Which SIEM platforms have a T1499 detection rule?

df00tech provides T1499 (Endpoint Denial of Service) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1499 detection?

The T1499 detection is rated high severity with medium confidence.

What are common false positives for T1499?

Common false positives for T1499 include: Performance testing teams running Apache Bench (ab), wrk, or siege against internal load balancers or staging environments during authorized load tests; Site reliability engineers running stress-ng or stress on Linux servers to validate autoscaling or hardware under controlled conditions; Security teams using hping3 for legitimate network diagnostic or firewall rule testing in authorized environments.

T1499

Endpoint Denial of Service

Q: What data sources are required to detect Endpoint Denial of Service (T1499)?

Detecting Endpoint Denial of Service requires the following data sources: Process: Process Creation, Network Traffic: Network Connection Creation, Microsoft Defender for Endpoint.

Impact Last updated: April 19, 2026

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting system resources (CPU, memory, disk, network connections) or exploiting the system to cause a persistent crash condition. Unlike network-saturating DDoS, Endpoint DoS targets the application stack layers hosted on the victim system — including OS, web servers, DNS, databases, and web applications. Attackers may use IP spoofing, botnets, or direct tools such as hping3, stress-ng, Apache Bench, and custom scripts to generate floods. Observed threat actors include Sandworm Team (disrupting Georgian government websites) and ZxShell malware (SYN flood capability). This detection covers the execution of known DoS tools, abnormal network connection volume from single processes, and resource exhaustion indicators.

What is T1499 Endpoint Denial of Service?

Endpoint Denial of Service (T1499) maps to the Impact tactic — the adversary is trying to manipulate, interrupt, or destroy your systems and data in MITRE ATT&CK.

This page provides production-ready detection logic for Endpoint Denial of Service, covering the data sources and telemetry it touches: Process: Process Creation, Network Traffic: Network Connection Creation, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Impact
Technique: T1499 Endpoint Denial of Service
Canonical reference: https://attack.mitre.org/techniques/T1499/

Microsoft Sentinel / Defender

kusto

let KnownDoSTools = dynamic([
  "hping3", "hping", "stress-ng", "stress", "memtester",
  "ab.exe", "ab", "siege", "wrk", "wrk2", "slowloris",
  "loic", "hoic", "goldeneye", "hulk", "pyloris",
  "torsocks", "rudy", "xerxes", "torshammer",
  "mz", "ncrack", "thc-ssl-dos"
]);
let DoSCommandPatterns = dynamic([
  "--flood", "--syn", "-S --flood", "--icmp --flood",
  "stress --cpu", "stress --vm", "stress --io", "stress-ng --cpu",
  "stress-ng --vm", "stress-ng --sock", "--workers",
  ":(){ :|:", "fork bomb",
  "-c 10000", "-n 100000", "--concurrency 5000"
]);
let HighConnectionThreshold = 500;
// Detection 1: Known DoS tool execution
let DoSToolExecution =
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName has_any (KnownDoSTools)
   or ProcessCommandLine has_any (DoSCommandPatterns)
| extend DetectionType = "KnownDoSTool"
| extend RiskIndicator = strcat(FileName, " | ", ProcessCommandLine);
// Detection 2: Abnormal outbound connection volume from a single process (potential flood)
let NetworkFlood =
DeviceNetworkEvents
| where Timestamp > ago(10m)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
| summarize
    ConnectionCount = count(),
    UniqueDestIPs = dcount(RemoteIP),
    UniqueDestPorts = dcount(RemotePort),
    Protocols = make_set(Protocol),
    EarliestConn = min(Timestamp),
    LatestConn = max(Timestamp)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| where ConnectionCount > HighConnectionThreshold
| extend DetectionType = "NetworkFlood"
| extend RiskIndicator = strcat("ConnectionCount=", ConnectionCount, " UniqueIPs=", UniqueDestIPs);
// Detection 3: Rapid fork / process spawning (potential fork bomb or process exhaustion)
let ProcessExhaustion =
DeviceProcessEvents
| where Timestamp > ago(5m)
| summarize
    ProcessCount = count(),
    UniqueExecutables = dcount(FileName),
    ParentProcesses = make_set(InitiatingProcessFileName, 5)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName
| where ProcessCount > 200 and UniqueExecutables < 3
| extend DetectionType = "ProcessSpawnExhaustion"
| extend RiskIndicator = strcat("ProcessCount=", ProcessCount, " UniqueExe=", UniqueExecutables);
// Union all detections
DoSToolExecution
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
          DetectionType, FileName, ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RiskIndicator
| union (
    NetworkFlood
    | project
        Timestamp=EarliestConn, DeviceName,
        AccountName=InitiatingProcessAccountName,
        DetectionType,
        FileName=InitiatingProcessFileName,
        ProcessCommandLine=InitiatingProcessCommandLine,
        InitiatingProcessFileName="",
        InitiatingProcessCommandLine="",
        RiskIndicator
)
| union (
    ProcessExhaustion
    | project
        Timestamp=now(), DeviceName,
        AccountName=InitiatingProcessAccountName,
        DetectionType,
        FileName=InitiatingProcessFileName,
        ProcessCommandLine="",
        InitiatingProcessFileName="",
        InitiatingProcessCommandLine="",
        RiskIndicator
)
| sort by Timestamp desc

