T1499.003

Application Exhaustion Flood

Adversaries may target resource-intensive features of web applications to cause a denial of service (DoS), denying availability to those applications. Unlike volumetric network-layer floods, application exhaustion attacks focus on Layer 7 features that consume disproportionate server resources per request — such as search functions, complex database queries, authentication endpoints, report generation, GraphQL resolvers, XML/SOAP processing, or file conversion operations. By repeatedly invoking these expensive operations, adversaries can exhaust CPU cycles, memory, database connection pools, or thread pools with relatively low request volumes, making the attack harder to distinguish from legitimate traffic spikes and more difficult to block at the network layer without application-aware controls.

Microsoft Sentinel / Defender

kusto

let TimeWindow = 5m;
let SingleIPThreshold = 300;
let AvgResponseThreshold = 5000;
let ResourceIntensiveEndpoints = dynamic([
    "/search", "/query", "/find", "/api/search", "/api/query",
    "/report", "/export", "/download", "/generate", "/convert",
    "/login", "/authenticate", "/auth", "/oauth", "/signin",
    "/graphql", "/api/graphql", "/api/v",
    "/wp-login.php", "/xmlrpc.php", "/wp-admin",
    "/rest/api", "/odata"
]);
W3CIISLog
| where TimeGenerated > ago(1h)
| where csUriStem has_any (ResourceIntensiveEndpoints) or TimeTaken > 5000
| summarize
    RequestCount = count(),
    AvgTimeTaken = avg(TimeTaken),
    MaxTimeTaken = max(TimeTaken),
    P95TimeTaken = percentile(TimeTaken, 95),
    UniqueEndpoints = dcount(csUriStem),
    StatusCodes = make_set(scStatus),
    Endpoints = make_set(csUriStem, 10),
    ServerErrorCount = countif(scStatus >= 500),
    RateLimitedCount = countif(scStatus == 429)
    by bin(TimeGenerated, TimeWindow), cIP, csHost
| where RequestCount > SingleIPThreshold
    or (AvgTimeTaken > AvgResponseThreshold and RequestCount > 50)
    or RateLimitedCount > 10
| extend IsHighRateFlood = RequestCount > SingleIPThreshold
| extend IsSlowExhaustion = AvgTimeTaken > AvgResponseThreshold
| extend ErrorRate = round(1.0 * ServerErrorCount / RequestCount, 2)
| extend ThreatScore = case(
    RequestCount > 1000 and AvgTimeTaken > 10000, 3,
    RequestCount > 500 or AvgTimeTaken > 8000, 2,
    1)
| project TimeGenerated, SourceIP = cIP, Host = csHost, RequestCount,
    AvgResponseMs = AvgTimeTaken, MaxResponseMs = MaxTimeTaken, P95ResponseMs = P95TimeTaken,
    UniqueEndpoints, StatusCodes, Endpoints, ServerErrorCount, RateLimitedCount,
    ErrorRate, IsHighRateFlood, IsSlowExhaustion, ThreatScore
| sort by ThreatScore desc, RequestCount desc

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Application Log: Application Log Content IIS Web Server Logs — W3CIISLog (Microsoft Sentinel)

Required Tables

W3CIISLog

False Positives

Legitimate high-traffic events such as product launches, marketing campaigns, or viral content causing genuine user spikes to search or landing pages
Authorized security scanning tools (Qualys, Tenable Nessus, OWASP ZAP) running web application vulnerability assessments that hammer form and API endpoints
Load testing tools (Apache JMeter, Gatling, Locust, k6) executing authorized performance tests against production or staging environments
Legitimate API clients or integration partners with high-frequency polling or batch processing workloads making hundreds of requests per minute
Search engine crawlers (Googlebot, Bingbot, Slurp) aggressively indexing resource-intensive dynamic pages or paginated search results

