MITRE ATT&CK® Technique

T1496.002: Bandwidth Hijacking

Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate Network Denial of Service campaigns and/or to seed malicious torrents.[1] Alternatively, they may engage in proxyjacking by selling use of the victims' network bandwidth and IP address to proxyware services.[2] Finally, they may engage in internet-wide scanning in order to identify additional targets for compromise.[3]

In addition to incurring potential financial costs or availability disruptions, this technique may cause reputational damage if a victim’s bandwidth is used for illegal activities.[2]

Enterprise | T1496.002 | Sub-technique | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Bandwidth Hijacking matters because a compromised endpoint, container, or cloud workload can become a cost and availability problem even when data theft is not the visible outcome. ATT&CK describes adversaries using victim bandwidth for botnet activity, proxyjacking, malicious torrent seeding, or internet-wide scanning. For leaders, the practical issue is whether the organization can quickly distinguish legitimate high-volume network use from unauthorized consumption that may disrupt services, increase cloud or network costs, or create reputational exposure if the organization’s IP space is abused.

Executive priority

Treat this as an operational resilience and accountability risk under the broader Resource Hijacking impact technique. Security leaders should ask whether SOC, cloud, and infrastructure teams have usable evidence for unusual outbound bandwidth, unexpected proxy-like behavior, container or IaaS egress spikes, and scanning-like traffic. The business decision value is strongest where bandwidth costs, hosted service availability, customer-facing uptime, or reputation tied to corporate IP addresses are material.

Technical view

This sub-technique applies to Linux, Windows, macOS, IaaS, and Containers and sits under the Impact tactic. ATT&CK does not provide official detection text, but the supplied relationship identifies DET0028: Detect Excessive or Unauthorized Bandwidth Usage for Botnet, Proxyjacking, or Scanning Purposes. SOC and detection engineering teams should validate whether they can baseline normal egress volume and destination patterns per host, workload, container, account, and service, then investigate sustained or unusual bandwidth use that does not align with business function. IR teams should be prepared to correlate network spikes with process, workload, image, account, and recent exposure context where available.

Likely telemetry

  • Network flow records and egress volume by source system, workload, container, or cloud resource
  • Firewall, proxy, NAT, and gateway logs showing outbound destinations, ports, and transfer volume
  • Cloud IaaS network metrics, billing or usage indicators, and workload inventory context
  • Container runtime, image, and orchestration metadata tied to high-bandwidth workloads
  • Endpoint process and network connection telemetry on Linux, Windows, and macOS

Detection direction

  • Validate DET0028-style coverage for excessive or unauthorized bandwidth usage rather than relying only on malware signatures.
  • Build baselines by asset role; developer systems, update servers, backup systems, CI/CD runners, cloud workloads, and content-heavy services may legitimately generate high traffic.
  • Tune for sustained outbound volume, unusual destination diversity, unexpected geographic or network destinations, proxy-like relay behavior, torrent-like activity, and internet-wide scanning patterns where telemetry supports it.
  • Correlate network anomalies with asset ownership, recent workload creation, container image changes, exposed services, and identity or environment-variable exposure context when available.
  • Watch for blind spots in cloud egress visibility, container-to-internet traffic, unmanaged endpoints, and NAT aggregation that can hide the true source of bandwidth abuse.
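As an added illustration of the baseline-by-role and scanning-pattern points above (example code written for this page, not MITRE's or Glexia's; the hosts, addresses, byte counts, roles and thresholds are all constructed):

```python
from collections import defaultdict
from statistics import mean

# Constructed sample flow records for one observation window, not real telemetry:
# (src_host, dst_ip, dst_port, bytes_out). Hosts, addresses and byte counts are invented.
FLOWS = (
    [("ws-042", "203.0.113.10", 443, 12_000), ("ws-042", "203.0.113.11", 443, 9_500)]
    # backup-01 legitimately ships about 40 GB to its single backup target
    + [("backup-01", "192.0.2.20", 22, 40_000_000_000)]
    # ws-077: 180 tiny flows to distinct hosts on one port, the shape of a scan
    + [("ws-077", f"198.51.100.{i}", 445, 120) for i in range(1, 181)]
    # ws-101: sustained large egress to three hosts, far above a workstation baseline
    + [("ws-101", f"203.0.113.{50 + i % 3}", 443, 300_000_000) for i in range(12)]
)

# Asset role per host and assumed per-role egress baseline (bytes per window).
ROLES = {"ws-042": "workstation", "ws-077": "workstation",
         "ws-101": "workstation", "backup-01": "backup-server"}
BASELINE_BYTES = {"workstation": 200_000_000, "backup-server": 100_000_000_000}

def profile(flows):
    """Per source host: total egress bytes, distinct destinations, mean bytes per flow."""
    per_host = defaultdict(list)
    for src, dst, _port, nbytes in flows:
        per_host[src].append((dst, nbytes))
    return {h: {"bytes_out": sum(b for _, b in v),
                "unique_dsts": len({d for d, _ in v}),
                "mean_flow_bytes": mean([b for _, b in v])}
            for h, v in per_host.items()}

def assess(flows, roles, baselines, volume_multiplier=5,
           scan_min_dsts=100, scan_max_mean=1024):
    """Return {host: [flags]} for hosts whose egress does not fit their role baseline."""
    findings = {}
    for host, p in profile(flows).items():
        flags = []
        baseline = baselines[roles.get(host, "workstation")]
        if p["bytes_out"] > volume_multiplier * baseline:
            flags.append("excessive_egress")  # sustained volume well above the role baseline
        if p["unique_dsts"] >= scan_min_dsts and p["mean_flow_bytes"] <= scan_max_mean:
            flags.append("scanning_like")  # many distinct targets with almost no payload
        if flags:
            findings[host] = flags
    return findings

if __name__ == "__main__":
    for host, flags in assess(FLOWS, ROLES, BASELINE_BYTES).items():
        print(f"{host}: {', '.join(flags)}")
```

The backup server stays quiet only because its role baseline is applied; the same 40 GB against a workstation baseline would be flagged, which is the point of baselining by asset role. Proxy-like relay behaviour is not modelled here because it needs flow duration and bidirectional byte counts that these records do not carry.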

Mitigation priorities

  • Prioritize visibility first: ensure network, cloud, container, and endpoint teams can attribute egress volume to a responsible system or workload.
  • Apply least-privilege egress controls where operationally feasible, especially for cloud workloads and containers that do not require broad internet access.
  • Use workload and asset baselines to define investigation thresholds for unusual bandwidth consumption and scanning-like behavior.
  • Include bandwidth abuse scenarios in incident response playbooks so teams can contain affected hosts or workloads without disrupting legitimate high-volume services.
  • Review cloud and network cost monitoring as supporting evidence for impact, escalation, and post-incident reporting.

Analyst notes and limits

The object is a new ATT&CK v19.1 sub-technique, T1496.002, under Resource Hijacking. The official description supports botnet, proxyjacking, malicious torrent seeding, and scanning use cases, with potential financial, availability, and reputational consequences. The most important defensive question is not whether bandwidth can be measured in aggregate, but whether abnormal use can be attributed quickly to the responsible endpoint, container, or IaaS workload.

ATT&CK provides no official detection text for this object in the supplied fields. Detection guidance here is derived from the object description, supported platforms, Impact tactic, and the supplied DET0028 relationship. Local baselines, architecture, logging coverage, and business-approved high-bandwidth use are required to determine what is suspicious.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID      Name                 Relationship / procedure
Enterprise  T1496   Resource Hijacking   This object is a sub-technique of Resource Hijacking.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 578486d57b3daf3f...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  578486d57b3d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] GoBotKR: Zuzana Hromcová. (2019, July 8). Malicious campaign targets South Korean users with backdoor-laced torrents. Retrieved March 31, 2022.
  2. [2] Sysdig Proxyjacking: Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.
  3. [3] Unit 42 Leaked Environment Variables 2024: Margaret Kelley, Sean Johnstone, William Gamazo, and Nathaniel Quist. (2024, August 15). Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud Environments. Retrieved September 25, 2024.
  4. [4] mitre-attack T1496.002.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.