MITRE ATT&CK® Technique

T1496: Resource Hijacking

Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

Resource hijacking may take a number of different forms. For example, adversaries may:

* Leverage compute resources in order to mine cryptocurrency
* Sell network bandwidth to proxy networks
* Generate SMS traffic for profit
* Abuse cloud-based messaging services to send large quantities of spam messages

In some cases, adversaries may leverage multiple types of Resource Hijacking at once.[1]

Enterprise | T1496 | Technique | Object v2.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Resource Hijacking matters because an intrusion may not be aimed at stealing data first; it may be aimed at monetizing your compute, bandwidth, SMS, messaging, or cloud-service capacity. The business effect is still material: degraded systems, unexpected cloud or telecom spend, service instability, abuse complaints, and incident response pressure across endpoints, IaaS, containers, SaaS, and messaging services.

Executive priority

Treat this as an operational resilience and cost-control risk, not only a malware issue. Leaders should ask whether cloud, SaaS, messaging, endpoint, and network usage baselines are monitored well enough to spot abnormal resource consumption before it becomes outage, fraud cost, or abuse-report evidence. Priority should go to environments where resource use directly affects customer-facing availability or variable billing, including IaaS, SaaS messaging, SMS, and internet bandwidth.

Technical view

ATT&CK lists this as an Impact technique across Windows, Linux, macOS, IaaS, Containers, and SaaS, with sub-techniques for Compute Hijacking, Bandwidth Hijacking, SMS Pumping, and Cloud Service Hijacking. SOC and IR teams should validate monitoring for abnormal CPU/GPU or process activity, unusual outbound bandwidth, unexpected proxy-like traffic, spikes in SMS or messaging volume, and abnormal SaaS/cloud service use. Because MITRE provides no official detection text for this parent technique, detection engineering should use the related DET0267 Resource Hijacking Detection Strategy and the sub-technique contexts to build environment-specific analytics.

Likely telemetry

  • Endpoint process, command, and resource-utilization telemetry from Windows, Linux, and macOS systems
  • Cloud/IaaS utilization, billing, quota, instance, container, and service activity logs
  • Container runtime and orchestration telemetry where container platforms are in scope
  • Network flow, proxy, DNS, and egress-volume telemetry for bandwidth abuse patterns
  • SaaS audit logs and service usage metrics for messaging, email, notification, or SMS services

Detection direction

  • Baseline normal resource consumption by workload, user, service, region, and time period; alert on sustained or unexplained deviations rather than single noisy spikes.
  • Correlate high CPU, high bandwidth, or messaging spikes with new processes, new containers, unusual service accounts, recent credential use, or unexpected SaaS/API activity.
  • Tune separately for the sub-technique patterns: compute exhaustion/cryptocurrency-mining-like behavior, proxy or bandwidth resale behavior, SMS pumping, and SaaS messaging abuse.
  • Account for false positives from legitimate batch jobs, backups, autoscaling, marketing campaigns, load tests, and incident-driven traffic surges.
  • Close blind spots around unmanaged cloud accounts, limited SaaS audit retention, incomplete egress visibility, container workloads, and cost data that is reviewed only after billing cycles.
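One way to implement the baseline-and-sustained-deviation logic described above, as an added example (not Glexia's or MITRE's code): it fits a per-workload baseline from constructed historical CPU samples, reports only runs of at least three consecutive out-of-baseline samples (so a single batch-job spike is ignored), and correlates each run with process starts in a short lookback window. The telemetry tuple format, the sample values and the process names are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry (assumed format): historical CPU% per workload,
# recent (minute, workload, cpu_percent) samples, and process-start events.
HISTORY = {
    "web-1": [20, 22, 19, 21, 23, 20, 18, 22],
    "build-2": [30, 35, 28, 33, 31, 29, 34, 30],
    "db-3": [40, 42, 41, 39, 43, 40, 41, 42],
}
SAMPLES = [
    (0, "web-1", 21), (1, "web-1", 20), (2, "web-1", 22), (3, "web-1", 19),
    (0, "build-2", 31), (1, "build-2", 95), (2, "build-2", 32), (3, "build-2", 30),
    (0, "db-3", 41), (1, "db-3", 98), (2, "db-3", 99), (3, "db-3", 97), (4, "db-3", 98),
]
PROCESS_STARTS = [(1, "build-2", "make"), (0, "db-3", "unknown-worker")]

def fit_baseline(history):
    """Per-workload (mean, stdev) of historical utilization; stdev floored at 1."""
    return {w: (mean(v), pstdev(v) or 1.0) for w, v in history.items()}

def sustained_deviations(samples, baseline, z=3.0, min_run=3):
    """Return {workload: (first_minute, last_minute)} for runs of at least
    min_run consecutive samples above the z-score threshold. A single spike
    shorter than min_run (a batch job, a backup) is deliberately ignored."""
    by_workload = defaultdict(list)
    for minute, workload, value in sorted(samples):
        by_workload[workload].append((minute, value))
    findings = {}
    for workload, series in by_workload.items():
        mu, sigma = baseline[workload]
        run = []
        for minute, value in series + [(None, mu)]:  # sentinel flushes the last run
            if (value - mu) / sigma > z:
                run.append(minute)
                continue
            if len(run) >= min_run:
                findings[workload] = (run[0], run[-1])
            run = []
    return findings

def correlate_with_process_starts(findings, starts, lookback=2):
    """Attach process starts seen up to `lookback` minutes before each run began."""
    return {w: [p for m, pw, p in starts if pw == w and start - lookback <= m <= start]
            for w, (start, _) in findings.items()}

if __name__ == "__main__":
    hits = sustained_deviations(SAMPLES, fit_baseline(HISTORY))
    print(hits, correlate_with_process_starts(hits, PROCESS_STARTS))
```

In production the baseline would be fitted per workload, service and time period from historical telemetry rather than a fixed list, and the min_run and z thresholds tuned against known batch, backup and autoscaling activity.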

Mitigation priorities

  • Establish cost, quota, rate-limit, and anomaly monitoring for cloud, SaaS, SMS, and messaging services that can generate variable spend or abuse traffic.
  • Harden identity and access paths to resource-bearing services, especially service accounts, API keys, SaaS administrators, and cloud roles.
  • Limit unnecessary outbound network access and monitor high-volume egress destinations where business need is not established.
  • Apply workload governance for IaaS and containers, including visibility into new compute creation and sustained abnormal utilization.
  • Prepare IR runbooks for containing resource abuse without disrupting critical services, including suspension of abused credentials, throttling of messaging services, and preservation of usage evidence.

Analyst notes and limits

The supplied ATT&CK object is broad and impact-focused. Its value for defenders is in mapping resource abuse to concrete business assets: compute, network bandwidth, SMS, cloud messaging, and SaaS services. The related sub-techniques provide useful scoping: Compute Hijacking, Bandwidth Hijacking, SMS Pumping, and Cloud Service Hijacking. The supplied external reference notes examples where multiple forms may occur together, but this take does not infer active exploitation or specific actor activity.

MITRE does not provide official detection text for this parent technique in the supplied fields. No mitigations were supplied as ATT&CK relationships. Detection and control recommendations therefore remain conservative and must be validated against local platforms, logging coverage, billing models, SaaS providers, and business-approved high-resource activities.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
| --- | --- | --- | --- |
| Enterprise | T1496.001 | Compute Hijacking | Sub-technique of this object |
| Enterprise | T1496.002 | Bandwidth Hijacking | Sub-technique of this object |
| Enterprise | T1496.003 | SMS Pumping | Sub-technique of this object |
| Enterprise | T1496.004 | Cloud Service Hijacking | Sub-technique of this object |
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: a5ef477f43c805ae...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
| --- | --- | --- | --- | --- | --- |
| 19.1 | | 2.0 | | Current bundle | a5ef477f43c8… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Sysdig Cryptojacking Proxyjacking 2023
     Miguel Hernandez. (2023, August 17). LABRAT: Stealthy Cryptojacking and Proxyjacking Campaign Targeting GitLab. Retrieved September 25, 2024.
  2. [2] mitre-attack T1496

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.