Multi-signal detection for Endpoint Denial of Service covering three distinct patterns: (1) Execution of known DoS tools such as hping3, stress-ng, ab, siege, LOIC, and GoldenEye by filename or command-line patterns including --flood, --syn, and high concurrency flags; (2) A single process generating more than 500 outbound network connections within a 10-minute window, indicating application-layer flood behavior; (3) Rapid process spawning where a single parent process creates more than 200 child processes within 5 minutes using fewer than 3 unique executables, indicative of fork bomb or process exhaustion attacks. Results are unioned into a single timeline with a DetectionType field for triage prioritization.

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Performance testing teams running Apache Bench (ab), wrk, or siege against internal load balancers or staging environments during authorized load tests
Site reliability engineers running stress-ng or stress on Linux servers to validate autoscaling or hardware under controlled conditions
Security teams using hping3 for legitimate network diagnostic or firewall rule testing in authorized environments
High-throughput legitimate services (CDN proxies, load balancers, streaming servers) that maintain large persistent connection pools
Deployment automation or CI/CD pipeline jobs that spawn many short-lived processes in rapid succession during build or test phases

Splunk

spl

| union
(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (
    Image="*\\hping3.exe" OR Image="*\\hping.exe" OR Image="*\\stress-ng.exe"
    OR Image="*\\ab.exe" OR Image="*\\siege.exe" OR Image="*\\wrk.exe"
    OR Image="*\\loic.exe" OR Image="*\\hoic.exe" OR Image="*\\goldeneye.py"
    OR CommandLine="*--flood*" OR CommandLine="*--syn*"
    OR CommandLine="*stress --cpu*" OR CommandLine="*stress-ng --cpu*"
    OR CommandLine="*stress-ng --vm*" OR CommandLine="*stress-ng --sock*"
    OR CommandLine="*-c 10000*" OR CommandLine="*--concurrency 5000*"
    OR CommandLine="*:(){ :|:*"
  )
  | eval DetectionType="KnownDoSTool"
  | eval RiskIndicator=mvappend(Image, CommandLine)
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, RiskIndicator
)
(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
  | bucket span=10m _time
  | stats
      count as ConnectionCount,
      dc(DestinationIp) as UniqueDestIPs,
      dc(DestinationPort) as UniqueDestPorts,
      values(DestinationPort) as Ports
    by _time, host, User, Image, CommandLine
  | where ConnectionCount > 500
  | eval DetectionType="NetworkFlood"
  | eval RiskIndicator="ConnectionCount=".ConnectionCount." UniqueIPs=".UniqueDestIPs
  | table _time, host, User, Image, CommandLine, ConnectionCount, UniqueDestIPs, UniqueDestPorts, Ports, DetectionType, RiskIndicator
)
(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  | bucket span=5m _time
  | stats
      count as ProcessCount,
      dc(Image) as UniqueExecutables,
      values(Image) as SpawnedImages
    by _time, host, User, ParentImage, ParentCommandLine
  | where ProcessCount > 200 AND UniqueExecutables < 3
  | eval DetectionType="ProcessSpawnExhaustion"
  | eval RiskIndicator="ProcessCount=".ProcessCount." UniqueExe=".UniqueExecutables
  | table _time, host, User, ParentImage, ParentCommandLine, ProcessCount, UniqueExecutables, SpawnedImages, DetectionType, RiskIndicator
)
| sort - _time

Multi-signal Splunk detection for Endpoint DoS using three correlated search branches unioned into a single result set. Branch 1 uses Sysmon Event ID 1 (Process Create) to identify known DoS tool execution by image name and command-line patterns including flood flags, stress tool parameters, and high-concurrency invocations. Branch 2 uses Sysmon Event ID 3 (Network Connection) to bucket external outbound connections in 10-minute windows and flag any process generating more than 500 connections to external IPs. Branch 3 uses Sysmon Event ID 1 to detect fork bomb or process exhaustion: a single parent process spawning more than 200 children using fewer than 3 unique executables within a 5-minute window. The DetectionType field in results identifies which signal fired for analyst triage.

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Performance testing teams running Apache Bench (ab), wrk, or siege against internal load balancers or staging environments during authorized load tests
Site reliability engineers running stress-ng or stress on Linux servers to validate autoscaling under controlled conditions
Security teams using hping3 for legitimate network diagnostic or firewall rule testing
High-throughput legitimate services that maintain large persistent connection pools (CDN proxies, streaming servers)
CI/CD pipeline jobs that spawn many short-lived processes in rapid succession during build phases

Elastic Security (EQL)

eql

// Detection 1: Known DoS tool execution
any where (
  event.category == "process" and event.type == "start" and (
    process.name in ("hping3", "hping", "stress-ng", "stress", "memtester", "ab", "siege", "wrk", "wrk2", "slowloris", "loic", "hoic", "goldeneye", "hulk", "pyloris", "rudy", "xerxes", "torshammer", "mz", "ncrack", "thc-ssl-dos") or
    process.args in ("--flood", "--syn", "--icmp") or
    process.command_line like "*--flood*" or
    process.command_line like "*stress --cpu*" or
    process.command_line like "*stress-ng --cpu*" or
    process.command_line like "*stress-ng --vm*" or
    process.command_line like "*stress-ng --sock*" or
    process.command_line like "*:(){ :|:*" or
    process.command_line like "*-c 10000*" or
    process.command_line like "*--concurrency 5000*"
  )
)

// Detection 2: Network flood — sequence of high outbound connection counts
// Use aggregation query for flood detection:
// sequence by host.name, process.name with maxspan=10m
//   [network where event.type == "connection_attempted"] with runs=500
// Note: Run as aggregation EQL or use ES|QL for threshold-based:
// FROM logs-endpoint.events.network-*
// | WHERE event.type == "connection_attempted"
// | STATS conn_count = COUNT(*), unique_ips = COUNT_DISTINCT(destination.ip) BY host.name, process.name, process.command_line
// | WHERE conn_count > 500

// Detection 3: Process spawn exhaustion
// FROM logs-endpoint.events.process-*
// | WHERE event.type == "start"
// | STATS proc_count = COUNT(*), unique_exe = COUNT_DISTINCT(process.name) BY host.name, process.parent.name, process.parent.command_line
// | WHERE proc_count > 200 AND unique_exe < 3

