T1499

Endpoint Denial of Service

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting system resources (CPU, memory, disk, network connections) or exploiting the system to cause a persistent crash condition. Unlike network-saturating DDoS, Endpoint DoS targets the application stack layers hosted on the victim system — including OS, web servers, DNS, databases, and web applications. Attackers may use IP spoofing, botnets, or direct tools such as hping3, stress-ng, Apache Bench, and custom scripts to generate floods. Observed threat actors include Sandworm Team (disrupting Georgian government websites) and ZxShell malware (SYN flood capability). This detection covers the execution of known DoS tools, abnormal network connection volume from single processes, and resource exhaustion indicators.

Microsoft Sentinel / Defender

kusto

let KnownDoSTools = dynamic([
  "hping3", "hping", "stress-ng", "stress", "memtester",
  "ab.exe", "ab", "siege", "wrk", "wrk2", "slowloris",
  "loic", "hoic", "goldeneye", "hulk", "pyloris",
  "torsocks", "rudy", "xerxes", "torshammer",
  "mz", "ncrack", "thc-ssl-dos"
]);
let DoSCommandPatterns = dynamic([
  "--flood", "--syn", "-S --flood", "--icmp --flood",
  "stress --cpu", "stress --vm", "stress --io", "stress-ng --cpu",
  "stress-ng --vm", "stress-ng --sock", "--workers",
  ":(){ :|:", "fork bomb",
  "-c 10000", "-n 100000", "--concurrency 5000"
]);
let HighConnectionThreshold = 500;
// Detection 1: Known DoS tool execution
let DoSToolExecution =
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName has_any (KnownDoSTools)
   or ProcessCommandLine has_any (DoSCommandPatterns)
| extend DetectionType = "KnownDoSTool"
| extend RiskIndicator = strcat(FileName, " | ", ProcessCommandLine);
// Detection 2: Abnormal outbound connection volume from a single process (potential flood)
let NetworkFlood =
DeviceNetworkEvents
| where Timestamp > ago(10m)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
| summarize
    ConnectionCount = count(),
    UniqueDestIPs = dcount(RemoteIP),
    UniqueDestPorts = dcount(RemotePort),
    Protocols = make_set(Protocol),
    EarliestConn = min(Timestamp),
    LatestConn = max(Timestamp)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| where ConnectionCount > HighConnectionThreshold
| extend DetectionType = "NetworkFlood"
| extend RiskIndicator = strcat("ConnectionCount=", ConnectionCount, " UniqueIPs=", UniqueDestIPs);
// Detection 3: Rapid fork / process spawning (potential fork bomb or process exhaustion)
let ProcessExhaustion =
DeviceProcessEvents
| where Timestamp > ago(5m)
| summarize
    ProcessCount = count(),
    UniqueExecutables = dcount(FileName),
    ParentProcesses = make_set(InitiatingProcessFileName, 5)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName
| where ProcessCount > 200 and UniqueExecutables < 3
| extend DetectionType = "ProcessSpawnExhaustion"
| extend RiskIndicator = strcat("ProcessCount=", ProcessCount, " UniqueExe=", UniqueExecutables);
// Union all detections
DoSToolExecution
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
          DetectionType, FileName, ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RiskIndicator
| union (
    NetworkFlood
    | project
        Timestamp=EarliestConn, DeviceName,
        AccountName=InitiatingProcessAccountName,
        DetectionType,
        FileName=InitiatingProcessFileName,
        ProcessCommandLine=InitiatingProcessCommandLine,
        InitiatingProcessFileName="",
        InitiatingProcessCommandLine="",
        RiskIndicator
)
| union (
    ProcessExhaustion
    | project
        Timestamp=now(), DeviceName,
        AccountName=InitiatingProcessAccountName,
        DetectionType,
        FileName=InitiatingProcessFileName,
        ProcessCommandLine="",
        InitiatingProcessFileName="",
        InitiatingProcessCommandLine="",
        RiskIndicator
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Performance testing teams running Apache Bench (ab), wrk, or siege against internal load balancers or staging environments during authorized load tests
Site reliability engineers running stress-ng or stress on Linux servers to validate autoscaling or hardware under controlled conditions
Security teams using hping3 for legitimate network diagnostic or firewall rule testing in authorized environments
High-throughput legitimate services (CDN proxies, load balancers, streaming servers) that maintain large persistent connection pools
Deployment automation or CI/CD pipeline jobs that spawn many short-lived processes in rapid succession during build or test phases

