T1499.001

OS Exhaustion Flood

Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). OS exhaustion floods do not need to deplete physical hardware resources—they exhaust OS-imposed limits on concurrent connections and state tracking. SYN floods send excessive TCP SYN packets without completing the three-way handshake, filling the OS half-open connection backlog queue and preventing new legitimate TCP connections from being established. ACK floods send packets referencing non-existent connections, forcing the OS to perform a full TCP state table search for each packet, causing CPU and memory exhaustion that degrades or stops service. Both techniques can render any TCP-based service unavailable on the targeted endpoint.

Microsoft Sentinel / Defender

kusto

// Detect OS Exhaustion Flood — SYN floods, ACK floods, TCP state exhaustion
// Branch 1: Network security device alerts via CommonSecurityLog (Firewall, IDS, IPS)
let FloodSignatures = dynamic([
    "syn flood", "ack flood", "tcp flood", "tcp state exhaustion",
    "half-open", "connection table full", "syn attack", "synflood",
    "tcp exhaustion", "possible syn flooding", "syn cookie",
    "incomplete handshake", "dos tcp", "ddos tcp"
]);
let NWSAlerts = CommonSecurityLog
| where TimeGenerated > ago(1h)
| where Activity has_any (FloodSignatures)
    or Message has_any (FloodSignatures)
    or DeviceEventClassID has_any ("DOS", "DDOS", "FLOOD", "SYN_ATTACK", "TCP_EXHAUST")
| extend AttackType = case(
    Activity has_any ("syn flood", "syn attack", "synflood") or Message has_any ("syn flood", "syn attack"),
        "SYN Flood",
    Activity has_any ("ack flood") or Message has_any ("ack flood"),
        "ACK Flood",
    Activity has_any ("tcp flood", "tcp exhaustion") or Message has_any ("tcp exhaustion", "tcp flood"),
        "TCP State Exhaustion",
    Message has_any ("half-open", "connection table full"),
        "Half-Open Queue Exhaustion",
    "OS Exhaustion Flood"
)
| extend TargetAsset = coalesce(DestinationHostName, DestinationIP, "Unknown")
| extend SourceLabel = "network-device"
| summarize
    AlertCount = count(),
    UniqueSourceIPs = dcount(SourceIP),
    SourceIPSample = make_set(SourceIP, 10),
    TargetPorts = make_set(DestinationPort, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    AttackTypes = make_set(AttackType, 5)
  by TargetAsset, DeviceVendor, DeviceProduct, SourceLabel
| extend DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| extend IsDDoS = iff(UniqueSourceIPs > 10, true, false)
| project FirstSeen, LastSeen, DurationMinutes, TargetAsset, AttackTypes,
    AlertCount, UniqueSourceIPs, SourceIPSample, TargetPorts,
    IsDDoS, DeviceVendor, DeviceProduct, SourceLabel;
// Branch 2: Linux kernel TCP SYN flood and conntrack table exhaustion via Syslog
let KernelAlerts = Syslog
| where TimeGenerated > ago(1h)
| where Facility == "kern"
| where SyslogMessage has_any (
    "TCP: request_sock_TCP:",
    "Possible SYN flooding on port",
    "sending cookies",
    "TCP: drop open request from",
    "nf_conntrack: table full, dropping packet",
    "ip_conntrack: table full, dropping packet",
    "possible SYN attack",
    "TCP: too many of orphaned sockets"
)
| extend AttackType = case(
    SyslogMessage has_any ("SYN flooding", "SYN attack", "sending cookies", "request_sock_TCP"),
        "SYN Flood - Linux Kernel Alert",
    SyslogMessage has_any ("nf_conntrack", "ip_conntrack"),
        "Connection Tracking Table Full",
    SyslogMessage has "orphaned sockets",
        "TCP Orphaned Socket Exhaustion",
    "TCP State Exhaustion - Linux Kernel"
)
| summarize
    AlertCount = count(),
    UniqueSourceIPs = int(0),
    SourceIPSample = dynamic([]),
    TargetPorts = dynamic([]),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    AttackTypes = make_set(AttackType, 5)
  by TargetAsset = Computer, DeviceVendor = "Linux", DeviceProduct = "Kernel TCP Stack",
     SourceLabel = "linux-kernel"
| extend DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| extend IsDDoS = false
| project FirstSeen, LastSeen, DurationMinutes, TargetAsset, AttackTypes,
    AlertCount, UniqueSourceIPs, SourceIPSample, TargetPorts,
    IsDDoS, DeviceVendor, DeviceProduct, SourceLabel;
NWSAlerts
| union KernelAlerts
| where AlertCount >= 3
| sort by AlertCount desc