Detects Endpoint Denial of Service activity via three complementary approaches: (1) execution of known DoS tools such as hping3, stress-ng, LOIC, siege, and wrk by process name or command-line argument patterns; (2) abnormal outbound network connection volume from a single process exceeding 500 connections within 10 minutes indicating a potential flood attack; and (3) rapid process spawning where a single parent spawns more than 200 child processes with fewer than 3 unique executables within 5 minutes, indicating a fork bomb or process exhaustion attack. Maps to MITRE ATT&CK T1499.

high severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.process) Elastic Endpoint Security (endpoint.events.network) Elastic Agent with endpoint integration

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-*

False Positives

Legitimate load testing by QA or performance teams using tools like Apache Bench (ab), siege, or wrk against internal staging environments
System administrators running stress-ng or memtester to diagnose hardware issues or validate new server deployments
CI/CD pipeline performance benchmarking jobs that spin up multiple short-lived worker processes rapidly, triggering the process spawn threshold

IBM QRadar (AQL)

sql

// Detection 1: Known DoS tool execution
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  'KnownDoSTool' AS detection_type,
  CONCAT('ProcessName=', "Image") AS risk_indicator
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12 /* Sysmon */
  AND QIDNAME(qid) = 'Process Create'
  AND (
    LOWER("Image") ILIKE '%hping3%' OR LOWER("Image") ILIKE '%hping.exe%'
    OR LOWER("Image") ILIKE '%stress-ng%' OR LOWER("Image") ILIKE '%memtester%'
    OR LOWER("Image") ILIKE '%ab.exe%' OR LOWER("Image") ILIKE '%siege%'
    OR LOWER("Image") ILIKE '%wrk.exe%' OR LOWER("Image") ILIKE '%loic%'
    OR LOWER("Image") ILIKE '%hoic%' OR LOWER("Image") ILIKE '%goldeneye%'
    OR LOWER("Image") ILIKE '%slowloris%' OR LOWER("Image") ILIKE '%torshammer%'
    OR LOWER("Image") ILIKE '%ncrack%' OR LOWER("Image") ILIKE '%thc-ssl-dos%'
    OR LOWER("CommandLine") ILIKE '%--%flood%'
    OR LOWER("CommandLine") ILIKE '%--syn%'
    OR LOWER("CommandLine") ILIKE '%stress --cpu%'
    OR LOWER("CommandLine") ILIKE '%stress-ng --cpu%'
    OR LOWER("CommandLine") ILIKE '%stress-ng --vm%'
    OR LOWER("CommandLine") ILIKE '%stress-ng --sock%'
    OR LOWER("CommandLine") ILIKE '%:(){ :|:%'
    OR LOWER("CommandLine") ILIKE '%-c 10000%'
    OR LOWER("CommandLine") ILIKE '%--concurrency 5000%'
  )
  AND starttime > NOW() - 3600000
UNION ALL
-- Detection 2: Network flood from single process
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  'NetworkFlood' AS detection_type,
  CONCAT('ConnectionCount=', COUNT(*), ' UniqueDestIPs=', COUNT(DISTINCT destinationip)) AS risk_indicator
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND QIDNAME(qid) = 'Network connection detected'
  AND NOT (destinationip ILIKE '10.%' OR destinationip ILIKE '172.16.%'
    OR destinationip ILIKE '192.168.%' OR destinationip ILIKE '127.%')
  AND starttime > NOW() - 600000
GROUP BY
  logsourceid, sourceip, username, "Image", "CommandLine"
HAVING COUNT(*) > 500
UNION ALL
-- Detection 3: Process spawn exhaustion
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "ParentImage" AS process_image,
  "ParentCommandLine" AS command_line,
  'ProcessSpawnExhaustion' AS detection_type,
  CONCAT('ProcessCount=', COUNT(*), ' UniqueExe=', COUNT(DISTINCT "Image")) AS risk_indicator
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND QIDNAME(qid) = 'Process Create'
  AND starttime > NOW() - 300000
GROUP BY
  logsourceid, sourceip, username, "ParentImage", "ParentCommandLine"
HAVING COUNT(*) > 200 AND COUNT(DISTINCT "Image") < 3
ORDER BY event_time DESC