Splunk

spl

index=web (sourcetype="ms:iis:auto" OR sourcetype="iis" OR sourcetype="access_combined" OR sourcetype="apache:access")
| eval uri=coalesce(cs_uri_stem, uri_path, uri, request)
| eval time_taken_ms=coalesce(time_taken, timetaken, response_time, 0)
| eval status=coalesce(sc_status, status, 200)
| eval src_ip=coalesce(c_ip, src_ip, clientip, remote_host)
| where match(uri, "(?i)/(search|query|find|report|export|download|generate|convert|login|authenticate|auth|oauth|signin|graphql|wp-login\.php|xmlrpc\.php|wp-admin|rest/api|odata|api/)")
    OR time_taken_ms > 5000
| bin _time span=5m
| eval is_server_error=if(status>=500, 1, 0)
| eval is_rate_limited=if(status=429, 1, 0)
| stats
    count as RequestCount,
    avg(time_taken_ms) as AvgResponseMs,
    max(time_taken_ms) as MaxResponseMs,
    dc(uri) as UniqueEndpoints,
    values(uri) as Endpoints,
    values(status) as StatusCodes,
    sum(is_server_error) as ServerErrorCount,
    sum(is_rate_limited) as RateLimitedCount
    by _time, src_ip, host
| eval ErrorRate=round(ServerErrorCount / RequestCount, 2)
| eval ThreatScore=case(
    RequestCount > 1000 AND AvgResponseMs > 10000, 3,
    RequestCount > 500 OR AvgResponseMs > 8000, 2,
    1)
| where RequestCount > 300 OR (AvgResponseMs > 5000 AND RequestCount > 50) OR RateLimitedCount > 10
| sort - ThreatScore, - RequestCount
| table _time, src_ip, host, RequestCount, AvgResponseMs, MaxResponseMs, UniqueEndpoints, Endpoints, StatusCodes, ServerErrorCount, RateLimitedCount, ErrorRate, ThreatScore

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Application Log: Application Log Content Web Server Access Logs (IIS, Apache, Nginx)

Required Sourcetypes

ms:iis:auto iis access_combined apache:access

False Positives

Legitimate high-traffic events such as product launches, marketing campaigns, or viral content causing genuine user spikes
Authorized security scanning tools (Qualys, Tenable, OWASP ZAP) running application vulnerability assessments
Load testing tools (JMeter, Gatling, Locust, k6) executing authorized performance tests in production or staging environments
Legitimate API clients or integration partners with high-frequency polling or batch processing workloads
Search engine crawlers (Googlebot, Bingbot, Slurp) aggressively indexing resource-intensive dynamic pages

Elastic Security (EQL)

eql

sequence by source.ip, url.domain with maxspan=5m
  [network where event.dataset in ("iis.access", "apache.access", "nginx.access") and
   (url.path : ("*/search*", "*/query*", "*/find*", "*/report*", "*/export*", "*/download*",
                "*/generate*", "*/convert*", "*/login*", "*/authenticate*", "*/auth*",
                "*/oauth*", "*/signin*", "*/graphql*", "*/wp-login.php*", "*/xmlrpc.php*",
                "*/wp-admin*", "*/rest/api*", "*/odata*", "*/api/*")
    or http.response.body.bytes > 0)
  ] with runs=50

// Alternative aggregation-style query using stats:
// from logs-*
// | where event.dataset in ("iis.access", "apache.access", "nginx.access")
// | where @timestamp > now() - 1h
// | where url.path LIKE "%search%" or url.path LIKE "%graphql%" or url.path LIKE "%login%" or event.duration > 5000000000
// | stats
//     request_count = count(),
//     avg_duration_ms = avg(event.duration / 1000000),
//     max_duration_ms = max(event.duration / 1000000),
//     unique_endpoints = count_distinct(url.path),
//     server_errors = sum(case(http.response.status_code >= 500, 1, 0)),
//     rate_limited = sum(case(http.response.status_code == 429, 1, 0))
//   by source.ip, url.domain, bucket(@timestamp, "5 minutes")
// | where request_count > 300 or (avg_duration_ms > 5000 and request_count > 50) or rate_limited > 10

from logs-*
| where event.dataset in ("iis.access", "apache.access", "nginx.access", "haproxy.log")
| where @timestamp > now() - 1h
| where (url.path like "*search*" or url.path like "*query*" or url.path like "*find*"
    or url.path like "*report*" or url.path like "*export*" or url.path like "*download*"
    or url.path like "*generate*" or url.path like "*convert*" or url.path like "*login*"
    or url.path like "*authenticate*" or url.path like "*graphql*" or url.path like "*wp-login.php*"
    or url.path like "*xmlrpc.php*" or url.path like "*wp-admin*" or url.path like "*rest/api*"
    or url.path like "*odata*" or url.path like "*/api/*")
    or (event.duration / 1000000) > 5000
| stats
    request_count = count(),
    avg_duration_ms = avg(event.duration / 1000000),
    max_duration_ms = max(event.duration / 1000000),
    unique_endpoints = count_distinct(url.path),
    server_errors = count_if(http.response.status_code >= 500, 1),
    rate_limited = count_if(http.response.status_code == 429, 1)
  by source.ip, url.domain, bucket := date_trunc("5 minutes", @timestamp)
| where request_count > 300 or (avg_duration_ms > 5000 and request_count > 50) or rate_limited > 10
| eval threat_score = case(
    request_count > 1000 and avg_duration_ms > 10000, 3,
    request_count > 500 or avg_duration_ms > 8000, 2,
    1)
| eval error_rate = round(server_errors / request_count, 2)
| sort threat_score desc, request_count desc

high severity medium confidence

Data Sources

IIS Access Logs (Filebeat iis module or logs-iis.access-*) Apache Access Logs (Filebeat apache module or logs-apache.access-*) Nginx Access Logs (Filebeat nginx module or logs-nginx.access-*) HAProxy Logs (Filebeat haproxy module) Elastic APM (transaction duration metrics)