Splunk

spl

| union
(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (
    Image="*\\hping3.exe" OR Image="*\\hping.exe" OR Image="*\\stress-ng.exe"
    OR Image="*\\ab.exe" OR Image="*\\siege.exe" OR Image="*\\wrk.exe"
    OR Image="*\\loic.exe" OR Image="*\\hoic.exe" OR Image="*\\goldeneye.py"
    OR CommandLine="*--flood*" OR CommandLine="*--syn*"
    OR CommandLine="*stress --cpu*" OR CommandLine="*stress-ng --cpu*"
    OR CommandLine="*stress-ng --vm*" OR CommandLine="*stress-ng --sock*"
    OR CommandLine="*-c 10000*" OR CommandLine="*--concurrency 5000*"
    OR CommandLine="*:(){ :|:*"
  )
  | eval DetectionType="KnownDoSTool"
  | eval RiskIndicator=mvappend(Image, CommandLine)
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, RiskIndicator
)
(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
  | bucket span=10m _time
  | stats
      count as ConnectionCount,
      dc(DestinationIp) as UniqueDestIPs,
      dc(DestinationPort) as UniqueDestPorts,
      values(DestinationPort) as Ports
    by _time, host, User, Image, CommandLine
  | where ConnectionCount > 500
  | eval DetectionType="NetworkFlood"
  | eval RiskIndicator="ConnectionCount=".ConnectionCount." UniqueIPs=".UniqueDestIPs
  | table _time, host, User, Image, CommandLine, ConnectionCount, UniqueDestIPs, UniqueDestPorts, Ports, DetectionType, RiskIndicator
)
(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  | bucket span=5m _time
  | stats
      count as ProcessCount,
      dc(Image) as UniqueExecutables,
      values(Image) as SpawnedImages
    by _time, host, User, ParentImage, ParentCommandLine
  | where ProcessCount > 200 AND UniqueExecutables < 3
  | eval DetectionType="ProcessSpawnExhaustion"
  | eval RiskIndicator="ProcessCount=".ProcessCount." UniqueExe=".UniqueExecutables
  | table _time, host, User, ParentImage, ParentCommandLine, ProcessCount, UniqueExecutables, SpawnedImages, DetectionType, RiskIndicator
)
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Performance testing teams running Apache Bench (ab), wrk, or siege against internal load balancers or staging environments during authorized load tests
Site reliability engineers running stress-ng or stress on Linux servers to validate autoscaling under controlled conditions
Security teams using hping3 for legitimate network diagnostic or firewall rule testing
High-throughput legitimate services that maintain large persistent connection pools (CDN proxies, streaming servers)
CI/CD pipeline jobs that spawn many short-lived processes in rapid succession during build phases

Elastic Security (EQL)

eql

// Detection 1: Known DoS tool execution
any where (
  event.category == "process" and event.type == "start" and (
    process.name in ("hping3", "hping", "stress-ng", "stress", "memtester", "ab", "siege", "wrk", "wrk2", "slowloris", "loic", "hoic", "goldeneye", "hulk", "pyloris", "rudy", "xerxes", "torshammer", "mz", "ncrack", "thc-ssl-dos") or
    process.args in ("--flood", "--syn", "--icmp") or
    process.command_line like "*--flood*" or
    process.command_line like "*stress --cpu*" or
    process.command_line like "*stress-ng --cpu*" or
    process.command_line like "*stress-ng --vm*" or
    process.command_line like "*stress-ng --sock*" or
    process.command_line like "*:(){ :|:*" or
    process.command_line like "*-c 10000*" or
    process.command_line like "*--concurrency 5000*"
  )
)

