detection.wiki

Endpoint Denial of Service T1499

Tactic: Impact

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.

Events covered

11 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 3Network connection
Security-AuditingEvent ID 5152The Windows Filtering Platform blocked a packet.
Security-AuditingEvent ID 5154The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Security-AuditingEvent ID 5155The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Security-AuditingEvent ID 5156The Windows Filtering Platform has permitted a connection.
Security-AuditingEvent ID 5157The Windows Filtering Platform has blocked a connection.
Security-AuditingEvent ID 5158The Windows Filtering Platform has permitted a bind to a local port.
Security-AuditingEvent ID 5159The Windows Filtering Platform has blocked a bind to a local port.
Application-ErrorEvent ID 1000Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.
Linux-AuditdEvent ID 1302PATH
Audit-CVEEvent ID 1Possible detection of CVE: PossibleDetectionOfCVE.

Authoring guide

Patterns shared across the 38 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (55 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
DeviceEventClassID6ne 4, eq 2asc, audit, campaigns, hsc
DeviceProduct6eq 6X Series
DeviceVendor6eq 6Vectra Networks
EventType4eq 3, in 1DetectionSummaryEvent, ErrorLog, IntrusionEvent, application.integration.rate_limit_exceeded, core.concurrency.org.limit.violation
Provider_Name4eq 4Application Error, Audit-CVE, Microsoft-Windows-Audit-CVE, Ntfs
sourcetype4eq 3, in 1auditd, cisco:sfw:estreamer, ollama:server, vmw-syslog, vmware:esxlog*
triaged3ne 3True
Category2in 2BOTNET ACTIVITY, COMMAND & CONTROL, EXFILTRATION
Status2eq 2429, Deny
aws::errorCode2is_null 2
aws::eventName2in 2FailoverDBCluster, FailoverGlobalCluster, RebootDBCluster, RebootDBInstance, RebootDBShardGroup
aws::eventSource2eq 2rds.amazonaws.com
data.description2eq 2Dynamic client registration, Guardian - Second factor sms sent
data.type2eq 2gd_send_sms, sapi
data_stream.dataset2eq 1, in 1network_traffic.dns, okta.system, zeek.dns

Top indicator values (108 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
DeviceProducteq
X Series
67
DeviceVendoreq
Vectra Networks
67
DeviceEventClassIDne
asc
44
DeviceEventClassIDne
audit
44
DeviceEventClassIDne
campaigns
44
DeviceEventClassIDne
health
44
DeviceEventClassIDne
hsc
44
triagedne
True
33
Categoryin
BOTNET ACTIVITY
22
Categoryin
COMMAND & CONTROL
22
Categoryin
EXFILTRATION
22
Categoryin
LATERAL MOVEMENT
22
Categoryin
RECONNAISSANCE
22
Provider_Nameeq
Application Error
25
aws::eventSourceeq
rds.amazonaws.com
223
levelin
Critical
22
levelin
High
22
typeeq
PATH
219
AdditionalExtensionscontains
account
1
AppNameeq
lsass.exe
12
Computerin
DC01.simulandlabs.com
1
Computerin
DC02.simulandlabs.com
1
Countgt
5000
13
Datacontains
lsass.exe
1
Datacontains
wldap32.dll
1
Descriptioncontains
contains a corrupted file record
1
Descriptioncontains
the name of the file is "\"
1
DestinationPorteq
53
1
DestinationPortNameeq
dns
15
DeviceEventClassIDeq
asc
1

Exclusions (4 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
AdditionalExtensionscontains
account
1
EventTypein
flow_terminated
1
EventTypein
network_flow
1
event.durationgt
60000000000
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 9 rules

Elastic 5 rules

Splunk 5 rules

Kusto 14 rules

Panther 5 rules