Detect Direct Network Flood in IBM QRadar

Adversaries may attempt to cause a denial of service (DoS) by directly sending a high volume of network traffic to a target. Direct Network Floods use one or more systems to send high-volume network packets toward the targeted service or network. Any network protocol may be used — stateless protocols such as UDP and ICMP are common due to their low overhead, but TCP SYN floods are also prevalent. Botnets are frequently leveraged to amplify attack volume, with compromised endpoints acting as unwitting flood sources. Organizations may detect this technique either as a victim observing inbound traffic spikes, or by identifying compromised endpoints in their own environment that are participating in an outbound DDoS campaign as botnet nodes.

MITRE ATT&CK

Tactic: Impact
Technique: T1498 Network Denial of Service
Sub-technique: T1498.001 Direct Network Flood
Canonical reference: https://attack.mitre.org/techniques/T1498/001/

QRadar Detection Query

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  LOGSOURCENAME(logsourceid) AS LogSourceName,
  sourceip AS SourceIP,
  username AS Username,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentImage,
  "ParentCommandLine" AS ParentCommandLine,
  CASE
    WHEN (LOWER("Image") MATCHES '.*(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato).*'
      OR LOWER("CommandLine") MATCHES '.*(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood).*')
    AND LOWER("CommandLine") MATCHES '.*(--flood|-i\s+u0|--rand-dest|--rand-source|--faster|--turbo|--rate\s+[0-9]{5,}|-c\s+[0-9]{6,}|--count\s+[0-9]{6,}).*'
    THEN 'Critical'
    WHEN LOWER("Image") MATCHES '.*(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato).*'
      OR LOWER("CommandLine") MATCHES '.*(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood).*'
    THEN 'High'
    WHEN LOWER("CommandLine") MATCHES '.*(--flood|-i\s+u0|--rand-dest|--rand-source|--faster|--turbo|--rate\s+[0-9]{5,}).*'
    THEN 'Medium'
    ELSE 'Low'
  END AS SuspicionLevel
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (12, 396, 433)
  AND (
    LOWER("Image") MATCHES '.*(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato).*'
    OR LOWER("CommandLine") MATCHES '.*(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes|udpflood|synflood|icmpflood|pyflood).*'
    OR LOWER("CommandLine") MATCHES '.*(--flood|-i\s+u0|--rand-dest|--rand-source|--syn.*--flood|--icmp.*--flood|--udp.*--flood|--faster|--turbo|--rate\s+[0-9]{5,}|-c\s+[0-9]{6,}|--count\s+[0-9]{6,}).*'
  )
LAST 24 HOURS

Severity: high. Confidence: medium.

QRadar AQL detection for execution of known DDoS/flood tooling on endpoints, using process-creation telemetry ingested through the Sysmon DSM (Event ID 1, Process Create) or the Microsoft Windows Security Event Log DSM (Event ID 4688 with command-line auditing). It matches on the Image and CommandLine custom event properties that those DSMs populate and assigns a SuspicionLevel of Critical (tool name plus flood-style arguments), High (tool name only), Medium (flood-style arguments only) or Low (only a large -c/--count value, which the WHERE clause selects but the Medium tier does not list). AQL MATCHES is a full-string regular-expression comparison, so every pattern is wrapped in .* on both sides; a bare alternation such as '(hping3?|nping)' would never match a complete image path or command line. LOGSOURCETYPEID 12 = Microsoft Windows Security Event Log, 396 = Sysmon, 433 = Universal DSM (adjust to match your deployment).
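To check the tiering logic offline before deploying the rule, the following Python script (added here as an example; it is not part of this detection package or of QRadar) reimplements the CASE expression with re.fullmatch, which has the same whole-string semantics as AQL MATCHES, and runs it over constructed Sysmon-style process events. Every sample path, user name and IP address is made up for the example, and the event ids, wrap(), aql_matches(), suspicion_level() and triage() are this script's own names.

```python
import re

# Bare alternation groups copied from the AQL rule's CASE/WHERE clauses.
TOOL_IMAGE = (r"(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes"
              r"|udpflood|synflood|icmpflood|pyflood|rudy|packetsender|ostinato)")
TOOL_CMD = (r"(hping3?|nping|trafgen|t50|loic|hoic|mhddos|ufonet|goldeneye|xerxes"
            r"|udpflood|synflood|icmpflood|pyflood)")
FLOOD_ARGS = (r"(--flood|-i\s+u0|--rand-dest|--rand-source|--faster|--turbo"
              r"|--rate\s+[0-9]{5,}|-c\s+[0-9]{6,}|--count\s+[0-9]{6,})")
MEDIUM_ARGS = (r"(--flood|-i\s+u0|--rand-dest|--rand-source|--faster|--turbo"
               r"|--rate\s+[0-9]{5,})")


def wrap(group: str) -> str:
    """Add the leading/trailing .* a full-string MATCHES needs to hit a substring."""
    return f".*{group}.*"


def aql_matches(value: str, pattern: str) -> bool:
    """Model LOWER(field) MATCHES 'pattern': AQL MATCHES behaves like Java
    String.matches(), so the regex has to consume the whole field value."""
    return re.fullmatch(pattern, value.lower()) is not None


def suspicion_level(event: dict):
    """Return the SuspicionLevel the rule's CASE expression would assign to one
    process-creation event, or None if the WHERE clause would not select it."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    tool_name = aql_matches(image, wrap(TOOL_IMAGE)) or aql_matches(cmd, wrap(TOOL_CMD))
    flood_args = aql_matches(cmd, wrap(FLOOD_ARGS))
    if tool_name and flood_args:
        return "Critical"
    if tool_name:
        return "High"
    if aql_matches(cmd, wrap(MEDIUM_ARGS)):
        return "Medium"
    if flood_args:
        # Selected by WHERE through -c/--count with 6+ digits, but absent from the Medium list.
        return "Low"
    return None


# Constructed sample events shaped like the Image/CommandLine custom properties.
# Paths, user names and addresses are invented for this example.
SAMPLE_EVENTS = [
    {"id": "hping3-udp-flood",
     "Image": r"C:\Tools\hping3.exe",
     "CommandLine": "hping3.exe --udp --flood -p 53 127.0.0.1"},
    {"id": "nping-high-rate",
     "Image": r"C:\Program Files (x86)\Nmap\nping.exe",
     "CommandLine": "nping.exe --icmp --rate 100000 -c 1000000 10.0.0.5"},
    {"id": "loic-staged-in-temp",
     "Image": r"C:\Users\alice\AppData\Local\Temp\loic.exe",
     "CommandLine": "loic.exe --method udp --target 127.0.0.1 --port 80 --threads 10"},
    {"id": "unknown-tool-large-count",
     "Image": r"C:\Tools\pktgen.exe",
     "CommandLine": "pktgen.exe --count 600000 --dst 10.0.0.5"},
    {"id": "powershell-udpclient",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command $u=New-Object Net.Sockets.UdpClient"},
    {"id": "linux-ping-flood",
     "Image": "/usr/bin/ping",
     "CommandLine": "ping -f -c 10000 127.0.0.1"},
]


def triage(events):
    """Map each event id to its SuspicionLevel (None = not selected by the rule)."""
    return {e["id"]: suspicion_level(e) for e in events}


if __name__ == "__main__":
    for event_id, level in triage(SAMPLE_EVENTS).items():
        print(f"{event_id:28s} -> {level}")
    # The bare group never fires under whole-string semantics; the wrapped one does.
    print(aql_matches(r"C:\Tools\hping3.exe", TOOL_IMAGE),
          aql_matches(r"C:\Tools\hping3.exe", wrap(TOOL_IMAGE)))
```

Two of the constructed events mirror Atomic tests 2 and 3 (PowerShell UdpClient burst, ping -f) and come back as None: neither the tool list nor the argument list covers them, so those tests will produce the Sysmon and auditd telemetry described below but will not fire this particular rule. That is worth knowing before counting them as validation of the AQL rather than of the logging pipeline.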

Data Sources

  • Microsoft Windows Sysmon (via WinCollect or syslog forwarding)
  • Microsoft Windows Security Event Log
  • Universal DSM with custom event properties for Image and CommandLine

Required Tables

events

False Positives & Tuning

  • IT network teams executing authorized bandwidth or stress tests using hping3, nping, or similar tools against internal infrastructure with change tickets
  • Penetration testers running scoped flood simulations from approved endpoints as part of a formal engagement with written authorization
  • SOC analysts reproducing alert conditions or validating detection rules using flood tool binaries in a sandboxed or isolated test host

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: UDP Flood with hping3 to Localhost

    Expected signal: Linux auditd: syscall execve for hping3 with argv containing '--udp', '--flood', '-p 53', '127.0.0.1'. Sysmon for Linux (if deployed): Process execution event with Image=hping3 and full CommandLine. Network metrics: High-volume UDP packet rate on loopback interface visible in netstat -s and /proc/net/udp. The -c 10000 flag limits total packets to prevent resource exhaustion.

  2. Test 2: PowerShell UDP Packet Burst to Localhost

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'UdpClient', 'Send', 'Loopback'. Sysmon Event ID 3: High-frequency network connection events to 127.0.0.1:53 — this will generate thousands of Event ID 3 records in the Sysmon log. PowerShell ScriptBlock Log Event ID 4104 with full script content if ScriptBlock logging is enabled.

  3. Test 3: ICMP Flood with ping -f to Localhost

    Expected signal: Linux auditd: syscall execve for ping with argv '-f', '-c', '10000', '127.0.0.1'. Process execution in syslog or Sysmon for Linux. Output shows packet statistics: '10000 packets transmitted, 10000 received, 0% packet loss'. Network metrics show ICMP packet rate spike on loopback interface visible via /proc/net/snmp ICMP counters.

  4. Test 4: LOIC Flood Tool Binary Staging and Execution Simulation

    Expected signal: Sysmon Event ID 11: File Create event for %TEMP%\loic.exe — triggers the file-staging hunting query on flood tool binary name. Sysmon Event ID 1: Process Create for loic.exe with CommandLine '--method udp --target 127.0.0.1 --port 80 --threads 10'. Security Event ID 4688 (if command-line auditing enabled) with same process details. Sysmon Event ID 7: Image Load events showing DLLs loaded by the loic.exe process.