// Detection 2: Network flood — sequence of high outbound connection counts
// Use aggregation query for flood detection:
// sequence by host.name, process.name with maxspan=10m
//   [network where event.type == "connection_attempted"] with runs=500
// Note: Run as aggregation EQL or use ES|QL for threshold-based:
// FROM logs-endpoint.events.network-*
// | WHERE event.type == "connection_attempted"
// | STATS conn_count = COUNT(*), unique_ips = COUNT_DISTINCT(destination.ip) BY host.name, process.name, process.command_line
// | WHERE conn_count > 500

// Detection 3: Process spawn exhaustion
// FROM logs-endpoint.events.process-*
// | WHERE event.type == "start"
// | STATS proc_count = COUNT(*), unique_exe = COUNT_DISTINCT(process.name) BY host.name, process.parent.name, process.parent.command_line
// | WHERE proc_count > 200 AND unique_exe < 3

high severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.process) Elastic Endpoint Security (endpoint.events.network) Elastic Agent with endpoint integration

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-*

False Positives

Legitimate load testing by QA or performance teams using tools like Apache Bench (ab), siege, or wrk against internal staging environments
System administrators running stress-ng or memtester to diagnose hardware issues or validate new server deployments
CI/CD pipeline performance benchmarking jobs that spin up multiple short-lived worker processes rapidly, triggering the process spawn threshold

IBM QRadar (AQL)

sql

// Detection 1: Known DoS tool execution
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  'KnownDoSTool' AS detection_type,
  CONCAT('ProcessName=', "Image") AS risk_indicator
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12 /* Sysmon */
  AND QIDNAME(qid) = 'Process Create'
  AND (
    LOWER("Image") ILIKE '%hping3%' OR LOWER("Image") ILIKE '%hping.exe%'
    OR LOWER("Image") ILIKE '%stress-ng%' OR LOWER("Image") ILIKE '%memtester%'
    OR LOWER("Image") ILIKE '%ab.exe%' OR LOWER("Image") ILIKE '%siege%'
    OR LOWER("Image") ILIKE '%wrk.exe%' OR LOWER("Image") ILIKE '%loic%'
    OR LOWER("Image") ILIKE '%hoic%' OR LOWER("Image") ILIKE '%goldeneye%'
    OR LOWER("Image") ILIKE '%slowloris%' OR LOWER("Image") ILIKE '%torshammer%'
    OR LOWER("Image") ILIKE '%ncrack%' OR LOWER("Image") ILIKE '%thc-ssl-dos%'
    OR LOWER("CommandLine") ILIKE '%--%flood%'
    OR LOWER("CommandLine") ILIKE '%--syn%'
    OR LOWER("CommandLine") ILIKE '%stress --cpu%'
    OR LOWER("CommandLine") ILIKE '%stress-ng --cpu%'
    OR LOWER("CommandLine") ILIKE '%stress-ng --vm%'
    OR LOWER("CommandLine") ILIKE '%stress-ng --sock%'
    OR LOWER("CommandLine") ILIKE '%:(){ :|:%'
    OR LOWER("CommandLine") ILIKE '%-c 10000%'
    OR LOWER("CommandLine") ILIKE '%--concurrency 5000%'
  )
  AND starttime > NOW() - 3600000
UNION ALL
-- Detection 2: Network flood from single process
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  'NetworkFlood' AS detection_type,
  CONCAT('ConnectionCount=', COUNT(*), ' UniqueDestIPs=', COUNT(DISTINCT destinationip)) AS risk_indicator
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND QIDNAME(qid) = 'Network connection detected'
  AND NOT (destinationip ILIKE '10.%' OR destinationip ILIKE '172.16.%'
    OR destinationip ILIKE '192.168.%' OR destinationip ILIKE '127.%')
  AND starttime > NOW() - 600000
GROUP BY
  logsourceid, sourceip, username, "Image", "CommandLine"
HAVING COUNT(*) > 500
UNION ALL
-- Detection 3: Process spawn exhaustion
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "ParentImage" AS process_image,
  "ParentCommandLine" AS command_line,
  'ProcessSpawnExhaustion' AS detection_type,
  CONCAT('ProcessCount=', COUNT(*), ' UniqueExe=', COUNT(DISTINCT "Image")) AS risk_indicator
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND QIDNAME(qid) = 'Process Create'
  AND starttime > NOW() - 300000
GROUP BY
  logsourceid, sourceip, username, "ParentImage", "ParentCommandLine"
HAVING COUNT(*) > 200 AND COUNT(DISTINCT "Image") < 3
ORDER BY event_time DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM with Sysmon log source (LOGSOURCETYPEID 12) Windows Sysmon Event ID 1 (Process Create) via Universal DSM or Sysmon DSM Windows Sysmon Event ID 3 (Network Connection) via Universal DSM

