Skip to content

DET0304 Detection Strategy for Endpoint DoS via Application or System Exploitation

Item Value
ID DET0304
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1499.004 (Application or System Exploitation)

Analytics

Windows

AN0850

Exploitation of system or application vulnerability (e.g., CVE-based exploit) followed by service crash, restart, or repeated failure within a short time frame, impacting application/system availability.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) WinEventLog:Application EventCode=1000
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Service Creation (DC0060) WinEventLog:System EventCode=7031, 7034
Mutable Elements
Field Description
TimeWindow Time window between repeated service crashes or restarts (e.g., 5 crashes within 1 hour)
TargetApplication Critical applications to monitor based on environment (e.g., web server, database, VPN)

Linux

AN0851

User or remote input triggers application crash or segmentation fault (e.g., SIGSEGV) with service recovery attempts, observed via audit logs and systemd journaling.

Log Sources
Data Component Name Channel
Process Termination (DC0033) auditd:SYSCALL Process segfault or abnormal termination after invoking vulnerable syscall sequence
Application Log Content (DC0038) journald:Application Segfault or crash log entry associated with specific application binary
Network Traffic Content (DC0085) NSM:Flow Unusual request pattern leading up to service crash (e.g., malformed or oversized payload)
Mutable Elements
Field Description
CrashPattern Specific binary fault signature or stack trace identifiers unique to the application context
ExploitSourceIP Suspect source IPs for correlation across requests and service failure timing

macOS

AN0852

Application crash or repeated restart cycle triggered by malformed input or exploit file, observed via unified logs and process crash monitoring.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) macos:unifiedlog Crash log entries for a process receiving malformed input or known exploit patterns
Process Creation (DC0032) macos:unifiedlog Unusual child process tree indicating attempted recovery after crash
Mutable Elements
Field Description
CrashSignature Binary crash hash or affected dylib for distinguishing malicious faults from benign ones
InputVector File, IPC, or network-based input that may be triggering exploitation (e.g., PDF file, POST request)

IaaS

AN0853

Cloud workload exploitation leads to repeated container, service, or VM termination/restart, typically associated with CVE-based crash triggers or fuzzed payloads.

Log Sources
Data Component Name Channel
Instance Stop (DC0089) AWS:CloudTrail TerminateInstances
Application Log Content (DC0038) AWS:CloudWatch Repeated crash pattern within container or instance logs
Network Traffic Content (DC0085) AWS:VPCFlowLogs Large volume of malformed or synthetic payloads to application endpoints prior to failure
Mutable Elements
Field Description
CrashThreshold Number of repeated crashes or terminations observed before triggering alert
ServiceID Cloud service name, workload, or container ID to scope alerting