SaaS.
DCV maps 34 detections across 3 cloud providers to T1496. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Config Rules | AWS | 17 | 0.60 |
| AWS GuardDuty | AWS | 8 | 0.89 |
| GCP Security Command Center | GCP | 5 | 0.95 |
| AWS Security Hub | AWS | 1 | 0.70 |
| Azure Policy | Azure | 1 | 0.80 |
| GCP Chronicle | GCP | 1 | 0.95 |
| Microsoft Defender for Cloud | Azure | 1 | 0.80 |
CloudSigma has coverage metadata for 34 T1496 rules across 3 platforms. The linked platform page remains the canonical rule surface; no public example rule has yet cleared the embed bar for this page, and one will be embedded here once it does. In the meantime, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 34 cloud-native detections to T1496 across 3 cloud providers, drawn from AWS Config Rules, AWS GuardDuty, AWS Security Hub, Azure Policy, GCP Chronicle, GCP Security Command Center and Microsoft Defender for Cloud.
T1496 is part of MITRE ATT&CK TA0040 Impact: How adversaries disrupt or destroy systems and data.
CloudSigma ships 3 validated Sigma rules for T1496 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.