T1498 Splunk · SPL

Detect Network Denial of Service in Splunk

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. This includes direct network floods and reflection amplification attacks targeting websites, DNS, email services, and web-based applications. Attackers may use botnets, IP spoofing, and distributed systems to amplify attack volume and obscure the origin. Real-world usage includes APT28 DDoS attacks against WADA, NKAbuse malware with multi-protocol DoS capabilities, and Lucifer malware executing TCP/UDP/HTTP floods.

MITRE ATT&CK

Tactic: Impact
Technique: T1498 Network Denial of Service
Canonical reference: https://attack.mitre.org/techniques/T1498/

SPL Detection Query

Splunk (SPL)

| union
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    | eval detection_type="dos_tool_exec"
    | eval Image=lower(Image), CommandLine=lower(CommandLine)
    | where match(Image, "(hping|loic|hoic|slowloris|goldeneye|mausezahn|t50|trinoo|tfn2k|stacheldraht|udpflood|synflood|hulk|xerxes|siege|wrk)")
       OR match(CommandLine, "(--flood|--ddos|-ddos|synflood|udpflood|icmpflood|sendudp|sendtcp|--interval\s+0|-i\s+0|-c\s+999)")
    | eval process=Image, cmdline=CommandLine, user=User
    | table _time, host, user, process, cmdline, detection_type
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    | where NOT (cidrmatch("10.0.0.0/8", DestinationIp) OR cidrmatch("172.16.0.0/12", DestinationIp)
                 OR cidrmatch("192.168.0.0/16", DestinationIp) OR cidrmatch("127.0.0.0/8", DestinationIp)
                 OR DestinationIp="::1")
    | eval detection_type="high_volume_outbound", event_time=_time
    | bin _time span=1h
    | stats
        count as conn_count,
        dc(DestinationIp) as unique_remote_ips,
        dc(DestinationPort) as unique_remote_ports,
        values(DestinationPort) as ports_seen,
        min(event_time) as first_seen,
        max(event_time) as last_seen
        by host, Image, _time
    | where conn_count > 500 OR unique_remote_ips > 50
    | eval _time=first_seen, cmdline="N/A", user="N/A", process=Image
    | eval summary=conn_count." connections to ".unique_remote_ips." unique IPs over 1h"
    | table _time, host, user, process, cmdline, detection_type, conn_count, unique_remote_ips, summary
  ]
  [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    | where NOT (cidrmatch("10.0.0.0/8", DestinationIp) OR cidrmatch("172.16.0.0/12", DestinationIp)
                 OR cidrmatch("192.168.0.0/16", DestinationIp) OR cidrmatch("127.0.0.0/8", DestinationIp)
                 OR DestinationIp="::1")
    | eval detection_type="rapid_connection_attempts"
    | bin _time span=5m
    | stats
        count as attempt_count,
        dc(SourcePort) as unique_src_ports,
        values(Image) as initiating_process
        by host, DestinationIp, DestinationPort, _time
    | where attempt_count > 200
    | eval rate_per_sec=round(attempt_count/300, 2)
    | eval cmdline="Target: ".DestinationIp.":".DestinationPort, user="N/A"
    | eval process=mvindex(initiating_process, 0)
    | table _time, host, user, process, cmdline, detection_type, attempt_count, rate_per_sec, DestinationIp, DestinationPort
  ]
| eval severity=case(
    detection_type=="dos_tool_exec", "critical",
    detection_type=="high_volume_outbound" AND conn_count > 2000, "high",
    detection_type=="rapid_connection_attempts" AND attempt_count > 500, "high",
    true(), "medium"
  )
| sort - _time

Severity: high · Confidence: medium

Detects Network Denial of Service activity from Sysmon telemetry through three branches whose results are combined into one result set: (1) Sysmon Event ID 1 (Process Create) where the image name matches a known DoS tool or the command line carries flood-style flags, (2) Sysmon Event ID 3 (Network Connection) where one host and process pair opens more than 500 outbound connections, or reaches more than 50 distinct public IPs, within a 1-hour window, and (3) more than 200 connection attempts from one host to a single destination IP and port within a 5-minute window, the pattern of a SYN or UDP flood. Private (RFC 1918) and loopback destinations are excluded from branches 2 and 3, so those branches only see traffic leaving the network. Each result is scored by detection type and volume: tool execution is critical, more than 2000 connections per hour or more than 500 attempts per 5 minutes is high, and everything else is medium. All three branches read the Sysmon sourcetype listed under Required Sourcetypes.

Data Sources

  • Process: Process Creation
  • Network Traffic: Network Connection Creation
  • Sysmon Event ID 1
  • Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Load testing platforms (k6, JMeter, Locust, Apache Bench) running authorized performance tests against internal or cloud-hosted services
  • Network scanners and asset discovery tools (Nmap, Masscan, Qualys agent) scheduled by security operations teams
  • Media streaming servers, CDN origin nodes, or peer-to-peer applications that legitimately maintain large numbers of simultaneous connections
  • Backup and replication software that initiates many parallel connections to storage targets during backup windows
  • Security appliances or honeypot systems generating synthetic traffic for research or detection validation purposes

Testing Methodology

Validate this detection against four adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Against this query, test 1 triggers branch 1 (both the hping image name and the --flood flag match); tests 2 to 4 use process names and flags outside the branch 1 patterns, and all four tests send their traffic to loopback, which branches 2 and 3 exclude as a private or loopback destination. To exercise the volume branches, run the tests against a dedicated lab target on an address outside the excluded ranges, or temporarily relax that exclusion.

  1. Test 1: hping3 SYN Flood Simulation (Linux)

    Expected signal: Linux audit log (auditd): execve syscall for hping3 with arguments --syn --flood. Syslog: process creation event for hping3. /proc/<PID>/net/tcp: rapid socket creation and teardown on loopback. If auditd is configured with EXECVE rules, Event type=EXECVE will capture the full command line.

  2. Test 2: PowerShell UDP Flood Script (Windows)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing UdpClient and 127.0.0.1. Sysmon Event ID 3: 1000 UDP network connection events from powershell.exe to 127.0.0.1:19999. PowerShell ScriptBlock Log Event ID 4104: full script including UdpClient instantiation and send loop.

  3. Test 3: LOIC-style HTTP Flood via curl Loop (Linux/macOS)

    Expected signal: Linux audit log: 200 execve syscalls for curl in rapid succession from the same parent shell PID. Syslog: process creation events for curl children. Network: 200 TCP connection attempts to 127.0.0.1:80 in rapid succession. Process table (ps aux) will show many curl processes during execution.

  4. Test 4: nping ICMP Flood (Linux)

    Expected signal: Linux audit log: execve for nping with --icmp --rate 500 arguments. If sysmon-for-linux is deployed, Sysmon Event ID 1 will capture the full command line. Network monitoring: 1000 ICMP packets at 500 packets/second burst on loopback. /proc/net/snmp ICMP InMsgs counter increments rapidly during test.