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Network Traffic: Network Traffic Content Sensor Health: Host Status CommonSecurityLog from network devices (Firewall, IDS, IPS) Syslog from Linux kernel

Required Tables

CommonSecurityLog Syslog

False Positives

Legitimate high-traffic web servers receiving organic traffic spikes from CDN edge nodes, load testing campaigns, or major product launches can trigger connection count thresholds in IPS/IDS signatures
Network security scanners and vulnerability assessment tools (Nessus, Qualys, Rapid7, nmap) performing broad TCP port scans may generate SYN flood-like signatures on IPS/IDS devices when run at high rates
Cloud auto-scaling events and health check storms from load balancers (AWS ELB, Azure Application Gateway) can produce connection bursts that resemble early-stage floods from the perspective of perimeter devices
Misconfigured network monitoring tools performing high-frequency TCP keepalive probes may trigger half-open connection alerts on target systems
Software bugs causing TCP connection leaks or aggressive retry storms in microservices can mimic flood patterns, especially triggering Linux kernel nf_conntrack table full warnings in high-throughput environments

Splunk

spl

// Detect OS Exhaustion Flood via syslog kernel messages and network device alerts
// Branch 1: Linux kernel SYN flood and connection tracking exhaustion
(
    (index=linux_logs OR index=syslog OR index=os) sourcetype=syslog facility=kern
    | eval message=lower(_raw)
    | eval SYNFloodKernel=if(match(message, "(possible syn flooding|tcp: request_sock_tcp|sending cookies|tcp: drop open request|possible syn attack|syn attack)"), 1, 0)
    | eval ConnTrackFull=if(match(message, "(nf_conntrack.*table full|ip_conntrack.*table full|connection tracking.*full)"), 1, 0)
    | eval OrphanedSockets=if(match(message, "(tcp.*orphaned|orphaned sockets.*exceeded)"), 1, 0)
    | eval SuspicionScore=SYNFloodKernel + ConnTrackFull + OrphanedSockets
    | where SuspicionScore > 0
    | eval AttackType=case(
        SYNFloodKernel=1, "SYN Flood - Linux Kernel Alert",
        ConnTrackFull=1, "Connection Tracking Table Full",
        OrphanedSockets=1, "TCP Orphaned Socket Exhaustion",
        true(), "OS TCP Exhaustion"
      )
    | eval DataSource="linux-kernel"
    | table _time, host, AttackType, DataSource, _raw, SYNFloodKernel, ConnTrackFull, OrphanedSockets, SuspicionScore
)
| append [
    // Branch 2: Network device flood detection (Cisco ASA, Palo Alto, Juniper, CheckPoint, Fortinet)
    (index=network OR index=firewall OR index=ids OR index=ips)
        (sourcetype=cisco:asa OR sourcetype="pan:threat" OR sourcetype="pan:traffic"
         OR sourcetype=juniper:junos OR sourcetype=checkpoint:syslog
         OR sourcetype=fortigate_traffic OR sourcetype=syslog)
    | eval message=lower(_raw)
    | eval SYNFloodNW=if(match(message, "(syn flood|syn attack|synflood|syn-flood|half-open.*exceed)"), 1, 0)
    | eval ACKFloodNW=if(match(message, "(ack flood|ack attack|ackflood|ack-flood)"), 1, 0)
    | eval TCPExhaustionNW=if(match(message, "(tcp.*exhaust|tcp.*state.*exhaust|connection.*table.*full|tcp.*flood|dos.*tcp|ddos.*tcp|tcp.*half.open)"), 1, 0)
    | eval SuspicionScore=SYNFloodNW + ACKFloodNW + TCPExhaustionNW
    | where SuspicionScore > 0
    | eval AttackType=case(
        SYNFloodNW=1 AND ACKFloodNW=0, "SYN Flood - Network Device Alert",
        ACKFloodNW=1 AND SYNFloodNW=0, "ACK Flood - Network Device Alert",
        SYNFloodNW=1 AND ACKFloodNW=1, "Combined SYN/ACK Flood",
        TCPExhaustionNW=1, "TCP State Exhaustion - Network Device Alert",
        true(), "OS Exhaustion Flood"
      )
    | eval DataSource="network-device"
    | table _time, host, AttackType, DataSource, _raw, SYNFloodNW, ACKFloodNW, TCPExhaustionNW, SuspicionScore
]
| stats count as AlertCount, values(AttackType) as AttackTypes, max(SuspicionScore) as MaxScore,
    earliest(_time) as FirstSeen, latest(_time) as LastSeen
  by host, DataSource
| where AlertCount >= 3
| eval DurationSeconds=LastSeen - FirstSeen
| table FirstSeen, LastSeen, DurationSeconds, host, AttackTypes, AlertCount, MaxScore, DataSource
| sort - AlertCount

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Network Traffic: Network Traffic Content Linux syslog kernel messages Network device logs (firewall, IPS, IDS)

Required Sourcetypes

syslog cisco:asa pan:threat juniper:junos checkpoint:syslog fortigate_traffic

False Positives

Legitimate high-traffic web servers receiving organic traffic spikes from CDN edge nodes, load testing campaigns, or major product launches can trigger connection count thresholds in IPS/IDS signatures
Network security scanners and vulnerability assessment tools (Nessus, Qualys, Rapid7, nmap) performing broad TCP port scans at high rates generate SYN flood-like signatures on perimeter network devices
Cloud auto-scaling events and health check storms from load balancers can produce connection bursts that resemble early-stage floods, especially triggering Linux kernel nf_conntrack table full warnings
Misconfigured network monitoring tools performing high-frequency TCP keepalive probes may trigger half-open connection alerts and SYN flood signatures on IDS/IPS devices
Software-level TCP connection leaks or aggressive retry loops in microservices can mimic OS-level flood conditions, generating identical kernel log messages without an external attacker

Elastic Security (EQL)

eql

// OS Exhaustion Flood — SYN/ACK floods, TCP state exhaustion via Elastic EQL
// Branch 1: Linux kernel syslog messages indicating SYN flood or conntrack exhaustion
any where event.dataset == "system.syslog"
  and (
    message like~ "*possible syn flooding*"
    or message like~ "*tcp: request_sock_tcp*"
    or message like~ "*sending cookies*"
    or message like~ "*tcp: drop open request*"
    or message like~ "*nf_conntrack*table full*"
    or message like~ "*ip_conntrack*table full*"
    or message like~ "*possible syn attack*"
    or message like~ "*tcp*orphaned*"
  )

// Branch 2: Network device flood alerts via firewall/IDS logs
any where event.category == "network"
  and event.dataset in ("cisco_asa.log", "paloalto_panos.firewall", "fortinet.firewall", "juniper.junos", "checkpoint.firewall")
  and (
    message like~ "*syn flood*"
    or message like~ "*ack flood*"
    or message like~ "*tcp flood*"
    or message like~ "*half-open*exceed*"
    or message like~ "*tcp*exhaustion*"
    or message like~ "*connection table full*"
    or message like~ "*synflood*"
    or message like~ "*syn attack*"
    or message like~ "*dos tcp*"
    or message like~ "*ddos tcp*"
  )

// Branch 3: Sequence — rapid repeated inbound TCP connections from many sources to same target (sensor data)
sequence by destination.ip with maxspan=1m
  [network where network.transport == "tcp" and network.direction == "inbound"
   and not source.ip == destination.ip] with runs=500

high severity medium confidence

Data Sources

Linux syslog (kern facility) Cisco ASA Palo Alto Networks NGFW Fortinet FortiGate Juniper JunOS Check Point firewall Network packet capture (Packetbeat)

Required Tables

logs-system.syslog-* logs-cisco_asa.log-* logs-paloalto_panos.firewall-* logs-fortinet.firewall-* logs-network_traffic.*

False Positives

Legitimate high-traffic web services experiencing flash crowd events may trigger the high-volume TCP connection sequence rule
Load testing tools (e.g., hping3, ab, wrk) used by internal performance teams against dev/staging endpoints will match SYN flood kernel messages
Misconfigured conntrack table sizes on low-memory virtual machines may log 'nf_conntrack: table full' during normal peak traffic without active attack

IBM QRadar (AQL)

sql

// OS Exhaustion Flood — SYN/ACK floods, TCP state exhaustion via IBM QRadar AQL
// Branch 1: Syslog kernel flood indicators and conntrack exhaustion
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(endtime), 'YYYY-MM-dd HH:mm:ss') AS LastSeen,
  sourceip AS SourceIP,
  destinationip AS TargetIP,
  destinationport AS TargetPort,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN LOWER(UTF8(payload)) MATCHES '.*syn flood.*|.*syn attack.*|.*synflood.*|.*request_sock_tcp.*|.*sending cookies.*' THEN 'SYN Flood'
    WHEN LOWER(UTF8(payload)) MATCHES '.*ack flood.*|.*ack attack.*|.*ackflood.*' THEN 'ACK Flood'
    WHEN LOWER(UTF8(payload)) MATCHES '.*nf_conntrack.*table full.*|.*ip_conntrack.*table full.*|.*connection table full.*' THEN 'ConnTrack Table Full'
    WHEN LOWER(UTF8(payload)) MATCHES '.*half.open.*exceed.*|.*tcp.*exhaust.*' THEN 'TCP State Exhaustion'
    WHEN LOWER(UTF8(payload)) MATCHES '.*tcp.*orphaned.*' THEN 'TCP Orphaned Socket Exhaustion'
    ELSE 'OS Exhaustion Flood'
  END AS AttackType,
  COUNT(*) AS AlertCount
FROM events
WHERE
  starttime > NOW() - 3600000
  AND (
    (
      devicetype IN (SELECT id FROM device_type_definition WHERE name LIKE '%Syslog%')
      AND (
        LOWER(UTF8(payload)) MATCHES '.*possible syn flooding.*'
        OR LOWER(UTF8(payload)) MATCHES '.*tcp: request_sock_tcp.*'
        OR LOWER(UTF8(payload)) MATCHES '.*sending cookies.*'
        OR LOWER(UTF8(payload)) MATCHES '.*nf_conntrack.*table full.*'
        OR LOWER(UTF8(payload)) MATCHES '.*ip_conntrack.*table full.*'
        OR LOWER(UTF8(payload)) MATCHES '.*tcp.*orphaned.*'
        OR LOWER(UTF8(payload)) MATCHES '.*possible syn attack.*'
      )
    )
    OR
    (
      category IN (
        SELECT id FROM categories WHERE name LIKE '%Denial of Service%'
          OR name LIKE '%Flood%'
          OR name LIKE '%SYN%'
      )
      OR QIDNAME(qid) ILIKE '%syn flood%'
      OR QIDNAME(qid) ILIKE '%ack flood%'
      OR QIDNAME(qid) ILIKE '%tcp flood%'
      OR QIDNAME(qid) ILIKE '%tcp exhaustion%'
      OR QIDNAME(qid) ILIKE '%connection table%'
      OR LOWER(UTF8(payload)) MATCHES '.*(syn.flood|ack.flood|tcp.flood|tcp.exhaust|half.open|synflood|dos.*tcp|ddos.*tcp).*'
    )
  )
GROUP BY
  sourceip, destinationip, destinationport, logsourceid, category, qid
HAVING AlertCount >= 3
ORDER BY AlertCount DESC

high severity medium confidence

Data Sources

Linux syslog (kern facility) via QRadar Syslog DSM Cisco ASA DSM Palo Alto Networks DSM Juniper Networks DSM Fortinet FortiGate DSM Check Point FireWall-1 DSM Generic Firewall / IDS / IPS DSMs

Required Tables

events

False Positives

Security scanners and vulnerability assessment tools (Nessus, Qualys) performing TCP port scans against internal assets may generate half-open connection log entries resembling SYN flood indicators
Cloud load balancers performing health checks at high frequency against backend servers can trigger connection table threshold alerts on under-provisioned hosts
Legitimate traffic spikes during marketing events or product launches may cause transient conntrack table exhaustion on VMs with default nf_conntrack limits

Sumo Logic CSE

sql

// OS Exhaustion Flood — SYN/ACK floods, TCP state exhaustion via Sumo Logic
// Branch 1: Linux kernel syslog flood and conntrack messages
(_sourceCategory=linux/syslog OR _sourceCategory=os/linux OR _sourceCategory=syslog)
facility=kern
| parse regex "(?P<kernel_msg>(?:TCP: request_sock_TCP|Possible SYN flooding|sending cookies|TCP: drop open request|nf_conntrack.*table full|ip_conntrack.*table full|possible SYN attack|TCP.*orphaned).*)"
| eval AttackType = if(matches(kernel_msg, "(?i)syn.flood|syn.attack|request_sock_tcp|sending cookies"), "SYN Flood - Linux Kernel",
    if(matches(kernel_msg, "(?i)nf_conntrack.*table full|ip_conntrack.*table full"), "ConnTrack Table Full",
    if(matches(kernel_msg, "(?i)orphaned"), "TCP Orphaned Socket Exhaustion",
    "TCP State Exhaustion - Linux")))
| eval DataSource = "linux-kernel"
| fields _time, _sourceHost, AttackType, DataSource, kernel_msg

// Branch 2: Network device flood alerts (firewall, IDS, IPS)
(_sourceCategory=network/firewall OR _sourceCategory=network/ids OR _sourceCategory=network/ips OR _sourceCategory=network/cisco OR _sourceCategory=network/paloalto)
| eval msg_lower = toLowerCase(_raw)
| eval SYNFlood   = if(matches(msg_lower, "syn.flood|syn.attack|synflood|half.open.*exceed"), 1, 0)
| eval ACKFlood   = if(matches(msg_lower, "ack.flood|ack.attack|ackflood"), 1, 0)
| eval TCPExhaust = if(matches(msg_lower, "tcp.*exhaust|connection.*table.*full|tcp.*flood|dos.*tcp|ddos.*tcp"), 1, 0)
| where SYNFlood + ACKFlood + TCPExhaust > 0
| eval AttackType = if(SYNFlood=1 AND ACKFlood=0, "SYN Flood - Network Device",
    if(ACKFlood=1 AND SYNFlood=0, "ACK Flood - Network Device",
    if(SYNFlood=1 AND ACKFlood=1, "Combined SYN/ACK Flood",
    if(TCPExhaust=1, "TCP State Exhaustion - Network Device",
    "OS Exhaustion Flood"))))
| eval DataSource = "network-device"
| fields _time, _sourceHost, AttackType, DataSource, SYNFlood, ACKFlood, TCPExhaust

// Aggregate both branches together
| count as AlertCount, values(AttackType) as AttackTypes by _sourceHost, DataSource
| where AlertCount >= 3
| sort by AlertCount desc

high severity medium confidence

Data Sources

Linux syslog kern facility Cisco ASA syslog Palo Alto Networks NGFW logs Fortinet FortiGate logs Juniper SRX/JunOS logs Snort/Suricata IDS/IPS logs Check Point firewall logs

Required Tables

linux/syslog os/linux network/firewall network/ids network/ips

False Positives

Containerized applications using host networking on low-memory nodes may intermittently exhaust nf_conntrack tables during normal high-concurrency workloads, producing kernel log entries without an active attack
Internal red team or penetration testing exercises using hping3 or nmap SYN scan modes against authorized targets will match SYN flood signatures
Network monitoring systems (SNMP pollers, Zabbix agents) performing frequent TCP checks against many hosts simultaneously can generate half-open connection patterns on intermediate firewalls

Google Chronicle / SecOps

yaral

rule os_exhaustion_flood_t1499_001 {
  meta:
    author = "df00tech"
    description = "Detects OS Exhaustion Flood attacks (T1499.001) — SYN floods, ACK floods, TCP state exhaustion via Linux kernel syslog and network device alerts"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1499/001/"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499.001"
    false_positives = "Load testing, penetration testing, misconfigured conntrack limits on VMs"

  events:
    // Match Linux kernel syslog SYN flood or conntrack exhaustion indicators
    $kernel_event.metadata.event_type = "GENERIC_EVENT"
    $kernel_event.metadata.product_name = "Linux"
    $kernel_event.principal.hostname = $target_host
    (
      re.regex($kernel_event.metadata.description, `(?i)(possible syn flooding|tcp: request_sock_tcp|sending cookies|tcp: drop open request|nf_conntrack.*table full|ip_conntrack.*table full|possible syn attack|tcp.*orphaned)`)
      or re.regex($kernel_event.target.labels["syslog_message"], `(?i)(possible syn flooding|tcp: request_sock_tcp|sending cookies|nf_conntrack.*table full|ip_conntrack.*table full|orphaned sockets)`)
    )

    // Match network device flood alerts (firewall/IDS)
    $nw_event.metadata.event_type = "NETWORK_CONNECTION"
    $nw_event.target.hostname = $target_host
    (
      re.regex($nw_event.metadata.description, `(?i)(syn.flood|ack.flood|tcp.flood|syn.attack|synflood|half.open|tcp.*exhaust|connection.*table.*full|dos.*tcp|ddos.*tcp)`)
      or $nw_event.security_result.category_details = /(?i)(syn.flood|ack.flood|tcp.*flood|tcp.*exhaust)/
      or $nw_event.security_result.threat_name = /(?i)(syn.?flood|ack.?flood|tcp.?exhaust)/
    )

  match:
    $target_host over 1h

  condition:
    // Fire if we see either kernel alert or network device alert (low threshold — these are high-confidence kernel messages)
    $kernel_event or ($nw_event and #nw_event >= 3)
}

high severity medium confidence

Data Sources

Linux OS syslog (kern facility) via Chronicle ingestion Cisco ASA via Chronicle ingestion Palo Alto Networks Cortex Data Lake Fortinet FortiGate via Chronicle Juniper SRX via Chronicle Generic network IDS/IPS UDM events

Required Tables

UDM Events (GENERIC_EVENT) UDM Events (NETWORK_CONNECTION)

False Positives

Internal stress testing or chaos engineering exercises against production infrastructure may trigger Linux kernel SYN cookie messages without an external attacker
Firewalls with aggressive DoS profile thresholds configured below traffic baselines will fire on legitimate bursty traffic from CDN edge nodes or API clients
Virtual machines with auto-scaling misconfigurations receiving initial traffic bursts before conntrack limits are adjusted may briefly exhaust the connection tracking table

CrowdStrike LogScale (CQL)

cql

// OS Exhaustion Flood — T1499.001 via CrowdStrike LogScale / Falcon CQL
// Branch 1: Detect process-level flood tool execution on endpoints
// (hping3, nmap SYN flood, scapy-based tools, THC-SSL-DoS)
#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(hping3?|nmap|scapy|t50|ostinato|mz|loic|hoic)/
  OR CommandLine = /(?i)(--syn|--flood|--rand-source|--send-eth|SYN.*flood|ACK.*flood|-pS.*-sS|syncookies)/
| eval AttackType = case(
    match(CommandLine, "(?i)--syn.*--flood|syn.*flood"), "SYN Flood Tool Execution",
    match(CommandLine, "(?i)--ack.*flood|ack.*flood"), "ACK Flood Tool Execution",
    match(ImageFileName, "(?i)hping"), "hping TCP Flood Tool",
    match(ImageFileName, "(?i)loic|hoic"), "DoS Tool Execution",
    "TCP Flood Tool Execution"
  )
| eval DataSource = "endpoint-process"
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, AttackType, DataSource], function=count(as=EventCount))
| where EventCount >= 1

// Branch 2: CrowdStrike Falcon detection events for DoS/flood alerts
#event_simpleName = DetectionSummaryEvent
| Technique = "OS Exhaustion Flood"
  OR TacticAndTechnique = /(?i)T1499/
  OR DetectDescription = /(?i)(syn.flood|ack.flood|tcp.flood|tcp.*exhaust|dos.*tcp)/
| eval AttackType = "CrowdStrike Falcon DoS Detection"
| eval DataSource = "falcon-detection"
| groupBy([ComputerName, UserName, DetectDescription, Severity, AttackType, DataSource], function=count(as=EventCount))

// Branch 3: Network traffic volume spike indicating flood from endpoint
// High outbound TCP connection rate within short window
#event_simpleName = NetworkConnectIP4
| Protocol = "TCP"
| groupBy([ComputerName, RemoteAddressIP4, RemotePort], function=[count(as=ConnectionCount), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen)])
| eval DurationMs = LastSeen - FirstSeen
| where ConnectionCount >= 500 AND DurationMs <= 60000
| eval AttackType = "High-Rate Outbound TCP Connection Flood"
| eval DataSource = "endpoint-network"
| where ConnectionCount >= 500
| sort(ConnectionCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Agent (ProcessRollup2) CrowdStrike Falcon Network Telemetry (NetworkConnectIP4) CrowdStrike Falcon Detection Events (DetectionSummaryEvent)

Required Tables

ProcessRollup2 NetworkConnectIP4 DetectionSummaryEvent

False Positives

Authorized penetration testers or red team operators executing hping3 or nmap SYN flood commands against agreed targets will match process execution rules
Network performance testing tools used by infrastructure engineers to benchmark TCP throughput will trigger the high-rate outbound TCP connection rule
Continuous integration pipelines that spin up many parallel test containers and establish rapid TCP connections to test services may exceed the 500-connection threshold within 60 seconds

Last updated: 2026-04-20 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1499.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1499Endpoint Denial of Service

Related Sub-techniques

T1499.002Service Exhaustion Flood T1499.003Application Exhaustion Flood T1499.004Application or System Exploitation

OS Exhaustion Flood

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections