Detect OS Exhaustion Flood in CrowdStrike LogScale

Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). OS exhaustion floods do not need to deplete physical hardware resources—they exhaust OS-imposed limits on concurrent connections and state tracking. SYN floods send excessive TCP SYN packets without completing the three-way handshake, filling the OS half-open connection backlog queue and preventing new legitimate TCP connections from being established. ACK floods send packets referencing non-existent connections, forcing the OS to perform a full TCP state table search for each packet, causing CPU and memory exhaustion that degrades or stops service. Both techniques can render any TCP-based service unavailable on the targeted endpoint.

MITRE ATT&CK

  Tactic: Impact
  Technique: T1499 Endpoint Denial of Service
  Sub-technique: T1499.001 OS Exhaustion Flood
  Canonical reference: https://attack.mitre.org/techniques/T1499/001/

LogScale Detection Query

// OS Exhaustion Flood — T1499.001 via CrowdStrike LogScale / Falcon CQL
// The three branches below are independent queries: run each one on its own
// (for example as three saved alerts); CQL does not union separate pipelines.

// Branch 1: Detect process-level flood tool execution on endpoints
// (hping3, nmap SYN flood, scapy-based tools, THC-SSL-DoS)
// Tool names are anchored to the executable's basename so that short tokens
// such as "mz" or "t50" cannot match arbitrary substrings of a path.
#event_simpleName=ProcessRollup2
| ImageFileName=/(?i)(^|[\\\/])(hping3?|nmap|scapy|t50|ostinato|mz|loic|hoic)(\.exe)?$/
  OR CommandLine=/(?i)(--syn|--flood|--rand-source|--send-eth|SYN.*flood|ACK.*flood|-pS.*-sS|syncookies)/
| case {
    CommandLine=/(?i)--syn.*--flood|syn.*flood/ | AttackType := "SYN Flood Tool Execution";
    CommandLine=/(?i)--ack.*flood|ack.*flood/   | AttackType := "ACK Flood Tool Execution";
    ImageFileName=/(?i)hping/                   | AttackType := "hping TCP Flood Tool";
    ImageFileName=/(?i)loic|hoic/               | AttackType := "DoS Tool Execution";
    * | AttackType := "TCP Flood Tool Execution";
  }
| DataSource := "endpoint-process"
// Every group produced by groupBy has at least one event, so no EventCount filter is needed.
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, AttackType, DataSource], function=count(as=EventCount))

// Branch 2: CrowdStrike Falcon detection events for DoS/flood alerts
#event_simpleName=DetectionSummaryEvent
| Technique="OS Exhaustion Flood"
  OR TacticAndTechnique=/(?i)T1499/
  OR DetectDescription=/(?i)(syn.flood|ack.flood|tcp.flood|tcp.*exhaust|dos.*tcp)/
| AttackType := "CrowdStrike Falcon DoS Detection"
| DataSource := "falcon-detection"
| groupBy([ComputerName, UserName, DetectDescription, Severity, AttackType, DataSource], function=count(as=EventCount))

// Branch 3: Network traffic volume spike indicating flood from endpoint
// High outbound TCP connection rate within short window.
// Falcon records Protocol as the IANA protocol number (6 = TCP), and
// @timestamp is in milliseconds, so DurationMs <= 60000 is a 60-second window.
#event_simpleName=NetworkConnectIP4
| Protocol=6
| groupBy([ComputerName, RemoteAddressIP4, RemotePort], function=[count(as=ConnectionCount), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen)])
| DurationMs := LastSeen - FirstSeen
| ConnectionCount >= 500 AND DurationMs <= 60000
| AttackType := "High-Rate Outbound TCP Connection Flood"
| DataSource := "endpoint-network"
| sort(ConnectionCount, order=desc)

Severity: high. Confidence: medium.

Detects OS Exhaustion Flood (T1499.001) from CrowdStrike Falcon telemetry across three detection branches: (1) process execution of known SYN/ACK flood tools (hping3, nmap flood modes, LOIC/HOIC) with flood-specific CLI flags, (2) Falcon detection events tagged to the T1499 technique, and (3) anomalous high-rate outbound TCP connection volume from endpoints suggesting participation in or initiation of a flood attack.
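As an added example (not the page's own code), Branch 3's aggregation in plain Python over constructed NetworkConnectIP4-style records, with an allowlist parameter for the CI runners and benchmark hosts called out under False Positives; Protocol is assumed to be the numeric IANA value Falcon records, and all hosts and timestamps are made up.

```python
from collections import defaultdict

BASE_MS = 1_714_557_600_000  # constructed epoch ms for 2024-05-01T10:00:00Z

# Constructed NetworkConnectIP4-style records (not real Falcon telemetry):
# (ComputerName, RemoteAddressIP4, RemotePort, Protocol, @timestamp in ms).
# Protocol is assumed to be the IANA number Falcon records (6 = TCP, 17 = UDP).
SAMPLE_EVENTS = (
    # host-a: 600 TCP connects to one peer within 30 s -> matches Branch 3
    [("host-a", "10.0.0.5", 443, 6, BASE_MS + i * 50) for i in range(600)]
    # host-b: 600 connects spread over ~10 min -> outside the 60 s window
    + [("host-b", "10.0.0.5", 443, 6, BASE_MS + i * 1000) for i in range(600)]
    # host-c: only 50 connects -> below the count threshold
    + [("host-c", "10.0.0.9", 80, 6, BASE_MS + i * 10) for i in range(50)]
    # host-d: UDP, excluded by the Protocol filter
    + [("host-d", "10.0.0.7", 53, 17, BASE_MS + i * 10) for i in range(700)]
)


def detect_outbound_tcp_flood(events, threshold=500, window_ms=60_000, allowlist=()):
    """Python equivalent of Branch 3: group by (host, peer, port), count the
    connects, and flag groups with >= threshold connects inside window_ms.
    allowlist holds ComputerNames of known high-rate sources (CI runners,
    throughput-benchmark hosts) that would otherwise trip the rule."""
    groups = defaultdict(list)
    for host, peer, port, proto, ts in events:
        if proto != 6 or host in allowlist:
            continue
        groups[(host, peer, port)].append(ts)
    alerts = []
    for (host, peer, port), stamps in groups.items():
        count, duration = len(stamps), max(stamps) - min(stamps)
        if count >= threshold and duration <= window_ms:
            alerts.append({"ComputerName": host, "RemoteAddressIP4": peer,
                           "RemotePort": port, "ConnectionCount": count,
                           "DurationMs": duration,
                           "AttackType": "High-Rate Outbound TCP Connection Flood"})
    # Same ordering as sort(ConnectionCount, order=desc)
    return sorted(alerts, key=lambda a: a["ConnectionCount"], reverse=True)
```

Lowering the threshold or widening the window changes which constructed hosts alert, which is a quick way to reason about the tuning trade-offs before editing the saved query.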

Data Sources

  • CrowdStrike Falcon Endpoint Agent (ProcessRollup2)
  • CrowdStrike Falcon Network Telemetry (NetworkConnectIP4)
  • CrowdStrike Falcon Detection Events (DetectionSummaryEvent)

Required Tables

  • ProcessRollup2
  • NetworkConnectIP4
  • DetectionSummaryEvent

False Positives & Tuning

  • Authorized penetration testers or red team operators executing hping3 or nmap SYN flood commands against agreed targets will match process execution rules
  • Network performance testing tools used by infrastructure engineers to benchmark TCP throughput will trigger the high-rate outbound TCP connection rule
  • Continuous integration pipelines that spin up many parallel test containers and establish rapid TCP connections to test services may exceed the 500-connection threshold within 60 seconds

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: hping3 SYN Flood Against Local Test Port

    Expected signal: Linux kernel ring buffer (dmesg): 'TCP: Possible SYN flooding on port 9999. Sending cookies.' if tcp_syncookies=1. Syslog facility=kern messages with same content routed to /var/log/kern.log and forwarded to SIEM. 'ss -tan state syn-recv' shows multiple SYN_RECV entries for the test port. /proc/net/netstat field TcpExtTCPReqQFullDoCookies increments for each SYN cookie issued.

  2. Test 2: Python Scapy SYN Flood Simulation

    Expected signal: Linux kernel: 'TCP: Possible SYN flooding on port 80. Sending cookies.' in dmesg and kern.log. /proc/net/netstat TcpExtTCPReqQFullDoCookies increments. If Sysmon for Linux is deployed: network events for the scapy process with multiple outbound connections. Packet capture shows SYN packets with randomized source IPs and no corresponding ACK completions.

  3. Test 3: PowerShell TCP Half-Open Connection Flood (Windows)

    Expected signal: Windows System Event Log Event ID 4227 ('TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts') if connection limit is hit. Sysmon Event ID 3 (Network Connection) showing many connections from powershell.exe to 127.0.0.1:445. Windows Performance counter TCPv4\Connection Failures increases. netstat output shows many ESTABLISHED or SYN_SENT connections from powershell.exe.

  4. Test 4: nf_conntrack Table Exhaustion Simulation (Linux)

    Expected signal: Linux kernel ring buffer (dmesg): 'nf_conntrack: table full, dropping packet' — the exact message generated during real TCP flood attacks that exhaust the connection tracking table. This message is forwarded to syslog as facility=kern and typically appears in /var/log/kern.log. SIEM receives it via syslog forwarding. /proc/sys/net/netfilter/nf_conntrack_count shows the table is full.
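The Linux kernel messages that Tests 1, 2 and 4 expect are plain syslog text once forwarded, so a SIEM that lacks a kernel-log parser needs one. As an added example (not part of the page or any vendor content), a parser over constructed /var/log/kern.log lines that extracts the SYN-flood port, whether SYN cookies were sent or the request dropped (the kernel prints "Dropping request" when tcp_syncookies=0), and the nf_conntrack "table full" notices; the syslog layout and host names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed /var/log/kern.log lines (assumed syslog layout; not captured from a real host).
SAMPLE_KERN_LOG = """\
May  1 10:00:01 host-a kernel: [12345.678901] TCP: Possible SYN flooding on port 9999. Sending cookies.  Check SNMP counters.
May  1 10:00:02 host-a kernel: [12346.001234] TCP: request_sock_TCP: Possible SYN flooding on port 9999. Sending cookies.  Check SNMP counters.
May  1 10:00:03 host-a kernel: [12347.111111] nf_conntrack: table full, dropping packet
May  1 10:00:04 host-b kernel: [  500.000000] TCP: Possible SYN flooding on port 80. Dropping request.  Check SNMP counters.
May  1 10:00:05 host-b kernel: [  501.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

# Syslog envelope: timestamp, host, "kernel:", optional printk uptime stamp, then the message.
KMSG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
                     r"(?:\[\s*\d+\.\d+\] )?(?P<msg>.*)$")
# Kernel SYN-flood notice; the optional "addr:" part tolerates kernels that print "[::]:9999".
SYN_FLOOD_RE = re.compile(r"Possible SYN flooding on port (?:\S+:)?(?P<port>\d+)\. "
                          r"(?P<action>Sending cookies|Dropping request)\.")
CONNTRACK_RE = re.compile(r"nf_conntrack: table full, dropping packet")


def parse_kernel_flood_signals(log_text):
    """Group SYN-flood and conntrack-full notices per host; returns a list of alert dicts."""
    syn_hits = defaultdict(Counter)   # host -> Counter({(port, action): n})
    conntrack_full = Counter()        # host -> number of "table full" lines
    for line in log_text.splitlines():
        m = KMSG_RE.match(line)
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        s = SYN_FLOOD_RE.search(msg)
        if s:
            syn_hits[host][(int(s.group("port")), s.group("action"))] += 1
        elif CONNTRACK_RE.search(msg):
            conntrack_full[host] += 1
    alerts = []
    for host in sorted(set(syn_hits) | set(conntrack_full)):
        alerts.append({
            "host": host,
            "syn_flood_ports": sorted({p for p, _ in syn_hits[host]}),
            "syncookies_active": any(a == "Sending cookies" for _, a in syn_hits[host]),
            "syn_flood_messages": sum(syn_hits[host].values()),
            "conntrack_full_messages": conntrack_full[host],
        })
    return alerts
```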