Required Tables

events (QRadar normalized event table)

False Positives

Developer or QA workstations running Apache Bench or wrk for legitimate API load testing against development servers, triggering the known tool and network flood rules simultaneously
Automated build systems or test pipelines using stress-ng to validate container resource limits or Kubernetes pod autoscaling behavior
Monitoring agents or endpoint security tools that establish high volumes of short-lived network connections during scanning or telemetry collection, exceeding the 500-connection threshold

Sumo Logic CSE

sql

// Detection 1: Known DoS Tool Execution
_sourceCategory="windows/sysmon" EventCode=1
| where Image matches "*hping3*" OR Image matches "*hping.exe*"
  OR Image matches "*stress-ng*" OR Image matches "*memtester*"
  OR Image matches "*ab.exe" OR Image matches "*siege*"
  OR Image matches "*wrk.exe*" OR Image matches "*loic*"
  OR Image matches "*hoic*" OR Image matches "*goldeneye*"
  OR Image matches "*slowloris*" OR Image matches "*torshammer*"
  OR Image matches "*ncrack*" OR Image matches "*thc-ssl-dos*"
  OR CommandLine matches "*--flood*"
  OR CommandLine matches "*--syn*"
  OR CommandLine matches "*stress --cpu*"
  OR CommandLine matches "*stress-ng --cpu*"
  OR CommandLine matches "*stress-ng --vm*"
  OR CommandLine matches "*stress-ng --sock*"
  OR CommandLine matches "*:(){ :|:*"
  OR CommandLine matches "*-c 10000*"
  OR CommandLine matches "*--concurrency 5000*"
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine
| concat(Image, " | ", CommandLine) as RiskIndicator
| "KnownDoSTool" as DetectionType

// Detection 2: Network Flood (run as separate query)
// _sourceCategory="windows/sysmon" EventCode=3
// | where !(DestinationIp matches "10.*" OR DestinationIp matches "172.16.*"
//   OR DestinationIp matches "192.168.*" OR DestinationIp matches "127.*")
// | timeslice 10m
// | stats count as ConnectionCount, dcount(DestinationIp) as UniqueDestIPs,
//         dcount(DestinationPort) as UniqueDestPorts
//   by _timeslice, Computer, User, Image, CommandLine
// | where ConnectionCount > 500
// | concat("ConnectionCount=", ConnectionCount, " UniqueIPs=", UniqueDestIPs) as RiskIndicator
// | "NetworkFlood" as DetectionType

// Detection 3: Process Spawn Exhaustion (run as separate query)
// _sourceCategory="windows/sysmon" EventCode=1
// | timeslice 5m
// | stats count as ProcessCount, dcount(Image) as UniqueExecutables,
//         values(Image) as SpawnedImages
//   by _timeslice, Computer, User, ParentImage, ParentCommandLine
// | where ProcessCount > 200 AND UniqueExecutables < 3
// | concat("ProcessCount=", ProcessCount, " UniqueExe=", UniqueExecutables) as RiskIndicator
// | "ProcessSpawnExhaustion" as DetectionType

high severity high confidence

Data Sources

Sumo Logic with Windows Sysmon collector (EventCode 1 and EventCode 3) Sumo Logic Installed Collector on Windows endpoints with Sysmon operational log source

Required Tables

_sourceCategory=windows/sysmon

False Positives

Security researchers or red team members running controlled stress tests against isolated lab environments using tools like hping3 or siege, which will match known DoS tool names
Large-scale web crawlers, scraping jobs, or integration tests that generate high numbers of outbound HTTP connections within short windows, triggering the network flood threshold
Application servers with a high process fork model (such as pre-fork Apache or uWSGI) that rapidly spawn worker processes on startup or during traffic spikes, triggering the process exhaustion rule

Google Chronicle / SecOps

yaral

rule endpoint_dos_tool_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects execution of known Endpoint DoS tools or command patterns associated with MITRE ATT&CK T1499"
    severity = "HIGH"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499"
    reference = "https://attack.mitre.org/techniques/T1499/"
    created = "2026-04-19"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.principal.process.file.full_path, `(?i)(hping3|hping\.exe|stress-ng|memtester|ab\.exe|siege\.exe|wrk\.exe|wrk2|loic\.exe|hoic\.exe|goldeneye|slowloris|torshammer|ncrack|thc-ssl-dos|xerxes|rudy|pyloris|hulk)`) or
      re.regex($e.target.process.command_line, `(?i)(--flood|--syn\s|stress\s--cpu|stress-ng\s--cpu|stress-ng\s--vm|stress-ng\s--sock|:\(\)\{\s:\|:|fork bomb|-c\s10000|--concurrency\s5000)`) or
      re.regex($e.target.process.file.full_path, `(?i)(hping3|hping\.exe|stress-ng|memtester|ab\.exe|siege\.exe|wrk\.exe|loic\.exe|hoic\.exe|goldeneye|slowloris|torshammer|ncrack|thc-ssl-dos)`)
    )
  condition:
    $e
}

rule endpoint_dos_network_flood {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects abnormal outbound network connection volume from a single process indicating a potential DoS flood attack — T1499"
    severity = "HIGH"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499"
    reference = "https://attack.mitre.org/techniques/T1499/"
    created = "2026-04-19"
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    not re.regex($e.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)
    $hostname = $e.principal.hostname
    $proc = $e.principal.process.file.full_path
  match:
    $hostname, $proc over 10m
  outcome:
    $connection_count = count_distinct($e.metadata.id)
    $unique_dest_ips = count_distinct($e.target.ip)
    $unique_dest_ports = count_distinct($e.target.port)
    $risk_indicator = array_distinct($e.target.ip)
  condition:
    #e > 500
}

rule endpoint_dos_process_exhaustion {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects rapid process spawning from a single parent indicative of fork bomb or process exhaustion attack — T1499"
    severity = "CRITICAL"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499"
    reference = "https://attack.mitre.org/techniques/T1499/"
    created = "2026-04-19"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $parent_proc = $e.principal.process.file.full_path
    $hostname = $e.principal.hostname
    $child_exe = $e.target.process.file.full_path
  match:
    $hostname, $parent_proc over 5m
  outcome:
    $spawn_count = count_distinct($e.metadata.id)
    $unique_child_exe = count_distinct($child_exe)
  condition:
    #e > 200 and $unique_child_exe < 3
}

high severity high confidence

Data Sources

Google Chronicle UDM with EDR telemetry (CrowdStrike, Carbon Black, SentinelOne, or Microsoft Defender) Chronicle Ingestion API or forwarder with endpoint process and network events UDM event types: PROCESS_LAUNCH, NETWORK_CONNECTION

Required Tables

UDM events (process_launch, network_connection)

False Positives

Authorized penetration testers using hping3 or siege as part of a scoped engagement — process names will match the known tool list without malicious intent
Network performance monitoring tools or synthetic transaction monitors that generate high outbound connection volumes to external SaaS endpoints for availability checks
High-concurrency application servers (Erlang/OTP, Go goroutine-heavy services, or Node.js cluster mode) that spawn numerous short-lived processes or threads during normal operation, triggering the spawn count threshold

CrowdStrike LogScale (CQL)

cql

// Detection 1: Known DoS Tool Execution
#event_simpleName=ProcessRollup2
| FileName = /hping3|hping\.exe|stress-ng|memtester|ab\.exe|siege|wrk\.exe|wrk2|loic|hoic|goldeneye|slowloris|torshammer|ncrack|thc-ssl-dos|xerxes|rudy|pyloris|hulk/i
  OR CommandLine = /--flood|--syn\s|stress\s--cpu|stress-ng\s--cpu|stress-ng\s--vm|stress-ng\s--sock|:\(\)\{\s:\|:|-c\s10000|--concurrency\s5000/i
| groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName],
    function=[
      count(as=EventCount),
      selectLast(ParentCommandLine),
      selectLast(timestamp, as=LastSeen)
    ]
  )
| DetectionType := "KnownDoSTool"
| RiskIndicator := format("Process=%s | Args=%s", field=FileName, field=CommandLine)
| sort(LastSeen, order=desc)

// Detection 2: Network Flood — high outbound connection count from a single process
// (run as separate query)
// #event_simpleName=NetworkConnectIP4
// | LocalAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
// | groupBy([ComputerName, ImageFileName, UserName],
//     function=[
//       count(as=ConnectionCount),
//       count(RemoteAddressIP4, distinct=true, as=UniqueDestIPs),
//       count(RemotePort, distinct=true, as=UniqueDestPorts)
//     ],
//     limit=max,
//     start=now()-10min
//   )
// | ConnectionCount > 500
// | DetectionType := "NetworkFlood"
// | RiskIndicator := format("ConnectionCount=%s UniqueIPs=%s", field=ConnectionCount, field=UniqueDestIPs)
// | sort(ConnectionCount, order=desc)

// Detection 3: Process Spawn Exhaustion
// (run as separate query)
// #event_simpleName=ProcessRollup2
// | groupBy([ComputerName, ParentBaseFileName, UserName],
//     function=[
//       count(as=ProcessCount),
//       count(FileName, distinct=true, as=UniqueExecutables),
//       collect(FileName, max=10, as=SpawnedExecutables)
//     ],
//     limit=max,
//     start=now()-5min
//   )
// | ProcessCount > 200 AND UniqueExecutables < 3
// | DetectionType := "ProcessSpawnExhaustion"
// | RiskIndicator := format("ProcessCount=%s UniqueExe=%s", field=ProcessCount, field=UniqueExecutables)
// | sort(ProcessCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR with LogScale (Humio) integration Falcon event streams: ProcessRollup2, NetworkConnectIP4

Required Tables

ProcessRollup2 (#event_simpleName=ProcessRollup2) NetworkConnectIP4 (#event_simpleName=NetworkConnectIP4)

False Positives

IT operations teams running wrk or Apache Bench (ab) against internal web servers for capacity planning or pre-deployment performance validation, matching both tool name and connection volume rules
Security tooling such as vulnerability scanners or asset inventory agents that enumerate services via high-volume short-lived TCP connections, exceeding the 500-connection threshold
Containerized workloads or serverless function runners (Lambda emulators, Docker-in-Docker) that spawn many identical worker container processes in rapid succession, triggering the process spawn exhaustion rule with low unique executable diversity

Last updated: 2026-04-19 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1499 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Endpoint Denial of Service

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Same Tactic: Impact

Popular Detections