T1499.004 Application or System Exploitation
Adversaries may exploit software vulnerabilities that cause an application or system to crash and deny availability to users.[1] Some systems automatically restart critical applications and services after a crash, but an adversary who can trigger the crash once can usually trigger it again after each restart, producing a persistent denial of service (DoS) condition.
Adversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems; because other applications and systems often depend on the crashed component, those dependents may be left in a DoS condition as well. Crashed or restarted applications or systems may also have other effects, such as Data Destruction, Firmware Corruption, or Service Stop, which can further deny availability to critical information, applications, and/or systems.
Item | Value |
---|---|
ID | T1499.004 |
Sub-techniques | T1499.001, T1499.002, T1499.003, T1499.004 |
Tactics | TA0040 (Impact) |
Platforms | Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS |
Version | 1.2 |
Created | 20 February 2020 |
Last Modified | 25 March 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0604 | Industroyer | Industroyer uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices.[3] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1037 | Filter Network Traffic | Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigation to filter traffic upstream from services.[2] Filter boundary traffic by blocking the source addresses originating the attack, the ports being targeted, or the protocols being used for transport. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
DS0029 | Network Traffic | Network Traffic Content |
DS0013 | Sensor Health | Host Status |
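The crash-and-restart loop described at the top of the page is visible in the Application Log and Sensor Health data sources above. As an added example (not part of the ATT&CK page and not any vendor's tooling), the following Python parses constructed systemd journal lines and flags a service that exits abnormally several times within a short window, while ignoring a clean `status=0/SUCCESS` stop. The log format, the hostnames and the unit name `acme-api.service` are assumptions.

```python
"""Flag services that crash and are restarted repeatedly in a short window.

Added example for the Detection section: not MITRE's or any vendor's code.
Input format, hostnames and the unit name "acme-api.service" are assumptions;
the log lines are constructed to resemble systemd journal output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: three SEGV crashes of one unit inside 30 s (a crash
# loop that auto-restart does not cure), one clean stop of another unit, and
# one isolated crash on a second host that should not alert on its own.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z host1 systemd[1]: acme-api.service: Main process exited, code=dumped, status=11/SEGV
2024-03-01T10:00:02Z host1 systemd[1]: acme-api.service: Scheduled restart job, restart counter is at 1.
2024-03-01T10:00:15Z host1 systemd[1]: acme-api.service: Main process exited, code=dumped, status=11/SEGV
2024-03-01T10:00:16Z host1 systemd[1]: acme-api.service: Scheduled restart job, restart counter is at 2.
2024-03-01T10:00:20Z host1 systemd[1]: nightly-report.service: Main process exited, code=exited, status=0/SUCCESS
2024-03-01T10:00:29Z host1 systemd[1]: acme-api.service: Main process exited, code=dumped, status=11/SEGV
2024-03-01T10:00:30Z host1 systemd[1]: acme-api.service: Scheduled restart job, restart counter is at 3.
2024-03-01T10:07:00Z host2 systemd[1]: acme-api.service: Main process exited, code=killed, status=9/KILL
"""

CRASH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) systemd\[\d+\]: (?P<unit>\S+): "
    r"Main process exited, code=(?P<code>\w+), status=(?P<status>\S+)$"
)


def parse_crashes(log_text):
    """Return (timestamp, host, unit, code, status) for every abnormal exit.

    A clean exit (code=exited, status=0/...) is a normal stop, not a crash,
    and is ignored; core dumps and signal kills are kept.
    """
    events = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if not m:
            continue
        if m["code"] == "exited" and m["status"].startswith("0/"):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["host"], m["unit"], m["code"], m["status"]))
    events.sort()
    return events


def find_crash_loops(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window count of abnormal exits per (host, unit).

    Returns {(host, unit): (count, first_ts, last_ts)} for every pair that
    reached `threshold` crashes within `window`; count is the peak seen.
    """
    recent = defaultdict(deque)  # (host, unit) -> crash timestamps still inside the window
    alerts = {}
    for ts, host, unit, _code, _status in events:
        key = (host, unit)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop crashes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(key)
            if prev is None or len(q) > prev[0]:
                alerts[key] = (len(q), q[0], ts)
    return alerts


if __name__ == "__main__":
    crashes = parse_crashes(SAMPLE_LOG)
    for (host, unit), (n, first, last) in find_crash_loops(crashes).items():
        print(f"{host} {unit}: {n} abnormal exits between {first:%H:%M:%S} "
              f"and {last:%H:%M:%S} (possible T1499.004 crash loop)")
```

The same logic applies to Windows Service Control Manager events 7031 and 7034 ("service terminated unexpectedly") once the timestamp and service name are extracted. A hit should be correlated with Network Traffic Content from the seconds before each exit, since the request that precedes every crash is the likely exploit payload, and with Host Status, because a host whose sensor stops reporting at the same moment may have been taken down by the same bug.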
References
- [1] Cid, D. (2015, August 2). BIND9 – Denial of Service Exploit in the Wild. Retrieved April 26, 2019.
- [2] Meintanis, S., Revuelto, V., Socha, K. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019.
- [3] Cherepanov, A. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved December 18, 2020.