
DET0518 Behavioral Detection of T1498 – Network Denial of Service Across Platforms

Item Value
ID DET0518
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1498 (Network Denial of Service)

Analytics

Windows

AN1434

Executable or script generating large outbound network traffic targeting remote hosts or known amplification ports

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
ThresholdEventVolume Number of connections per second that should trigger anomaly logic
DestinationDiversity Count of unique destination IPs or ports
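The two mutable elements above only describe the thresholds; the following is an added worked example (not code from the ATT&CK page) that applies them to Sysmon Event ID 3 records. The records, the threshold values, the pipe-delimited key=value rendering and the list of UDP amplification ports are assumptions made for the illustration; only the Sysmon field names (UtcTime, Image, Protocol, Initiated, DestinationIp, DestinationPort) come from the real Event ID 3 schema.

```python
"""Constructed example of the AN1434 threshold logic over Sysmon EventCode=3 records.

Added illustration, not the page's or MITRE's code. Thresholds, sample data and the
amplification-port list are assumptions; field names follow Sysmon Event ID 3.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD_EVENT_VOLUME = 50   # connections per second, per process (assumed value)
DESTINATION_DIVERSITY = 20    # unique destination IP:port pairs, per process (assumed value)
# UDP services commonly abused for reflection/amplification (assumed watch list).
AMPLIFICATION_PORTS = {53, 123, 161, 389, 1900, 11211}


def parse_sysmon3(line):
    """Parse a pipe-delimited key=value rendering of a Sysmon Event ID 3 record."""
    ev = dict(kv.split("=", 1) for kv in line.split("|"))
    ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    ev["DestinationPort"] = int(ev["DestinationPort"])
    return ev


def evaluate(lines, rate_threshold=THRESHOLD_EVENT_VOLUME,
             diversity_threshold=DESTINATION_DIVERSITY):
    """Return {Image: list of reasons} for processes that trip the analytic."""
    stats = defaultdict(lambda: {"per_sec": defaultdict(int), "dests": set(), "amp": set()})
    for line in lines:
        ev = parse_sysmon3(line)
        if ev.get("Initiated", "false") != "true":
            continue                      # inbound connections are out of scope here
        s = stats[ev["Image"]]
        s["per_sec"][ev["UtcTime"].replace(microsecond=0)] += 1   # one-second buckets
        s["dests"].add((ev["DestinationIp"], ev["DestinationPort"]))
        if ev["Protocol"] == "udp" and ev["DestinationPort"] in AMPLIFICATION_PORTS:
            s["amp"].add(ev["DestinationPort"])
    findings = {}
    for image, s in stats.items():
        reasons = []
        peak = max(s["per_sec"].values())
        if peak >= rate_threshold:
            reasons.append(f"peak {peak} conn/s >= {rate_threshold}")
        if len(s["dests"]) >= diversity_threshold:
            reasons.append(f"{len(s['dests'])} unique destinations >= {diversity_threshold}")
        if s["amp"]:
            reasons.append("amplification ports " + ",".join(map(str, sorted(s["amp"]))))
        if reasons:
            findings[image] = reasons
    return findings


def _event(t, image, ip, port, proto="udp", initiated="true"):
    return (f"UtcTime={t:%Y-%m-%d %H:%M:%S.%f}|EventCode=3|Image={image}|Protocol={proto}"
            f"|Initiated={initiated}|DestinationIp={ip}|DestinationPort={port}")


def sample_lines():
    """Constructed sample: one flooding process plus two benign browser connections."""
    t0 = datetime(2025, 10, 21, 12, 0, 0)
    flood = r"C:\Users\user\AppData\Local\Temp\flood.exe"
    # 60 outbound UDP datagrams to 60 different hosts on NTP/SSDP ports within one second.
    lines = [_event(t0 + timedelta(milliseconds=15 * i), flood,
                    f"192.0.2.{i % 254 + 1}", 123 if i % 2 else 1900)
             for i in range(60)]
    browser = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    lines.append(_event(t0, browser, "198.51.100.10", 443, proto="tcp"))
    lines.append(_event(t0 + timedelta(seconds=1), browser, "198.51.100.11", 443, proto="tcp"))
    return lines


if __name__ == "__main__":
    for image, reasons in evaluate(sample_lines()).items():
        print(image, "->", "; ".join(reasons))
```

Raising the two thresholds for a noisy host leaves only the amplification-port reason standing, which is why the port list is worth keeping as an independent signal rather than folding it into the volume test.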

Linux

AN1435

Flooding tools like hping3 or nping sending large volumes of packets across multiple ports or IPs

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL Execution of network stress tools or anomalies in socket/syscall behavior
Network Traffic Flow (DC0078) NSM:Flow High volume flows with incomplete TCP sessions or single-packet bursts
Mutable Elements
Field Description
PacketRateThreshold Packets per second beyond normal behavior
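As an added worked example (not code from the ATT&CK page), the following combines the two Linux log sources above: it flags auditd EXECVE records whose argv[0] is a known stress tool (auditd emits an EXECVE record carrying argv alongside the SYSCALL record for execve), and it flags source hosts whose flow records show a packet rate above PacketRateThreshold made up almost entirely of unanswered or single-packet flows. The record layouts are assumptions for the constructed sample: a Zeek-style conn.log subset (ts, id.orig_h, id.resp_h, id.resp_p, proto, conn_state, orig_pkts, resp_pkts, where conn_state S0 means a connection attempt with no reply), the threshold values, and the INCOMPLETE_RATIO knob, which the page does not define.

```python
"""Constructed example of the AN1435 logic: stress-tool execution in auditd plus
high-rate flows of incomplete TCP sessions in NSM flow data.

Added illustration, not the page's or MITRE's code. Thresholds, record layouts and
sample data are assumptions; auditd EXECVE syntax and Zeek conn_state semantics are real.
"""
import re
from collections import defaultdict

PACKET_RATE_THRESHOLD = 1000   # originator packets per second, per source host (assumed)
INCOMPLETE_RATIO = 0.9         # minimum share of flows that never saw a reply (assumed)
STRESS_TOOLS = {"hping3", "nping"}   # tools named by the analytic; extend as needed

_ARG_RE = re.compile(r'\ba(\d+)="([^"]*)"')


def tool_executions(audit_lines):
    """Return (timestamp, argv) for auditd EXECVE records whose a0 is a known stress tool."""
    hits = []
    for line in audit_lines:
        if "type=EXECVE" not in line:
            continue
        argv = [v for _, v in sorted(_ARG_RE.findall(line), key=lambda kv: int(kv[0]))]
        if argv and argv[0].rsplit("/", 1)[-1] in STRESS_TOOLS:
            ts = re.search(r"audit\(([\d.]+):", line).group(1)
            hits.append((ts, argv))
    return hits


def flood_sources(flow_lines, rate_threshold=PACKET_RATE_THRESHOLD, ratio=INCOMPLETE_RATIO):
    """Return {src_ip: (peak_pkts_per_sec, incomplete_share)} for hosts tripping both tests."""
    header = flow_lines[0].split("\t")
    per_src = defaultdict(lambda: {"pps": defaultdict(int), "flows": 0, "incomplete": 0})
    for line in flow_lines[1:]:
        rec = dict(zip(header, line.split("\t")))
        s = per_src[rec["id.orig_h"]]
        opkts, rpkts = int(rec["orig_pkts"]), int(rec["resp_pkts"])
        s["pps"][int(float(rec["ts"]))] += opkts      # one-second buckets
        s["flows"] += 1
        # S0 = SYN seen, no reply (Zeek); a lone packet with nothing back is treated alike.
        if (rec["proto"] == "tcp" and rec["conn_state"] == "S0") or (opkts == 1 and rpkts == 0):
            s["incomplete"] += 1
    out = {}
    for src, s in per_src.items():
        peak = max(s["pps"].values())
        share = s["incomplete"] / s["flows"]
        if peak >= rate_threshold and share >= ratio:
            out[src] = (peak, round(share, 3))
    return out


FLOW_HEADER = "ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\torig_pkts\tresp_pkts"


def sample_audit_lines():
    """Constructed auditd records: an hping3 SYN flood launch and an ordinary command."""
    return [
        'type=EXECVE msg=audit(1761048000.101:4001): argc=6 a0="/usr/sbin/hping3" a1="-S" '
        'a2="--flood" a3="-p" a4="80" a5="203.0.113.5"',
        'type=EXECVE msg=audit(1761048000.250:4002): argc=2 a0="ls" a1="-la"',
    ]


def sample_flow_lines():
    """Constructed flows: 1500 unanswered SYNs from 10.0.0.5 in one second, two normal sessions from 10.0.0.7."""
    lines = [FLOW_HEADER]
    for i in range(1500):
        lines.append(f"1761048000.{i:06d}\t10.0.0.5\t{20000 + i}\t203.0.113.5\t80\ttcp\tS0\t1\t0")
    lines.append("1761048000.500000\t10.0.0.7\t51000\t203.0.113.5\t80\ttcp\tSF\t12\t10")
    lines.append("1761048001.100000\t10.0.0.7\t51001\t203.0.113.5\t443\ttcp\tSF\t30\t28")
    return lines


if __name__ == "__main__":
    print(tool_executions(sample_audit_lines()))
    print(flood_sources(sample_flow_lines()))
```

Matching on the basename of argv[0] catches both `hping3` and `/usr/sbin/hping3`, but not a renamed copy of the binary, which is why the flow-based test is the one that does not depend on the attacker's tooling.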