# T1496 - Resource Hijacking

## Description from ATT&CK

> Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
>
> Resource hijacking may take a number of different forms. For example, adversaries may:
>
> * Leverage compute resources in order to mine cryptocurrency
> * Sell network bandwidth to proxy networks
> * Generate SMS traffic for profit
> * Abuse cloud-based messaging services to send large quantities of spam messages
>
> In some cases, adversaries may leverage multiple types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking 2023)

[Source](https://attack.mitre.org/techniques/T1496)

## Atomic Tests

- [Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes](#atomic-test-1-freebsdmacoslinux---simulate-cpu-load-with-yes)
- [Atomic Test #2: Windows - Simulate CPU Load with PowerShell](#atomic-test-2-windows---simulate-cpu-load-with-powershell)

### Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes

This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break.

**Supported Platforms:** Linux, macOS

**auto_generated_guid:** `904a5a0e-fb02-490d-9f8d-0e256eb37549`

#### Attack Commands: Run with `sh`!

```sh
yes > /dev/null
```

### Atomic Test #2: Windows - Simulate CPU Load with PowerShell

This test simulates high CPU load using PowerShell, commonly seen in resource hijacking. Spawns background jobs to stress CPU cores for a specified duration.

**Supported Platforms:** Windows

**auto_generated_guid:** `44315fb0-f78d-4cef-b10f-cf21c1fe2c75`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| duration_seconds | Duration in seconds to run the CPU stress test | integer | 30 |
| cpu_threads | Number of threads to stress (default 4) | integer | 4 |

#### Attack Commands: Run with `powershell`!

```powershell
$end = (Get-Date).AddSeconds(#{duration_seconds})
1..#{cpu_threads} | ForEach-Object {
    Start-Job {
        param($t)
        while((Get-Date) -lt $t) {
            $i=0; while($i -lt 200000){$i++}
        }
    } -ArgumentList $end
}
Get-Job | Wait-Job | Remove-Job
```
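
To check that monitoring notices the sustained load these tests generate, the following added example (not part of the Atomic Red Team test definitions) flags processes that stay above a CPU threshold for several consecutive sampling intervals while ignoring short bursts. The input format `epoch pid cpu_seconds comm`, the function name `sustained_cpu`, and the sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: detect sustained per-process CPU load from periodic samples.
# Assumed input, one line per process per sampling round:
#   <epoch> <pid> <cumulative_cpu_seconds> <comm>   (comm without spaces)
# Utilisation is computed from the delta between rounds, so a process is
# judged on what it is doing now, not on its lifetime average.
sustained_cpu() {
    # $1 = per-interval CPU% threshold, $2 = consecutive intervals required
    awk -v thr="$1" -v need="$2" '
        NF != 4 { next }                        # skip malformed lines
        {
            t = $1 + 0; cpu = $3 + 0
            key = $2 " " $4                     # pid + name guards against PID reuse
            if ((key in last_t) && cpu >= last_cpu[key] && t > last_t[key]) {
                util = 100 * (cpu - last_cpu[key]) / (t - last_t[key])
                run[key] = (util >= thr + 0) ? run[key] + 1 : 0
                if (run[key] > best[key] + 0) best[key] = run[key]
            } else {
                run[key] = 0                    # first sighting or counter reset
            }
            last_t[key] = t; last_cpu[key] = cpu
        }
        END {
            for (k in best)
                if (best[k] + 0 >= need + 0) print k, best[k]
        }
    ' | sort -n
}

# Constructed samples at 10-second intervals: "yes" burns a full core
# throughout, "sshd" is nearly idle, "gzip" shows one short burst.
SAMPLES='1000 4242 0 yes
1000 811 120 sshd
1010 4242 10 yes
1010 811 120 sshd
1020 4242 20 yes
1020 811 121 sshd
1030 4242 30 yes
1030 811 121 sshd
1030 5150 0 gzip
1040 5150 9 gzip
1050 5150 9 gzip'

# Output columns: pid, comm, longest run of intervals at or above threshold.
printf '%s\n' "$SAMPLES" | sustained_cpu 80 3
```

Requiring several consecutive intervals is what separates the `yes` process from the one-interval `gzip` burst; tune the threshold and run length to the host's normal workload before alerting on the result.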