Home/ MITRE Matrix/ Impact/ T1496

T1496Resource Hijacking

T1496 — Resource Hijacking is a MITRE ATT&CK technique in the Impact tactic. Clankerusecase tracks 14 detection use cases covering it and 11 threat-intel articles citing it.

Impact

View on the matrix → Filter Detection Library MITRE official spec ↗

14Use cases

11Articles

4Sub-techniques

1Tactic

Sub-techniques (4)

T1496.002 · Bandwidth Hijacking T1496.004 · Cloud Service Hijacking T1496.001 · Compute Hijacking T1496.003 · SMS Pumping

Use cases covering this technique (14)

Excessive resource consumption of third-party API Internal actions · hunting DD [LLM] Talos weekly prevalent malware hash execution (Coinminer/Injector/Dropper.Miner) Bespoke install · alerting DSΣPDDCS [LLM] nebula-mesh CVE-2026-47724 — operator sabotage (disable/enable/key revocation) by non-admin actor Bespoke actions · alerting SΣPDD [LLM] Smart-TV / mobile device acting as residential proxy exit node (high-fan-out HTTPS to unrelated public destinations) Bespoke actions · hunting DSP [LLM] Talos weekly prevalent malware SHA256 IOC sweep (Coinminer / Procpatcher / KMS activator) Bespoke install · alerting DSΣPDDCS [LLM] Container egress to cryptominer pool / Kinsing C2 Bespoke c2 · alerting DSΣPDDCS [LLM] powercfg sleep/hibernate disable burst (4-command sequence) Bespoke install · alerting DSPDDCS [LLM] Talos weekly prevalent-malware hash hit (Coinminer worm / TunMirror / SECOH-QAD / KMS-Loader) Bespoke install · alerting DSPDDCS [LLM] BadIIS traffic-hijacking: IIS 503 surge + anomalous external redirect ratio per site/hour Bespoke actions · hunting SP [LLM] Talos weekly top-prevalent malware hash watch (Coinminer / Injector / W32.Variant) Bespoke install · alerting DSΣPDD [LLM] UAT-8616 post-compromise on SD-WAN: SSH key add, NETCONF edit, su root, XMRig miner.sh Bespoke actions · alerting DSPDDCS [LLM] Qinglong .fullgc cryptominer execution with nohup backgrounding Bespoke install · alerting DSΣPDDCS [LLM] IndonesianFoods auto-publish artifact (auto.js / publishScript.js) dropped in node_modules Bespoke install · alerting DSΣPDDCS [LLM] TEA Protocol (tea.xyz) DNS resolution from developer or build endpoint Bespoke c2 · hunting DSΣPDDCS

Articles citing this technique (11)

high A tale of two eras art-40

crit [GHSA / CRITICAL] CVE-2026-47724: nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation art-96

high Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI art-114

high Reporting from Vegas: Networking, AI, and good boys art-126

crit What’s in the container? Analyzing vulnerabilities, risks and protection with Kaspersky Container Security and the KIRA AI assistant art-180

med Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years art-190

high The art of being ungovernable art-228

high The time of much patching is coming art-296

crit Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities art-302

high Qinglong task scheduler RCE vulnerabilities exploited in the wild for cryptomining art-353

high Automated Package-Publication Incident IndonesianFoods in the NPM Ecosystem Linked to Crypto Reward-Farming Scam art-704