IBM QRadar AQL detection for Endpoint Denial of Service (T1499) targeting three attack patterns: known DoS tool execution identified by process image name or command-line arguments, high-volume outbound network connection flooding exceeding 500 connections within 10 minutes from a single process to external IPs, and process spawn exhaustion where a single parent spawns over 200 child processes with fewer than 3 distinct executables within 5 minutes. Queries Sysmon event data ingested via QRadar log sources.

high severity medium confidence

Data Sources

IBM QRadar SIEM with Sysmon log source (LOGSOURCETYPEID 12) Windows Sysmon Event ID 1 (Process Create) via Universal DSM or Sysmon DSM Windows Sysmon Event ID 3 (Network Connection) via Universal DSM

Required Tables

events (QRadar normalized event table)

False Positives

Developer or QA workstations running Apache Bench or wrk for legitimate API load testing against development servers, triggering the known tool and network flood rules simultaneously
Automated build systems or test pipelines using stress-ng to validate container resource limits or Kubernetes pod autoscaling behavior
Monitoring agents or endpoint security tools that establish high volumes of short-lived network connections during scanning or telemetry collection, exceeding the 500-connection threshold

Sumo Logic CSE

sql

// Detection 1: Known DoS Tool Execution
_sourceCategory="windows/sysmon" EventCode=1
| where Image matches "*hping3*" OR Image matches "*hping.exe*"
  OR Image matches "*stress-ng*" OR Image matches "*memtester*"
  OR Image matches "*ab.exe" OR Image matches "*siege*"
  OR Image matches "*wrk.exe*" OR Image matches "*loic*"
  OR Image matches "*hoic*" OR Image matches "*goldeneye*"
  OR Image matches "*slowloris*" OR Image matches "*torshammer*"
  OR Image matches "*ncrack*" OR Image matches "*thc-ssl-dos*"
  OR CommandLine matches "*--flood*"
  OR CommandLine matches "*--syn*"
  OR CommandLine matches "*stress --cpu*"
  OR CommandLine matches "*stress-ng --cpu*"
  OR CommandLine matches "*stress-ng --vm*"
  OR CommandLine matches "*stress-ng --sock*"
  OR CommandLine matches "*:(){ :|:*"
  OR CommandLine matches "*-c 10000*"
  OR CommandLine matches "*--concurrency 5000*"
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine
| concat(Image, " | ", CommandLine) as RiskIndicator
| "KnownDoSTool" as DetectionType

// Detection 2: Network Flood (run as separate query)
// _sourceCategory="windows/sysmon" EventCode=3
// | where !(DestinationIp matches "10.*" OR DestinationIp matches "172.16.*"
//   OR DestinationIp matches "192.168.*" OR DestinationIp matches "127.*")
// | timeslice 10m
// | stats count as ConnectionCount, dcount(DestinationIp) as UniqueDestIPs,
//         dcount(DestinationPort) as UniqueDestPorts
//   by _timeslice, Computer, User, Image, CommandLine
// | where ConnectionCount > 500
// | concat("ConnectionCount=", ConnectionCount, " UniqueIPs=", UniqueDestIPs) as RiskIndicator
// | "NetworkFlood" as DetectionType

// Detection 3: Process Spawn Exhaustion (run as separate query)
// _sourceCategory="windows/sysmon" EventCode=1
// | timeslice 5m
// | stats count as ProcessCount, dcount(Image) as UniqueExecutables,
//         values(Image) as SpawnedImages
//   by _timeslice, Computer, User, ParentImage, ParentCommandLine
// | where ProcessCount > 200 AND UniqueExecutables < 3
// | concat("ProcessCount=", ProcessCount, " UniqueExe=", UniqueExecutables) as RiskIndicator
// | "ProcessSpawnExhaustion" as DetectionType

