Skip to content

DET0415 Application Exhaustion Flood Detection Across Platforms

Item Value
ID DET0415
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1499.003 (Application Exhaustion Flood)

Analytics

Windows

AN1165

Repeated invocation of high-resource application endpoints or GUI components causing CPU and memory spikes, logged as elevated request volumes, prolonged handle locks, or frequent crash recoveries.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) WinEventLog:Application High-frequency errors or hangs from resource-intensive application components (e.g., .NET, IIS, Office Suite)
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Host Status (DC0018) Windows:perfmon Sudden spikes in CPU/Memory usage linked to specific application processes
Mutable Elements
Field Description
CPUThreshold Define what percentage of CPU usage indicates abnormal behavior.
MemoryConsumptionWindow Window (e.g., 5 mins) during which sustained memory usage may be abnormal.
AppCrashFrequency Threshold for frequency of application faults within a specific interval.

Linux

AN1166

Automated scripts or repeated CLI/API requests that trigger application backends to consume high CPU or memory (e.g., Apache/PHP, MySQL, mail servers), resulting in syslog errors and excessive process spawning.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Application Log Content (DC0038) linux:syslog Error/warning logs from services indicating load spike or worker exhaustion
Network Traffic Content (DC0085) NSM:Flow Sustained abnormal inbound request rate targeting application ports (e.g., 80/443/25)
Mutable Elements
Field Description
SyslogErrorRate Defines number of critical errors in logs within time window.
PortRequestSpikeThreshold Spike rate on monitored service port triggering alert.
ProcessSpawnRate Rate of process creation that may overwhelm the system.

macOS

AN1167

Repetitive triggering of GUI or backend application workflows that cause increased CPU/memory usage, logged in unified logs as spin reports or crash dumps.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) macos:unifiedlog Application errors or resource contention from excessive frontend or script invocation
Process Creation (DC0032) macos:osquery Rapid spawning of resource-heavy applications (e.g., Preview, Safari, Office)
Mutable Elements
Field Description
SpinReportCount Threshold for number of system spin/crash reports in a defined window.
HeavyAppReopenRate Frequency of user or script reopening GUI-heavy apps.

IaaS

AN1168

Automated abuse of cloud-hosted applications (e.g., web apps, REST endpoints, internal APIs) causing compute exhaustion, high 5xx error rates, or frequent autoscaling triggers logged in app insights or cloudwatch.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) AWS:CloudWatch Elevated 5xx response rates in application logs or gateway layer
Cloud Service Metadata (DC0070) AWS:CloudTrail InvokeFunction
Host Status (DC0018) AWS:CloudMetrics Autoscaling, memory/cpu alarms, or instance unhealthiness
Mutable Elements
Field Description
HTTP5xxRateThreshold Ratio of 5xx error codes over requests indicating resource exhaustion.
FunctionInvocationRate Spike in lambda/API gateway executions indicating scripted behavior.
AutoscaleEventCount Triggers linked to app DoS where legitimate scaling is mimicked.