Detect Network Denial of Service in IBM QRadar
Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. This includes direct network floods and reflection amplification attacks targeting websites, DNS, email services, and web-based applications. Attackers may use botnets, IP spoofing, and distributed systems to amplify attack volume and obscure the origin. Real-world usage includes APT28 DDoS attacks against WADA, NKAbuse malware with multi-protocol DoS capabilities, and Lucifer malware executing TCP/UDP/HTTP floods.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1498 Network Denial of Service
- Canonical reference: https://attack.mitre.org/techniques/T1498/
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
logsourcename(logsourceid) as LogSource, username as User,
"Image" as ProcessImage, "CommandLine" as CommandLine,
CASE WHEN LOWER("Image") LIKE '%hping%' OR LOWER("Image") LIKE '%loic%'
OR LOWER("Image") LIKE '%hoic%' OR LOWER("Image") LIKE '%slowloris%' THEN 10
WHEN "CommandLine" ILIKE '%--flood%' OR "CommandLine" ILIKE '%synflood%' THEN 8
ELSE 5 END as RiskScore
FROM events
WHERE eventid = 4688
AND (LOWER("Image") LIKE '%hping%' OR LOWER("Image") LIKE '%loic%' OR LOWER("Image") LIKE '%hoic%'
OR LOWER("Image") LIKE '%slowloris%' OR LOWER("Image") LIKE '%goldeneye%'
OR "CommandLine" ILIKE '%--flood%' OR "CommandLine" ILIKE '%--ddos%'
OR "CommandLine" ILIKE '%synflood%' OR "CommandLine" ILIKE '%udpflood%'
OR "CommandLine" ILIKE '%-i 0%' OR "CommandLine" ILIKE '%-c 999999%')
ORDER BY EventTime DESC
This query detects DoS tool execution from Windows process creation events (Event ID 4688) in QRadar and assigns a risk score based on the matched tool image name or command-line flag.
False Positives & Tuning
- Legitimate load testing tools (Apache Bench, siege, wrk, k6) used by QA or DevOps teams against internal or staging systems
- Network scanners (Nmap, Masscan) run by authorized penetration testers or vulnerability management platforms
- High-volume legitimate services such as CDN edge nodes, torrent clients, or P2P applications that generate many simultaneous outbound connections
- Security research environments or honeypot systems configured to generate high connection volumes for traffic analysis
- Monitoring or synthetic testing agents that make frequent connections to multiple endpoints for uptime checks
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: hping3 SYN Flood Simulation (Linux)
Expected signal: Linux audit log (auditd): execve syscall for hping3 with arguments --syn --flood. Syslog: process creation event for hping3. /proc/<PID>/net/tcp: rapid socket creation and teardown on loopback. If auditd is configured with EXECVE rules, Event type=EXECVE will capture the full command line.
- Test 2: PowerShell UDP Flood Script (Windows)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing UdpClient and 127.0.0.1. Sysmon Event ID 3: 1000 UDP network connection events from powershell.exe to 127.0.0.1:19999. PowerShell ScriptBlock Log Event ID 4104: full script including UdpClient instantiation and send loop.
- Test 3: LOIC-style HTTP Flood via curl Loop (Linux/macOS)
Expected signal: Linux audit log: 200 execve syscalls for curl in rapid succession from the same parent shell PID. Syslog: process creation events for curl children. Network: 200 TCP connection attempts to 127.0.0.1:80 in rapid succession. Process table (ps aux) will show many curl processes during execution.
- Test 4: nping ICMP Flood (Linux)
Expected signal: Linux audit log: execve for nping with --icmp --rate 500 arguments. If sysmon-for-linux is deployed, Sysmon Event ID 1 will capture the full command line. Network monitoring: 1000 ICMP packets at 500 packets/second burst on loopback. /proc/net/snmp ICMP InMsgs counter increments rapidly during test.
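As an added example (not part of the original page or the QRadar rule itself), the Python below mirrors the query's WHERE and CASE logic over constructed 4688-style events modelled on the four Atomic tests above, to show which of them this rule would actually surface and how the loose `-i 0` substring can fire on an ordinary ping. The event dictionaries and command lines are constructed samples, not captured telemetry.

```python
import re

# Substring patterns copied from the page's AQL WHERE clause (matched case-insensitively).
IMAGE_PATTERNS = ("hping", "loic", "hoic", "slowloris", "goldeneye")
CMDLINE_PATTERNS = ("--flood", "--ddos", "synflood", "udpflood", "-i 0", "-c 999999")
# Patterns that drive the CASE expression's 10 / 8 tiers; everything else that matches scores 5.
HIGH_RISK_IMAGES = ("hping", "loic", "hoic", "slowloris")
MEDIUM_RISK_CMDLINE = ("--flood", "synflood")


def risk_score(event):
    """Return the AQL RiskScore (10, 8 or 5) for a matching 4688 event, or None when the WHERE clause excludes it."""
    if event.get("EventID") != 4688:
        return None
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not (any(p in image for p in IMAGE_PATTERNS) or any(p in cmd for p in CMDLINE_PATTERNS)):
        return None
    if any(p in image for p in HIGH_RISK_IMAGES):
        return 10
    if any(p in cmd for p in MEDIUM_RISK_CMDLINE):
        return 8
    return 5


def basename(path):
    """Strip Windows or POSIX directory components for readable output."""
    return re.split(r"[\\/]", path)[-1]


# Constructed sample events echoing the page's four Atomic tests plus one benign ping (loopback targets only).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Image": "/usr/sbin/hping3", "CommandLine": "hping3 --syn --flood 127.0.0.1"},
    {"EventID": 4688, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command $c = New-Object Net.Sockets.UdpClient; 1..1000 | % { $c.Send([byte[]]1, 1, '127.0.0.1', 19999) }"},
    {"EventID": 4688, "Image": "/usr/bin/curl", "CommandLine": "curl -s http://127.0.0.1:80/"},
    {"EventID": 4688, "Image": "/usr/bin/nping", "CommandLine": "nping --icmp --rate 500 -c 1000 127.0.0.1"},
    {"EventID": 4688, "Image": "/usr/bin/ping", "CommandLine": "ping -i 0.2 -c 5 10.0.0.1"},  # benign, contains "-i 0"
]


def coverage(events):
    """Pair each event's image name with the score the rule would assign (None = not alerted)."""
    return [(basename(e["Image"]), risk_score(e)) for e in events]


if __name__ == "__main__":
    for name, score in coverage(SAMPLE_EVENTS):
        print(f"{name:16s} -> {score}")
```

Only Test 1 is caught by name; Tests 2 to 4 fall through because neither the image names nor the flags on the page's list are present, while the benign ping scores 5 purely on the `-i 0` substring, which is the kind of pattern to tighten (for example, anchoring on whitespace or the full `-i 0 ` token) during tuning.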
References (8)
- https://attack.mitre.org/techniques/T1498/
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf
- https://www.ic3.gov/Media/PDF/Y2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
- https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1498/T1498.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/network
- https://securelist.com/nkabuse-a-new-multi-platform-threat-abusing-the-nkn-protocol/111278/