T1498.001 Direct Network Flood Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1498.001 — Direct Network Flood
// Detects known DDoS/flood tool execution on endpoints (botnet participants, insider threat, red team)
let FloodToolNames = dynamic([
    "hping3", "hping", "nping", "trafgen", "t50",
    "loic", "hoic", "mhddos", "ufonet", "goldeneye", "xerxes",
    "udpflood", "synflood", "icmpflood", "pyflood", "rudy",
    "packetsender", "ostinato", "netcat"
]);
let FloodArgPatterns = dynamic([
    "--flood", "-i u0", "--rand-dest", "--rand-source",
    "--syn --flood", "--icmp --flood", "--udp --flood",
    "-c 999999", "--count 9999999", "--faster", "--turbo",
    "--rate 100000"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (FloodToolNames)
      or ProcessCommandLine has_any (FloodToolNames)
      or ProcessCommandLine has_any (FloodArgPatterns)
| extend IsKnownFloodTool = FileName has_any (FloodToolNames)
       or ProcessCommandLine has_any (FloodToolNames)
| extend HasFloodArgs = ProcessCommandLine has_any (FloodArgPatterns)
| extend SuspicionLevel = case(
    IsKnownFloodTool and HasFloodArgs, "Critical",
    IsKnownFloodTool, "High",
    HasFloodArgs, "Medium",
    "Low")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          IsKnownFloodTool, HasFloodArgs, SuspicionLevel
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Load testing tools (Apache Bench, wrk, hey, vegeta, k6) run legitimately by QA engineers or DevOps teams against internal staging environments or authorized external endpoints
Network performance benchmarking tools (iperf, iperf3, netperf, iperf) used by infrastructure teams to validate bandwidth capacity on new circuits or after changes
Security scanners using aggressive timing profiles (nmap -T5, masscan) operated by internal vulnerability management or red team programs with authorized change tickets
Authorized DDoS simulation exercises where security vendors run flood tools against hardened DMZ systems to validate WAF or DDoS protection efficacy
Academic, research, or sandbox environments where flood tools are used for network research, coursework, or tool development without malicious intent

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval image_lower=lower(Image)
| eval cmdline_lower=lower(CommandLine)
| eval FloodToolMatch=if(
    match(image_lower, "(hping|nping|trafgen|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|t50)") OR
    match(cmdline_lower, "(hping|nping|trafgen|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood)"), 1, 0)
| eval FloodArgMatch=if(
    match(cmdline_lower, "(--flood|-i\s+u0|--rand-dest|--rand-source|--syn.*--flood|--icmp.*--flood|--udp.*--flood|-c\s+[0-9]{6,}|--count\s+[0-9]{6,}|--faster|--turbo|--rate\s+[0-9]{5,})"), 1, 0)
| eval SuspicionScore=FloodToolMatch + FloodArgMatch
| where SuspicionScore > 0
| eval SuspicionLevel=case(
    FloodToolMatch=1 AND FloodArgMatch=1, "Critical",
    FloodToolMatch=1, "High",
    FloodArgMatch=1, "Medium",
    true(), "Low")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, FloodToolMatch, FloodArgMatch, SuspicionScore, SuspicionLevel
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Load testing tools (Apache Bench, wrk, hey, vegeta, k6) run by QA engineers or DevOps against authorized test targets
Network performance benchmarking tools (iperf, iperf3, netperf) used by infrastructure teams to validate bandwidth
Security scanners using aggressive timing (nmap -T5, masscan) run by authorized vulnerability management programs
Authorized penetration testers or red team operators conducting DDoS simulation exercises with documented change tickets
Academic or research environments where flood tools are used for legitimate network research or coursework

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  process.name : ("hping3", "hping", "nping", "trafgen", "t50", "loic", "hoic", "mhddos", "ufonet", "goldeneye", "xerxes", "udpflood", "synflood", "icmpflood", "pyflood", "rudy", "packetsender", "ostinato", "netcat") or
  process.parent.name : ("hping3", "hping", "nping", "trafgen", "t50", "loic", "hoic", "mhddos", "ufonet", "goldeneye", "xerxes", "udpflood", "synflood", "icmpflood", "pyflood") or
  process.command_line : ("*--flood*", "*-i u0*", "*--rand-dest*", "*--rand-source*", "*--syn --flood*", "*--icmp --flood*", "*--udp --flood*", "*-c 999999*", "*--count 9999999*", "*--faster*", "*--turbo*", "*--rate 100000*")
)

