Network Denial of Service T1498

Tactic: Impact

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.

Events covered

2 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 46 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row, however many predicates it places on that field.
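The normalization and counting described above, as an added example rather than the catalog's own code: vendor field names are folded onto one canonical row through an alias map, a rule is counted once per row no matter how many predicates it has there, and an operator is counted once per (rule, operator) pair, which is why a field can show ge 5 and le 5 for five rules. The alias map, the canonical name `process.name`, and the rule predicates are assumptions constructed for the example.

```python
"""Added example (not the catalog's code): build the field table from per-vendor
rule predicates. Alias map, canonical names and all rules are constructed."""
from collections import Counter, defaultdict

# Assumed alias map; the page does not state which canonical name the catalog uses.
FIELD_ALIASES = {
    "Image": "process.name",          # Sigma
    "process_name": "process.name",   # Splunk
    "process.name": "process.name",   # Elastic
}


def normalize_field(vendor_field: str) -> str:
    """Map a vendor field name to its canonical row; unknown names keep their own row."""
    return FIELD_ALIASES.get(vendor_field, vendor_field)


def build_field_table(predicates):
    """predicates: iterable of (rule_id, field, operator, value).

    Returns {row: {"rules": n, "how": {op: n}, "samples": [...]}} where
    - a rule counts once per row regardless of how many predicates it has there,
    - an operator counts once per distinct (rule, operator) pair on that row,
    - samples are the distinct literal values in first-seen order (None skipped).
    """
    rules = defaultdict(set)
    rule_ops = defaultdict(set)
    samples = defaultdict(list)
    for rule_id, field, op, value in predicates:
        row = normalize_field(field)
        rules[row].add(rule_id)
        rule_ops[row].add((rule_id, op))
        if value is not None and value not in samples[row]:
            samples[row].append(value)
    table = {}
    for row in rules:
        how = Counter(op for _, op in rule_ops[row])
        table[row] = {"rules": len(rules[row]), "how": dict(how), "samples": samples[row]}
    return table


# Constructed predicates from four hypothetical rules across three vendors.
SAMPLE_PREDICATES = [
    ("sigma-1",   "Image",          "contains",    "wordpad.exe"),
    ("sigma-1",   "Image",          "contains",    "taskmgr.exe"),  # same rule, same op: counted once
    ("elastic-1", "process.name",   "eq",          "wordpad.exe"),
    ("splunk-1",  "process_name",   "eq",          "taskmgr.exe"),
    ("kusto-1",   "HttpStatusCode", "ge",          500),
    ("kusto-1",   "HttpStatusCode", "le",          599),            # one rule, two operators: ge 1, le 1
    ("kusto-1",   "DomainName",     "is_not_null", None),
]

if __name__ == "__main__":
    for row, stats in build_field_table(SAMPLE_PREDICATES).items():
        how = ", ".join(f"{op} {n}" for op, n in sorted(stats["how"].items()))
        print(f"{row}\t{stats['rules']}\t{how}\t{', '.join(map(str, stats['samples']))}")
```

Running the block prints one line per row in the same Field / Rules / How / Sample values shape as the table that follows; the three process-name predicates collapse to a single `process.name` row with 3 rules and `contains 1, eq 2`.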

Fields filtered most (61 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, contains, in, ge, le, gt, is_null, is_not_null in the rows below) and how many rules use each; a rule that applies two operators to the same field, as the HttpStatusCode rules do with ge and le, is counted under both. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| DeviceEventClassID | 7 | contains 4, eq 2, in 1 | RPZ, 733100, 733101, 733102, 733103 |
| HttpStatusCode | 5 | ge 5, le 5 | 500, 599, 100, 399 |
| MultipleServerErrors | 5 | gt 5 | 100, 10 |
| count_ | 5 | gt 5 | 200, 1 |
| facility | 5 | eq 5 | PM, DHCP_SNOOPING, MIRROR, PORT_SECURITY, SISF |
| mnemonic | 5 | eq 4, in 1 | ERR_DISABLE, CFGLOG_LOGGEDCMD, DHCP_SNOOPING_UNTRUSTED_PORT, ETH_SPAN_SESSION_UP, IP_THEFT |
| Description | 4 | contains 3, eq 1 | Infoblox, Infoblox - HOST - Policy, Infoblox - URL, MalwareC2, attempted-dos |
| Active | 3 | eq 3 | true |
| Category | 3 | eq 2, contains 1 | DDoSMitigationFlowLogs, attempted denial of service, denial of service, detection of a denial of service attack |
| DomainName | 3 | is_not_null 3 | |
| HitTime | 3 | ge 3, lt 3 | ExpirationDateTime, TimeGenerated |
| ThreatLevel_Score | 3 | ge 3 | 80 |
| CommunicationDirection | 2 | is_null 2 | |
| DestinationDnsDomain | 2 | is_not_null 2 | |
| EventType | 2 | in 2 | ProcessRollup2, application.integration.rate_limit_exceeded, core.concurrency.org.limit.violation, exec, exec_event |

Top indicator values (115 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own (Active eq true, for instance, appears in 68 rules catalog-wide); combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| HttpStatusCode | ge | 500 | 5 | 5 |
| HttpStatusCode | le | 599 | 5 | 5 |
| DeviceEventClassID | contains | RPZ | 4 | 4 |
| MultipleServerErrors | gt | 100 | 4 | 4 |
| Active | eq | true | 3 | 68 |
| HitTime | ge | TimeGenerated | 3 | 3 |
| HitTime | lt | ExpirationDateTime | 3 | 3 |
| ThreatLevel_Score | ge | 80 | 3 | 3 |
| count_ | gt | 200 | 3 | 5 |
| count_ | gt | 1 | 2 | 8 |
| Category | eq | DDoSMitigationFlowLogs | 2 | 2 |
| ResourceType | eq | PUBLICIPADDRESSES | 2 | 2 |
| SyslogMessage | contains | vcf drop | 2 | 2 |
| facility | eq | PM | 2 | 2 |
| mnemonic | eq | ERR_DISABLE | 2 | 2 |
| "DNS.message_type" | eq | QUERY | 1 | |
| "DNS.record_type" | eq | ANY | 1 | |
| Action | in | Deny | 1 | 5 |
| Action | in | alert | 1 | 5 |
| Category | contains | attempted denial of service | 1 | |
| Category | contains | denial of service | 1 | |
| Category | contains | detection of a denial of service attack | 1 | |
| CommandLine | contains | -single | 1 | |
| CommandLine | contains | do start wordpad.exe /p | 1 | |
| CommandLine | contains | del c:\windows\system32\taskmgr.exe | 1 | |
| CommandLine | match | ;Set-Service -StartupType Disabled $ | 1 | |
| CommandLine | match | powershell -command "$x... | 1 | |
| ControlName_s | eq | AzureSecureScoreAdminMFAV2 | 1 | |
| DataObservedVia | ne | CDC | 1 | |
| Description | contains | Infoblox | 1 | |
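The most-shared pattern in the indicator table above is a server-error surge: HttpStatusCode between 500 and 599, counted per window and compared with a threshold (MultipleServerErrors gt 100, count_ gt 200). The following is an added example, not code from the catalog or from any vendor rule, that runs that logic over constructed access-log records and shows why a bare count is noisy: a busy API with a steady low error rate clears the 200 threshold just as the flooded site does, so the example adds an error-ratio guard as a second condition. The five-minute window, the 50% ratio, the host names and all log data are assumptions.

```python
"""Added example (not catalog or vendor code): the 5xx-surge pattern behind the
HttpStatusCode ge 500 / le 599, MultipleServerErrors gt 100 and count_ gt 200
indicators, run over constructed access-log records."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 300      # assumed 5-minute aggregation window
THRESHOLD = 200           # count_ gt 200, the most common threshold in the table
MIN_ERROR_RATIO = 0.5     # assumed second condition: share of responses that are 5xx


def is_server_error(status: int) -> bool:
    """HttpStatusCode ge 500 and le 599, the operator pair all five rules use."""
    return 500 <= status <= 599


def window_start(ts: datetime) -> datetime:
    """Align a timestamp to the start of its aggregation window (UTC, integer math)."""
    secs = int(ts.timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def detect_5xx_surge(records, threshold=THRESHOLD, min_ratio=MIN_ERROR_RATIO):
    """Return [(host, window_start, errors, total)] for every (host, window) whose
    5xx count exceeds `threshold` AND whose 5xx share is at least `min_ratio`.
    With min_ratio=0 this degrades to the bare count check the catalog rows show."""
    errors = defaultdict(int)
    totals = defaultdict(int)
    for rec in records:
        key = (rec["host"], window_start(rec["ts"]))
        totals[key] += 1
        if is_server_error(rec["status"]):
            errors[key] += 1
    hits = []
    for key, total in totals.items():
        err = errors[key]
        if err > threshold and err / total >= min_ratio:
            hits.append((key[0], key[1], err, total))
    return sorted(hits)


def build_sample():
    """Constructed access records (not real traffic): a small site flooded with
    503s, and a busy API whose steady 12.5% error rate also exceeds 200 per window."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    recs = []
    for i in range(260):                                # www: 250 x 503, 10 x 200
        recs.append({"ts": t0 + timedelta(seconds=i), "host": "www.example.test",
                     "status": 503 if i < 250 else 200})
    for i in range(2000):                               # api: 250 x 502, 1750 x 200
        recs.append({"ts": t0 + timedelta(milliseconds=100 * i), "host": "api.example.test",
                     "status": 502 if i % 8 == 0 else 200})
    return recs


if __name__ == "__main__":
    print("count + ratio:")
    for host, start, err, total in detect_5xx_surge(build_sample()):
        print(f"  {host} {start.isoformat()} {err}/{total} responses were 5xx")
    print("count only:")
    for host, start, err, total in detect_5xx_surge(build_sample(), min_ratio=0.0):
        print(f"  {host} {start.isoformat()} {err}/{total} responses were 5xx")
```

With the ratio guard only www.example.test fires; with `min_ratio=0.0` the API host fires as well on 250 errors out of 2000 responses, which is the false positive the Corpus reach note warns about. In a production rule the denominator would usually be a per-host baseline rather than a fixed ratio, but the shape of the second condition is the same.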

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.


Sigma 3 rules

Elastic 5 rules

Splunk 7 rules

Kusto 29 rules

YARA-L 1 rule

Panther 1 rule