Sumo Logic detection for Endpoint Denial of Service (T1499) using Sysmon data ingested via the windows/sysmon source category. Three detection branches address: (1) execution of known DoS and stress-testing tools by process image name or command-line argument patterns including flood flags and fork bomb syntax; (2) network connection flooding from a single process exceeding 500 external connections within a 10-minute time slice; and (3) process spawn exhaustion where a parent process generates over 200 child processes with fewer than 3 distinct executable names within 5 minutes. Queries are structured for individual execution or combination via union in a Sumo Logic scheduled search.

high severity high confidence

Data Sources

Sumo Logic with Windows Sysmon collector (EventCode 1 and EventCode 3) Sumo Logic Installed Collector on Windows endpoints with Sysmon operational log source

Required Tables

_sourceCategory=windows/sysmon

False Positives

Security researchers or red team members running controlled stress tests against isolated lab environments using tools like hping3 or siege, which will match known DoS tool names
Large-scale web crawlers, scraping jobs, or integration tests that generate high numbers of outbound HTTP connections within short windows, triggering the network flood threshold
Application servers with a high process fork model (such as pre-fork Apache or uWSGI) that rapidly spawn worker processes on startup or during traffic spikes, triggering the process exhaustion rule

Google Chronicle / SecOps

yaral

rule endpoint_dos_tool_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects execution of known Endpoint DoS tools or command patterns associated with MITRE ATT&CK T1499"
    severity = "HIGH"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499"
    reference = "https://attack.mitre.org/techniques/T1499/"
    created = "2026-04-19"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.principal.process.file.full_path, `(?i)(hping3|hping\.exe|stress-ng|memtester|ab\.exe|siege\.exe|wrk\.exe|wrk2|loic\.exe|hoic\.exe|goldeneye|slowloris|torshammer|ncrack|thc-ssl-dos|xerxes|rudy|pyloris|hulk)`) or
      re.regex($e.target.process.command_line, `(?i)(--flood|--syn\s|stress\s--cpu|stress-ng\s--cpu|stress-ng\s--vm|stress-ng\s--sock|:\(\)\{\s:\|:|fork bomb|-c\s10000|--concurrency\s5000)`) or
      re.regex($e.target.process.file.full_path, `(?i)(hping3|hping\.exe|stress-ng|memtester|ab\.exe|siege\.exe|wrk\.exe|loic\.exe|hoic\.exe|goldeneye|slowloris|torshammer|ncrack|thc-ssl-dos)`)
    )
  condition:
    $e
}

rule endpoint_dos_network_flood {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects abnormal outbound network connection volume from a single process indicating a potential DoS flood attack — T1499"
    severity = "HIGH"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499"
    reference = "https://attack.mitre.org/techniques/T1499/"
    created = "2026-04-19"
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    not re.regex($e.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)
    $hostname = $e.principal.hostname
    $proc = $e.principal.process.file.full_path
  match:
    $hostname, $proc over 10m
  outcome:
    $connection_count = count_distinct($e.metadata.id)
    $unique_dest_ips = count_distinct($e.target.ip)
    $unique_dest_ports = count_distinct($e.target.port)
    $risk_indicator = array_distinct($e.target.ip)
  condition:
    #e > 500
}

rule endpoint_dos_process_exhaustion {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects rapid process spawning from a single parent indicative of fork bomb or process exhaustion attack — T1499"
    severity = "CRITICAL"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499"
    reference = "https://attack.mitre.org/techniques/T1499/"
    created = "2026-04-19"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $parent_proc = $e.principal.process.file.full_path
    $hostname = $e.principal.hostname
    $child_exe = $e.target.process.file.full_path
  match:
    $hostname, $parent_proc over 5m
  outcome:
    $spawn_count = count_distinct($e.metadata.id)
    $unique_child_exe = count_distinct($child_exe)
  condition:
    #e > 200 and $unique_child_exe < 3
}

Three Chronicle YARA-L 2.0 rules covering Endpoint Denial of Service (T1499): (1) endpoint_dos_tool_execution matches PROCESS_LAUNCH events where the process file path or command line contains known DoS tool names or flood/stress argument patterns using regex; (2) endpoint_dos_network_flood uses a 10-minute match window to count outbound NETWORK_CONNECTION events per host and process, triggering when a single process exceeds 500 external connections; (3) endpoint_dos_process_exhaustion uses a 5-minute match window to detect rapid child process spawning from a single parent exceeding 200 spawns with fewer than 3 distinct executable names, indicating a fork bomb or process exhaustion attack. All rules include MITRE ATT&CK metadata aligned with the Impact tactic.

high severity high confidence

Data Sources

Google Chronicle UDM with EDR telemetry (CrowdStrike, Carbon Black, SentinelOne, or Microsoft Defender) Chronicle Ingestion API or forwarder with endpoint process and network events UDM event types: PROCESS_LAUNCH, NETWORK_CONNECTION

Required Tables

UDM events (process_launch, network_connection)

False Positives

Authorized penetration testers using hping3 or siege as part of a scoped engagement — process names will match the known tool list without malicious intent
Network performance monitoring tools or synthetic transaction monitors that generate high outbound connection volumes to external SaaS endpoints for availability checks
High-concurrency application servers (Erlang/OTP, Go goroutine-heavy services, or Node.js cluster mode) that spawn numerous short-lived processes or threads during normal operation, triggering the spawn count threshold

CrowdStrike LogScale (CQL)

cql

// Detection 1: Known DoS Tool Execution
#event_simpleName=ProcessRollup2
| FileName = /hping3|hping\.exe|stress-ng|memtester|ab\.exe|siege|wrk\.exe|wrk2|loic|hoic|goldeneye|slowloris|torshammer|ncrack|thc-ssl-dos|xerxes|rudy|pyloris|hulk/i
  OR CommandLine = /--flood|--syn\s|stress\s--cpu|stress-ng\s--cpu|stress-ng\s--vm|stress-ng\s--sock|:\(\)\{\s:\|:|-c\s10000|--concurrency\s5000/i
| groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName],
    function=[
      count(as=EventCount),
      selectLast(ParentCommandLine),
      selectLast(timestamp, as=LastSeen)
    ]
  )
| DetectionType := "KnownDoSTool"
| RiskIndicator := format("Process=%s | Args=%s", field=FileName, field=CommandLine)
| sort(LastSeen, order=desc)

// Detection 2: Network Flood — high outbound connection count from a single process
// (run as separate query)
// #event_simpleName=NetworkConnectIP4
// | LocalAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
// | groupBy([ComputerName, ImageFileName, UserName],
//     function=[
//       count(as=ConnectionCount),
//       count(RemoteAddressIP4, distinct=true, as=UniqueDestIPs),
//       count(RemotePort, distinct=true, as=UniqueDestPorts)
//     ],
//     limit=max,
//     start=now()-10min
//   )
// | ConnectionCount > 500
// | DetectionType := "NetworkFlood"
// | RiskIndicator := format("ConnectionCount=%s UniqueIPs=%s", field=ConnectionCount, field=UniqueDestIPs)
// | sort(ConnectionCount, order=desc)

// Detection 3: Process Spawn Exhaustion
// (run as separate query)
// #event_simpleName=ProcessRollup2
// | groupBy([ComputerName, ParentBaseFileName, UserName],
//     function=[
//       count(as=ProcessCount),
//       count(FileName, distinct=true, as=UniqueExecutables),
//       collect(FileName, max=10, as=SpawnedExecutables)
//     ],
//     limit=max,
//     start=now()-5min
//   )
// | ProcessCount > 200 AND UniqueExecutables < 3
// | DetectionType := "ProcessSpawnExhaustion"
// | RiskIndicator := format("ProcessCount=%s UniqueExe=%s", field=ProcessCount, field=UniqueExecutables)
// | sort(ProcessCount, order=desc)

CrowdStrike LogScale (Falcon) detection for Endpoint Denial of Service (T1499) using Falcon telemetry. Three detection branches: (1) ProcessRollup2 events matching known DoS tool file names (hping3, stress-ng, LOIC, siege, etc.) or flood/stress command-line arguments using LogScale regex matching, grouped by host and process for deduplication; (2) NetworkConnectIP4 events aggregated over 10 minutes to detect processes generating more than 500 outbound connections to external IPs from a single process, indicating a network flood; (3) ProcessRollup2 events aggregated over 5 minutes to detect single-parent process spawning more than 200 children with fewer than 3 distinct executable names, indicating a fork bomb or process exhaustion attack. All detections leverage CrowdStrike Falcon's native EDR telemetry without requiring additional log sources.

high severity high confidence

Data Sources

CrowdStrike Falcon EDR with LogScale (Humio) integration Falcon event streams: ProcessRollup2, NetworkConnectIP4

Required Tables

ProcessRollup2 (#event_simpleName=ProcessRollup2) NetworkConnectIP4 (#event_simpleName=NetworkConnectIP4)

False Positives

IT operations teams running wrk or Apache Bench (ab) against internal web servers for capacity planning or pre-deployment performance validation, matching both tool name and connection volume rules
Security tooling such as vulnerability scanners or asset inventory agents that enumerate services via high-volume short-lived TCP connections, exceeding the 500-connection threshold
Containerized workloads or serverless function runners (Lambda emulators, Docker-in-Docker) that spawn many identical worker container processes in rapid succession, triggering the process spawn exhaustion rule with low unique executable diversity

Sigma rule & cross-platform mapping

The detection logic for Endpoint Denial of Service (T1499) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1499 Sigma rules on detection.fyi

Platform-specific guides for T1499

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-19 Research depth: deep

References (8)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1CPU Exhaustion with stress-ng (Linux)
Expected signal: Sysmon for Linux Event ID 1 (Process Create): Image=/usr/bin/stress-ng, CommandLine contains '--cpu 0 --cpu-load 100'. Linux audit log (execve syscall): stress-ng invocation. /proc/loadavg will show load equal to number of CPU cores during test window. System CPU utilization in monitoring tools should spike to 100%.
Test 2HTTP Flood Simulation with Apache Bench (Windows/Linux)
Expected signal: Sysmon Event ID 1: Image=ab.exe, CommandLine contains '-n 50000 -c 500'. Sysmon Event ID 3: Rapid outbound connections to 127.0.0.1:80. NetworkFlood branch will aggregate these into the 10-minute bucket. Windows Firewall log entries for loopback connections may appear if firewall logging is enabled.
Test 3SYN Flood Simulation with hping3 (Linux — requires root)
Expected signal: Sysmon for Linux Event ID 1: Image=/usr/sbin/hping3, CommandLine contains '--syn --rand-source --flood'. Linux audit log: execve syscall for hping3 with full arguments. Network statistics: netstat or ss will show spike in SYN connections on the loopback interface. /proc/net/tcp will show many half-open connections.
Test 4Fork Bomb Execution — Limited Variant (Linux)
Expected signal: Sysmon for Linux Event ID 1: 50+ Process Create events from the same parent bash PID within seconds, all spawning 'sleep' processes. ProcessSpawnExhaustion bucket will accumulate ProcessCount=50+ with UniqueExecutables=1 (sleep). Parent process command line contains the for loop.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1499 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Endpoint Denial of Service

What is T1499 Endpoint Denial of Service?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1499

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (4)

Related Techniques

Same Tactic: Impact

Popular Detections

What is T1499 Endpoint Denial of Service?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1499

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (4)

Related Techniques

Same Tactic: Impact

Popular Detections

Get new detections in your inbox