Skip to content

DET0356 Endpoint DoS via OS Exhaustion Flood Detection Strategy

Item Value
ID DET0356
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1499.001 (OS Exhaustion Flood)

Analytics

Windows

AN1012

Burst of incomplete TCP handshakes (e.g., SYN floods) or uncorrelated ACK packets targeting the state table resulting in OS resource exhaustion.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Host Status (DC0018) WinEventLog:Microsoft-Windows-TCPIP Connection queue overflow or failure to allocate TCP state object
Network Traffic Content (DC0085) NSM:Firewall High rate of inbound TCP SYN or ACK packets with missing 3-way handshake completion
Mutable Elements
Field Description
TimeWindow Threshold for burst traffic over short period (e.g., 30s - 2min)
ConnectionRateThreshold SYN/ACK packet rate threshold that triggers investigation
ProcessParentCheck Whether parent process of flooding tool is a known admin shell or unexpected context

Linux

AN1013

Flood of spoofed SYN or ACK packets causing exhaustion of OS TCP state table, potentially via user-space utilities or kernel-level DoS agents.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL Invocation of packet generation tools (e.g., hping3, nping) or fork bombs
Network Traffic Flow (DC0078) NSM:Flow High volumes of SYN/ACK packets with unacknowledged TCP handshakes
Host Status (DC0018) NSM:Flow TCP: possible SYN flood or backlog limit exceeded
Mutable Elements
Field Description
AmplificationThreshold Volume of fake TCP requests before OS begins degradation
Interface Which network interface is being targeted or impacted

macOS

AN1014

Adversary tool/script issuing mass SYN/ACK floods that degrade OS responsiveness and interrupt service response on macOS endpoints.

Log Sources
Data Component Name Channel
Host Status (DC0018) macos:unifiedlog network stack resource exhaustion, tcp_accept queue overflow, repeated resets
Process Creation (DC0032) macos:osquery Execution of flooding tools or compiled packet generators
Network Traffic Content (DC0085) NSM:Firewall Anomalous TCP SYN or ACK spikes from specific source or interface
Mutable Elements
Field Description
SystemLoadThreshold Observed CPU/network degradation level that triggers response
ToolExecutionPath Where DoS tools are commonly dropped or compiled