Skip to content

DET0208 Endpoint Resource Saturation and Crash Pattern Detection Across Platforms

Item Value
ID DET0208
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1499 (Endpoint Denial of Service)

Analytics

Windows

AN0584

Excessive resource exhaustion or service crash induced by processes launched by users or scripts that rapidly consume CPU/memory or attempt malformed service interactions.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Application Log Content (DC0038) WinEventLog:Application Service crash, unhandled exception, or application hang warnings for critical services (e.g., IIS, DNS, SQL Server)
Host Status (DC0018) WinEventLog:System System shutdowns due to bugcheck (Event ID 1001) or watchdog timer expirations
Mutable Elements
Field Description
TimeWindow Number of service crashes or high-CPU events within a defined time period
ServiceTarget Specific service name or executable targeted for DoS (e.g., svchost.exe, w3wp.exe)
CPUThresholdPercent CPU usage percent considered anomalous over duration

Linux

AN0585

Malicious script or binary causes repeated kernel panics, OOM kills, or systemd service restarts targeting services like nginx, httpd, sshd.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Host Status (DC0018) linux:syslog Out of memory killer invoked or kernel panic entries
Application Log Content (DC0038) journald:systemd Repeated service restart attempts or unit failures
Mutable Elements
Field Description
ServiceName Targeted daemon/service such as sshd, nginx, mysql
RestartThreshold Number of restarts in short succession to trigger alert
OOMKillCount Count of OOM kills over a time window

macOS

AN0586

Adversary launches high-entropy process or malformed app bundle causing repeated application crashes and system slowdowns.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) macos:unifiedlog Repeated process crashes logged by CrashReporter or system instability logs in com.apple.console
Host Status (DC0018) macos:unifiedlog Spike in CPU or memory use from non-user-initiated processes
Mutable Elements
Field Description
CrashCountThreshold Number of app crashes within monitoring window
PayloadEntropyThreshold Used for high-entropy binaries often observed in DoS malware samples

IaaS

AN0587

Instance enters degraded/unhealthy state due to abnormal process load or memory exhaustion, often caused by automation or script-based attacks.

Log Sources
Data Component Name Channel
Host Status (DC0018) AWS:CloudWatch StatusCheckFailed or StatusCheckFailed_System for burstable instances (t2/t3)
Instance Start (DC0080) AWS:CloudTrail StartInstances
Network Traffic Flow (DC0078) VPCFlowLogs:All High volume internal traffic with low entropy indicating looped or malicious DoS script
Mutable Elements
Field Description
InstanceType Burstable vs compute-optimized instances impact DoS effect
FailureThreshold How many consecutive StatusCheckFailed events to consider critical

Containers

AN0588

Container orchestrator logs show crashlooping pods, repeated resource exhaustion, or malicious binaries with infinite loops consuming systemd/cgroup limits.

Log Sources
Data Component Name Channel
Host Status (DC0018) kubernetes:events CrashLoopBackOff, OOMKilled, container restart count exceeds threshold
Application Log Content (DC0038) docker:events Container exited with non-zero code repeatedly in short period
Mutable Elements
Field Description
RestartCountThreshold Number of container restarts within a time window
ContainerImageEntropy Payload entropy of container image as an anomaly factor