DET0267: Resource Hijacking Detection Strategy
Analyst context for executives and security teams
DET0267 is a detection strategy placeholder for Resource Hijacking, mapped to ATT&CK technique T1496. The business issue is not just unauthorized compute use; it is availability, cloud cost, service degradation, and abuse of company infrastructure for profit-driven activity such as cryptocurrency mining, proxy resale, SMS traffic generation, or spam through cloud messaging services. Because the detection object has no official description or detection logic, teams should treat it as a prompt to validate whether they can recognize abnormal resource consumption and abuse patterns across the environments where T1496 applies: Windows, Linux, macOS, and IaaS.
Executive priority
Prioritize this as an operational resilience and cost-control question: can the organization quickly distinguish legitimate workload spikes from unauthorized resource use that may degrade hosted services or create unexpected cloud and infrastructure spend? Leaders should ask whether SOC, cloud operations, and incident response teams have shared visibility into compute, network, messaging, and billing anomalies, and whether evidence from those systems can support incident decisions and audit/compliance reporting.
Technical view
Because the ATT&CK detection strategy itself provides no official detection text, defenders should build validation around the related technique context for Resource Hijacking. SOC and detection engineering teams should confirm monitoring for unusual CPU/GPU/compute utilization, abnormal process behavior, unexpected outbound bandwidth use, suspicious messaging or SMS volume, and IaaS resource creation or scaling that does not match approved workloads. IR teams should be prepared to correlate endpoint, cloud control-plane, network, and billing evidence to determine whether resource use is legitimate, misconfigured, or adversary-driven.
Likely telemetry
- Endpoint performance and process telemetry from Windows, Linux, and macOS systems where available
- Cloud/IaaS activity logs for resource creation, scaling, instance changes, and workload identity activity
- Cloud billing, quota, and usage metrics that show unusual spend or resource consumption
- Network flow or proxy telemetry showing unexpected high-volume outbound traffic or proxy-like behavior
- Messaging, SMS, or cloud communication service logs showing abnormal volume or sending patterns
Detection direction
- Validate that alerting covers abnormal resource consumption, not only malware signatures or known tools.
- Tune detections against known business workload patterns to reduce false positives from batch jobs, autoscaling, maintenance, analytics, or seasonal traffic.
- Correlate endpoint resource spikes with cloud control-plane events, network egress, messaging activity, and billing changes to strengthen confidence.
- Review blind spots where cloud usage, messaging services, or endpoint performance data are owned by teams outside the SOC.
- Use the related T1496 impact context to prioritize detections that identify availability degradation, unexpected cost growth, or abuse of hosted services.
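The correlation the list above describes can be sketched as code. The following is an added example, not part of the ATT&CK object or of Glexia's analysis: it takes constructed endpoint process samples, flow records and IaaS control-plane events, suppresses processes that a hypothetical per-host baseline (`KNOWN_HOT`) expects to run hot, flags only sustained rather than momentary CPU use, and then raises confidence only when network egress and cloud scaling in the same window agree. All hostnames, process names, identities and thresholds are invented for the illustration.

```python
"""Baseline-aware resource-hijacking triage: correlate sustained endpoint CPU use
with egress volume and IaaS scaling in the same window (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class ProcSample:      # endpoint performance telemetry: one process, one sampling interval
    ts: datetime
    host: str
    process: str
    cpu_pct: float


@dataclass(frozen=True)
class FlowRecord:      # network flow telemetry: bytes leaving a host per interval
    ts: datetime
    host: str
    bytes_out: int


@dataclass(frozen=True)
class CloudEvent:      # IaaS control-plane event: instances created by an identity
    ts: datetime
    actor: str
    instances: int


# Hypothetical per-host baseline of processes that are expected to run hot.
KNOWN_HOT = {"build-01": {"clang", "ninja"}}
CONFIDENCE = {1: "low", 2: "medium", 3: "high"}


def sustained_cpu(samples, threshold=85.0, min_minutes=10):
    """Map (host, process) -> start of the first run of consecutive samples at or above
    `threshold` that lasts at least `min_minutes`. Baselined processes are skipped.
    Assumes each series is sampled at a regular interval."""
    by_key = defaultdict(list)
    for s in samples:
        if s.process not in KNOWN_HOT.get(s.host, set()):
            by_key[(s.host, s.process)].append(s)
    hits = {}
    for key, series in by_key.items():
        run_start = None
        for s in sorted(series, key=lambda x: x.ts):
            if s.cpu_pct < threshold:
                run_start = None          # a dip ends the run; brief spikes never qualify
                continue
            run_start = run_start or s.ts
            if s.ts - run_start >= timedelta(minutes=min_minutes):
                hits[key] = run_start
                break
    return hits


def egress_spike(flows, host, start, window=timedelta(hours=1), factor=10):
    """True when the host's median bytes_out after `start` is >= `factor` x its median before."""
    before = [f.bytes_out for f in flows if f.host == host and f.ts < start]
    after = [f.bytes_out for f in flows if f.host == host and start <= f.ts < start + window]
    if not before or not after:
        return False                      # no baseline or no observation: do not guess
    return median(after) >= factor * max(median(before), 1)


def scaling_burst(events, start, window=timedelta(hours=1), max_instances=5):
    """Identities that created more than `max_instances` within the window after `start`."""
    per_actor = defaultdict(int)
    for e in events:
        if start <= e.ts < start + window:
            per_actor[e.actor] += e.instances
    return {actor: n for actor, n in per_actor.items() if n > max_instances}


def correlate(samples, flows, events):
    """One finding per sustained-CPU hit; confidence grows with each corroborating source."""
    findings = []
    for (host, proc), start in sustained_cpu(samples).items():
        signals = ["sustained_cpu"]
        if egress_spike(flows, host, start):
            signals.append("egress_spike")
        burst = scaling_burst(events, start)
        if burst:
            signals.append("iaas_scaling:" + ",".join(sorted(burst)))
        findings.append({"host": host, "process": proc, "start": start,
                         "signals": signals, "confidence": CONFIDENCE[min(len(signals), 3)]})
    return findings


# Constructed sample telemetry (all values invented). Samples are 5 minutes apart.
T0 = datetime(2026, 1, 15, 10, 0)
def t(minutes): return T0 + timedelta(minutes=minutes)

SAMPLES = (
    [ProcSample(t(m), "web-03", "svc-helper", 94.0) for m in (0, 5, 10, 15)]   # unfamiliar, pinned
    + [ProcSample(t(0), "db-02", "postgres", 91.0),                               # brief spike only
       ProcSample(t(5), "db-02", "postgres", 35.0), ProcSample(t(10), "db-02", "postgres", 30.0)]
    + [ProcSample(t(m), "build-01", "clang", 99.0) for m in (0, 5, 10, 15)]     # expected, baselined
)
FLOWS = ([FlowRecord(t(m), "web-03", 5_000_000) for m in range(-30, 0, 5)]
         + [FlowRecord(t(m), "web-03", 400_000_000) for m in (0, 5, 10, 15)])
EVENTS = [CloudEvent(t(-30), "svc-ci", 2), CloudEvent(t(4), "svc-web", 12), CloudEvent(t(9), "svc-web", 8)]

if __name__ == "__main__":
    for f in correlate(SAMPLES, FLOWS, EVENTS):
        print(f)
```

Run as written, the script reports a single high-confidence finding for `web-03`: the compiler on `build-01` is suppressed by the baseline, the one-off `postgres` spike on `db-02` never becomes a sustained run, and only `web-03` has a sustained run that coincides with a tenfold egress increase and a burst of instance creation by `svc-web`. Each helper deliberately returns "no signal" when it lacks a baseline rather than guessing, which is the practical consequence of the baseline-and-ownership point in the mitigation list.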
Mitigation priorities
- Establish baselines and ownership for normal compute, bandwidth, messaging, and IaaS usage before relying on anomaly detection.
- Ensure SOC, cloud operations, and incident response teams have access to the telemetry needed to investigate resource abuse across endpoints and IaaS.
- Apply least-privilege and change-control practices for creating or scaling cloud resources and using cloud messaging services.
- Set practical quota, budget, and usage alerts to support early response to abnormal consumption.
- Document response playbooks for isolating affected hosts or cloud resources while preserving evidence needed for investigation and business decisions.
Analyst notes and limits
The source object is a detection strategy with no official description, no official detection text, and no platforms or tactics specified on the object itself. The practical guidance here is therefore derived from its explicit relationship to ATT&CK technique T1496 Resource Hijacking, whose supplied context identifies the Impact tactic, the Windows, IaaS, Linux, and macOS platforms, and examples of resource abuse.
This take does not assert a specific analytic, tool, adversary, active exploitation, or guaranteed detection coverage. Local environment baselines, cloud architecture, service ownership, and available telemetry are required to turn this strategy into reliable detections.
Resource Hijacking Detection Strategy
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1496 | Resource Hijacking | This object detects Resource Hijacking. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4ebd742d2bfc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0267
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.