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat (auditd module) Winlogbeat (Sysmon) Elastic Agent (system integration)

Required Tables

logs-endpoint.events.process-* logs-system.security* winlogbeat-* auditbeat-*

False Positives

Network engineering teams running legitimate performance or stress tests with hping3, nping, or ostinato in authorized lab or staging environments
Authorized red team or penetration testing engagements where flood tools are used against agreed-upon targets within the organization's own infrastructure
Security researchers or SOC analysts running packet-generation tools (packetsender, netcat) for tool validation, POC reproduction, or detection tuning in isolated environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  LOGSOURCENAME(logsourceid) AS LogSourceName,
  sourceip AS SourceIP,
  username AS Username,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentImage,
  "ParentCommandLine" AS ParentCommandLine,
  CASE
    WHEN (LOWER("Image") MATCHES '(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato)'
      OR LOWER("CommandLine") MATCHES '(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood)')
    AND LOWER("CommandLine") MATCHES '(--flood|-i\s+u0|--rand-dest|--rand-source|--faster|--turbo|--rate\s+[0-9]{5,}|-c\s+[0-9]{6,}|--count\s+[0-9]{6,})'
    THEN 'Critical'
    WHEN LOWER("Image") MATCHES '(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato)'
      OR LOWER("CommandLine") MATCHES '(hping3?|nping|trafgen|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|t50)'
    THEN 'High'
    WHEN LOWER("CommandLine") MATCHES '(--flood|-i\s+u0|--rand-dest|--rand-source|--faster|--turbo|--rate\s+[0-9]{5,})'
    THEN 'Medium'
    ELSE 'Low'
  END AS SuspicionLevel
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (12, 396, 433)
  AND (
    LOWER("Image") MATCHES '(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato)'
    OR LOWER("CommandLine") MATCHES '(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood)'
    OR LOWER("CommandLine") MATCHES '(--flood|-i\s+u0|--rand-dest|--rand-source|--syn.*--flood|--icmp.*--flood|--udp.*--flood|--faster|--turbo|--rate\s+[0-9]{5,}|-c\s+[0-9]{6,}|--count\s+[0-9]{6,})'
  )
LAST 24 HOURS

high severity medium confidence

Data Sources

Microsoft Windows Sysmon (via WinCollect or syslog forwarding) Microsoft Windows Security Event Log Universal DSM with custom event properties for Image and CommandLine

Required Tables

events

False Positives

IT network teams executing authorized bandwidth or stress tests using hping3, nping, or similar tools against internal infrastructure with change tickets
Penetration testers running scoped flood simulations from approved endpoints as part of a formal engagement with written authorization
SOC analysts reproducing alert conditions or validating detection rules using flood tool binaries in a sandboxed or isolated test host

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint* OR _sourceCategory=*wineventlog*)
| where EventCode=1 OR EventID=1
| parse field=Image "*\*" as process_name nodrop
| where !(isNull(process_name))
| eval process_lower = toLowerCase(process_name)
| eval cmdline_lower = toLowerCase(CommandLine)
| where
  matches(process_lower, "(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato|netcat)")
  OR matches(cmdline_lower, "(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood)")
  OR matches(cmdline_lower, "(--flood|-i u0|--rand-dest|--rand-source|--syn.*--flood|--icmp.*--flood|--udp.*--flood|--faster|--turbo|--rate [0-9]{5,}|-c [0-9]{6,}|--count [0-9]{6,})")
| eval FloodToolMatch = if(
    matches(process_lower, "(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato)")
    OR matches(cmdline_lower, "(hping3?|nping|trafgen|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|t50)"),
    1, 0)
| eval FloodArgMatch = if(
    matches(cmdline_lower, "(--flood|-i u0|--rand-dest|--rand-source|--syn.*--flood|--icmp.*--flood|--udp.*--flood|--faster|--turbo|--rate [0-9]{5,}|-c [0-9]{6,}|--count [0-9]{6,})"),
    1, 0)
| eval SuspicionScore = FloodToolMatch + FloodArgMatch
| where SuspicionScore > 0
| eval SuspicionLevel = if(FloodToolMatch=1 AND FloodArgMatch=1, "Critical",
    if(FloodToolMatch=1, "High",
    if(FloodArgMatch=1, "Medium", "Low")))
| fields _messageTime, Computer, User, process_name, CommandLine, ParentImage, ParentCommandLine, FloodToolMatch, FloodArgMatch, SuspicionScore, SuspicionLevel
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sysmon for Windows (Event ID 1 — Process Create) Windows Event Log Security (Event ID 4688 with process command line auditing enabled)

Required Tables

_sourceCategory=*sysmon* _sourceCategory=*wineventlog* _sourceCategory=*endpoint*

False Positives

Network operations center staff running diagnostic packet generation (nping, hping3) during authorized outage investigations or latency troubleshooting
Application performance teams using ostinato or packetsender for traffic replay and QA testing in pre-production environments
CTF participants or security training lab participants executing flood tools against intentionally vulnerable targets within isolated training infrastructure

Google Chronicle / SecOps

yaral

rule t1498_001_direct_network_flood {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of known DDoS and network flood tools on endpoints. Matches process name and flood-specific command-line arguments indicative of T1498.001 Direct Network Flood activity."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1498.001"
    mitre_attack_technique_name = "Direct Network Flood"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1498/001/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.principal.process.file.full_path, `(?i)(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato|netcat)`) or
      re.regex($e.target.process.file.full_path, `(?i)(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato)`) or
      re.regex($e.target.process.command_line, `(?i)(--flood|-i\s+u0|--rand-dest|--rand-source|--syn.*--flood|--icmp.*--flood|--udp.*--flood|--faster|--turbo|--rate\s+\d{5,}|-c\s+\d{6,}|--count\s+\d{6,})`)
    )

  outcome:
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_name = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path
    $is_known_tool = re.regex($e.target.process.file.full_path, `(?i)(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato)`)
    $has_flood_args = re.regex($e.target.process.command_line, `(?i)(--flood|-i\s+u0|--rand-dest|--rand-source|--faster|--turbo|--rate\s+\d{5,})`)

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle Forwarder (Windows Sysmon) Chronicle Forwarder (Linux auditd) CrowdStrike Falcon via Chronicle integration Carbon Black via Chronicle integration SentinelOne via Chronicle integration

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Authorized network capacity testing performed by infrastructure teams using hping3 or nping on internal lab segments with documented approval
Red team engagements where flood tools are run from operator workstations against in-scope targets — correlate with engagement calendar to suppress known windows
Developers or security researchers building or testing network simulation tooling who may call flood-adjacent binaries from build pipelines or CI runners

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato|netcat)/
  OR CommandLine = /(?i)(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood)/
  OR CommandLine = /(?i)(--flood|-i\s+u0|--rand-dest|--rand-source|--syn.*--flood|--icmp.*--flood|--udp.*--flood|--faster|--turbo|--rate\s+\d{5,}|-c\s+\d{6,}|--count\s+\d{6,})/
| FloodToolMatch := if(match(FileName, regex="(?i)(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato)")
    OR match(CommandLine, regex="(?i)(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood)"),
    "true", "false")
| FloodArgMatch := if(match(CommandLine, regex="(?i)(--flood|-i\s+u0|--rand-dest|--rand-source|--syn.*--flood|--icmp.*--flood|--udp.*--flood|--faster|--turbo|--rate\s+\d{5,}|-c\s+\d{6,}|--count\s+\d{6,})"),
    "true", "false")
| SuspicionLevel := case(
    FloodToolMatch="true" AND FloodArgMatch="true", "Critical",
    FloodToolMatch="true", "High",
    FloodArgMatch="true", "Medium",
    "Low")
| select([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, FloodToolMatch, FloodArgMatch, SuspicionLevel])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR (ProcessRollup2 events) Falcon sensor on Windows, Linux, macOS endpoints

Required Tables

ProcessRollup2 (#event_simpleName=ProcessRollup2)

False Positives

Falcon-protected endpoints used by network engineering teams where hping3, nping, or trafgen are installed as standard diagnostic tools and run under authorized change windows
Managed security service provider (MSSP) analyst workstations that have flood tool binaries present for detection validation or client incident reproduction
Development or build machines compiling or running network simulation tools (ostinato, packetsender) as part of automated testing pipelines — exclude by AgentIdList or sensor grouping tag

Direct Network Flood

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections