T1498 Network Denial of Service Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let KnownDosTools = dynamic([
  "hping3", "hping", "nping", "loic", "hoic", "slowloris", "goldeneye",
  "mausezahn", "t50", "trinoo", "tfn", "tfn2k", "stacheldraht", "trin00",
  "udpflood", "synflood", "icmpflood", "rudy", "pyloris", "xerxes",
  "hulk", "thc-ssl-dos", "siege", "ab.exe", "wrk", "vegeta"
]);
let DosToolPatterns = dynamic([
  "--flood", "--faster", "-flood", "--ddos", "-ddos",
  "sendudp", "sendtcp", "synflood", "udpflood", "icmpflood",
  "--interval 0", "-i 0", "--count 999999", "-c 999999",
  "nmap --script dos", "metasploit auxiliary/dos"
]);
let HighVolumeConnThreshold = 500;
let LookbackWindow = 1h;
// Detection 1: Known DoS tool execution
let DosToolExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (KnownDosTools)
    or ProcessCommandLine has_any (DosToolPatterns)
    or ProcessCommandLine has_any (KnownDosTools)
| extend DetectionSource = "KnownDoSTool"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionSource;
// Detection 2: Anomalous outbound connection volume per process
let HighVolumeOutbound = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess" or ActionType == "ConnectionAttempt"
| where RemoteIPType == "Public"
| summarize
    ConnectionCount = count(),
    UniqueRemoteIPs = dcount(RemoteIP),
    UniqueRemotePorts = dcount(RemotePort),
    Protocols = make_set(Protocol),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, bin(Timestamp, LookbackWindow)
| where ConnectionCount > HighVolumeConnThreshold
    or UniqueRemoteIPs > 50
| extend DetectionSource = "HighVolumeOutboundConnections"
| project FirstSeen, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
         ConnectionCount, UniqueRemoteIPs, UniqueRemotePorts, Protocols, DetectionSource;
// Detection 3: Rapid repeated connection attempts to single target (SYN flood indicator)
let SynFloodIndicator = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionAttempt"
| where RemoteIPType == "Public"
| summarize
    AttemptCount = count(),
    UniqueLocalPorts = dcount(LocalPort),
    FirstAttempt = min(Timestamp),
    LastAttempt = max(Timestamp)
    by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, bin(Timestamp, 5m)
| where AttemptCount > 200
| extend AttemptsPerSecond = AttemptCount / 300.0
| extend DetectionSource = "RapidConnectionAttempts"
| project FirstAttempt, DeviceName, RemoteIP, RemotePort, AttemptCount,
         AttemptsPerSecond, InitiatingProcessFileName, DetectionSource;
// Union all detection sources
DosToolExec
| union kind=outer (
    HighVolumeOutbound | extend RemoteIP = "", RemotePort = 0
)
| union kind=outer (
    SynFloodIndicator | extend AccountName = "", ProcessCommandLine = InitiatingProcessFileName
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate load testing tools (Apache Bench, siege, wrk, k6) used by QA or DevOps teams against internal or staging systems
Network scanners (Nmap, Masscan) run by authorized penetration testers or vulnerability management platforms
High-volume legitimate services such as CDN edge nodes, torrent clients, or P2P applications that generate many simultaneous outbound connections
Security research environments or honeypot systems configured to generate high connection volumes for traffic analysis
Monitoring or synthetic testing agents that make frequent connections to multiple endpoints for uptime checks

Splunk

spl

| multisearch
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    | eval detection_type="dos_tool_exec"
    | eval Image=lower(Image), CommandLine=lower(CommandLine)
    | where match(Image, "(hping|loic|hoic|slowloris|goldeneye|mausezahn|t50|trinoo|tfn2k|stacheldraht|udpflood|synflood|hulk|xerxes|siege|wrk)")
       OR match(CommandLine, "(--flood|--ddos|-ddos|synflood|udpflood|icmpflood|sendudp|sendtcp|--interval\s+0|-i\s+0|-c\s+999)")
    | eval host=host, process=Image, cmdline=CommandLine, user=User
    | table _time, host, user, process, cmdline, detection_type
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
         OR DestinationIp="172.18.*" OR DestinationIp="172.31.*"
         OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="::1")
    | eval detection_type="high_volume_outbound"
    | stats
        count as conn_count,
        dc(DestinationIp) as unique_remote_ips,
        dc(DestinationPort) as unique_remote_ports,
        values(DestinationPort) as ports_seen,
        earliest(_time) as first_seen,
        latest(_time) as last_seen
        by host, Image, span(_time, 1h)
    | where conn_count > 500 OR unique_remote_ips > 50
    | eval cmdline="N/A", user="N/A", process=Image
    | eval summary=conn_count." connections to ".unique_remote_ips." unique IPs over 1h"
    | table first_seen, host, user, process, cmdline, detection_type, conn_count, unique_remote_ips, summary
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
    | eval detection_type="rapid_connection_attempts"
    | bin _time span=5m
    | stats
        count as attempt_count,
        dc(SourcePort) as unique_src_ports,
        values(Image) as initiating_process
        by host, DestinationIp, DestinationPort, _time
    | where attempt_count > 200
    | eval rate_per_sec=round(attempt_count/300, 2)
    | eval cmdline="Target: ".DestinationIp.":".DestinationPort, user="N/A"
    | eval process=mvindex(initiating_process, 0)
    | table _time, host, user, process, cmdline, detection_type, attempt_count, rate_per_sec, DestinationIp, DestinationPort
  ]
| eval severity=case(
    detection_type=="dos_tool_exec", "critical",
    detection_type=="high_volume_outbound" AND conn_count > 2000, "high",
    detection_type=="rapid_connection_attempts" AND attempt_count > 500, "high",
    true(), "medium"
  )
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Load testing platforms (k6, JMeter, Locust, Apache Bench) running authorized performance tests against internal or cloud-hosted services
Network scanners and asset discovery tools (Nmap, Masscan, Qualys agent) scheduled by security operations teams
Media streaming servers, CDN origin nodes, or peer-to-peer applications that legitimately maintain large numbers of simultaneous connections
Backup and replication software that initiates many parallel connections to storage targets during backup windows
Security appliances or honeypot systems generating synthetic traffic for research or detection validation purposes

Elastic Security (EQL)

eql

process where event.type == "start" and
  (process.name : ("hping3","hping","loic","hoic","slowloris","goldeneye","mausezahn",
                    "t50","trinoo","tfn2k","stacheldraht","siege","wrk") or
   process.command_line : ("*--flood*","*--ddos*","*-ddos*","*synflood*","*udpflood*",
                            "*--interval 0*","-i 0","*-c 999999*"))

high severity medium confidence

Data Sources

Endpoint Process Events

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate load testing tools (Apache Bench, siege, wrk, k6) used by QA or DevOps teams against internal or staging systems
Network scanners (Nmap, Masscan) run by authorized penetration testers or vulnerability management platforms
High-volume legitimate services such as CDN edge nodes, torrent clients, or P2P applications that generate many simultaneous outbound connections
Security research environments or honeypot systems configured to generate high connection volumes for traffic analysis
Monitoring or synthetic testing agents that make frequent connections to multiple endpoints for uptime checks

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "Image" as ProcessImage, "CommandLine" as CommandLine,
  CASE WHEN LOWER("Image") LIKE '%hping%' OR LOWER("Image") LIKE '%loic%'
            OR LOWER("Image") LIKE '%hoic%' OR LOWER("Image") LIKE '%slowloris%' THEN 10
       WHEN "CommandLine" ILIKE '%--flood%' OR "CommandLine" ILIKE '%synflood%' THEN 8
       ELSE 5 END as RiskScore
FROM events
WHERE eventid = 4688
  AND (LOWER("Image") LIKE '%hping%' OR LOWER("Image") LIKE '%loic%' OR LOWER("Image") LIKE '%hoic%'
       OR LOWER("Image") LIKE '%slowloris%' OR LOWER("Image") LIKE '%goldeneye%'
       OR "CommandLine" ILIKE '%--flood%' OR "CommandLine" ILIKE '%--ddos%'
       OR "CommandLine" ILIKE '%synflood%' OR "CommandLine" ILIKE '%udpflood%'
       OR "CommandLine" ILIKE '%-i 0%' OR "CommandLine" ILIKE '%-c 999999%')
ORDER BY EventTime DESC

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon Event ID 1

Required Tables

events

False Positives

Legitimate load testing tools (Apache Bench, siege, wrk, k6) used by QA or DevOps teams against internal or staging systems
Network scanners (Nmap, Masscan) run by authorized penetration testers or vulnerability management platforms
High-volume legitimate services such as CDN edge nodes, torrent clients, or P2P applications that generate many simultaneous outbound connections
Security research environments or honeypot systems configured to generate high connection volumes for traffic analysis
Monitoring or synthetic testing agents that make frequent connections to multiple endpoints for uptime checks

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon
| json auto
| where EventID == "1"
| eval ImageLower = toLower(Image)
| eval CmdLower = toLower(CommandLine)
| where matches(ImageLower, "(hping|loic|hoic|slowloris|goldeneye|mausezahn|t50|trinoo|tfn2k|siege|wrk)")
  OR matches(CmdLower, "(--flood|--ddos|-ddos|synflood|udpflood|icmpflood|sendudp|sendtcp|--interval 0|-i 0|-c 999999)")
| eval tool_category = if(matches(ImageLower, "(hping|loic|hoic)"), "known_dos_tool",
    if(matches(CmdLower, "(--flood|synflood|udpflood)"), "flood_flags", "dos_pattern"))
| table _time, Computer, User, Image, CommandLine, ParentImage, tool_category
| sort by _time desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic

Required Tables

windows/sysmon

False Positives

Legitimate load testing tools (Apache Bench, siege, wrk, k6) used by QA or DevOps teams against internal or staging systems
Network scanners (Nmap, Masscan) run by authorized penetration testers or vulnerability management platforms
High-volume legitimate services such as CDN edge nodes, torrent clients, or P2P applications that generate many simultaneous outbound connections
Security research environments or honeypot systems configured to generate high connection volumes for traffic analysis
Monitoring or synthetic testing agents that make frequent connections to multiple endpoints for uptime checks

Google Chronicle / SecOps

yaral

rule network_dos_tool_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of known DoS/DDoS tools (T1498)"
    severity = "HIGH"
    tactic = "TA0040"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(hping|loic|hoic|slowloris|goldeneye|mausezahn|t50|trinoo|tfn2k|stacheldraht|siege)`) nocase or
      re.regex($e.target.process.command_line, `(?i)(--flood|--ddos|synflood|udpflood|icmpflood|--interval\s+0|-i\s+0|-c\s+999999)`) nocase
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate load testing tools (Apache Bench, siege, wrk, k6) used by QA or DevOps teams against internal or staging systems
Network scanners (Nmap, Masscan) run by authorized penetration testers or vulnerability management platforms
High-volume legitimate services such as CDN edge nodes, torrent clients, or P2P applications that generate many simultaneous outbound connections
Security research environments or honeypot systems configured to generate high connection volumes for traffic analysis
Monitoring or synthetic testing agents that make frequent connections to multiple endpoints for uptime checks

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(hping|loic|hoic|slowloris|goldeneye|mausezahn|trinoo|tfn2k|siege)$/i
  OR CommandLine = /(--flood|--ddos|synflood|udpflood|icmpflood|--interval\s+0|-i\s+0|-c\s+999)/i
| eval tool_category = case {
    ImageFileName = /(hping|loic|hoic)/i : "known_dos_tool";
    CommandLine = /(--flood|synflood|udpflood)/i : "flood_flags";
    * : "dos_pattern"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, tool_category
| sort by timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives

Legitimate load testing tools (Apache Bench, siege, wrk, k6) used by QA or DevOps teams against internal or staging systems
Network scanners (Nmap, Masscan) run by authorized penetration testers or vulnerability management platforms
High-volume legitimate services such as CDN edge nodes, torrent clients, or P2P applications that generate many simultaneous outbound connections
Security research environments or honeypot systems configured to generate high connection volumes for traffic analysis
Monitoring or synthetic testing agents that make frequent connections to multiple endpoints for uptime checks

Network Denial of Service

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Impact

Popular Detections