Required Tables

logs-iis.access-* logs-apache.access-* logs-nginx.access-* logs-*

False Positives

Automated integration test suites or load testing frameworks (e.g., JMeter, k6, Locust) running against non-production environments may generate high request volumes to monitored endpoints
Legitimate enterprise users running scheduled report generation or bulk data exports — particularly common during business hours for BI tools querying /report or /export endpoints
Search engine crawlers (Googlebot, Bingbot) and security scanners that probe /search or /api endpoints at high frequency; these usually have well-known User-Agent strings that can be used to exclude them
Internal monitoring agents performing health checks against /api/ endpoints at high frequency — typically identifiable by static source IPs or internal RFC1918 address ranges

IBM QRadar (AQL)

sql

SELECT
    sourceip AS SourceIP,
    "URL Host" AS Host,
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm') AS TimeWindow,
    COUNT(*) AS RequestCount,
    AVG(LONG("Response Time")) AS AvgResponseMs,
    MAX(LONG("Response Time")) AS MaxResponseMs,
    COUNT(DISTINCT "URL Path") AS UniqueEndpoints,
    SUM(CASE WHEN LONG("HTTP Status Code") >= 500 THEN 1 ELSE 0 END) AS ServerErrorCount,
    SUM(CASE WHEN LONG("HTTP Status Code") = 429 THEN 1 ELSE 0 END) AS RateLimitedCount,
    ROUND(SUM(CASE WHEN LONG("HTTP Status Code") >= 500 THEN 1 ELSE 0 END) * 1.0 / COUNT(*), 2) AS ErrorRate,
    CASE
        WHEN COUNT(*) > 1000 AND AVG(LONG("Response Time")) > 10000 THEN 3
        WHEN COUNT(*) > 500 OR AVG(LONG("Response Time")) > 8000 THEN 2
        ELSE 1
    END AS ThreatScore
FROM events
WHERE
    LOGSOURCETYPEID IN (
        10,    -- IBM Security Web Gateway
        18,    -- Microsoft IIS
        260,   -- Apache HTTP Server
        261,   -- nginx
        95     -- F5 BIG-IP LTM
    )
    AND devicetime > (CURRENT_TIMESTAMP - 3600000)
    AND (
        LOWER("URL Path") LIKE '%/search%'
        OR LOWER("URL Path") LIKE '%/query%'
        OR LOWER("URL Path") LIKE '%/find%'
        OR LOWER("URL Path") LIKE '%/report%'
        OR LOWER("URL Path") LIKE '%/export%'
        OR LOWER("URL Path") LIKE '%/download%'
        OR LOWER("URL Path") LIKE '%/generate%'
        OR LOWER("URL Path") LIKE '%/convert%'
        OR LOWER("URL Path") LIKE '%/login%'
        OR LOWER("URL Path") LIKE '%/authenticate%'
        OR LOWER("URL Path") LIKE '%/auth%'
        OR LOWER("URL Path") LIKE '%/oauth%'
        OR LOWER("URL Path") LIKE '%/signin%'
        OR LOWER("URL Path") LIKE '%/graphql%'
        OR LOWER("URL Path") LIKE '%/wp-login.php%'
        OR LOWER("URL Path") LIKE '%/xmlrpc.php%'
        OR LOWER("URL Path") LIKE '%/wp-admin%'
        OR LOWER("URL Path") LIKE '%/rest/api%'
        OR LOWER("URL Path") LIKE '%/odata%'
        OR LOWER("URL Path") LIKE '%/api/%'
        OR LONG("Response Time") > 5000
    )
GROUP BY
    sourceip,
    "URL Host",
    TRUNC(devicetime, 300000)
HAVING
    COUNT(*) > 300
    OR (AVG(LONG("Response Time")) > 5000 AND COUNT(*) > 50)
    OR SUM(CASE WHEN LONG("HTTP Status Code") = 429 THEN 1 ELSE 0 END) > 10
ORDER BY ThreatScore DESC, RequestCount DESC
LAST 60 MINUTES

high severity medium confidence

Data Sources

IBM Security Web Gateway (LOGSOURCETYPEID 10) Microsoft IIS Web Server logs (LOGSOURCETYPEID 18) Apache HTTP Server logs (LOGSOURCETYPEID 260) Nginx access logs (LOGSOURCETYPEID 261) F5 BIG-IP LTM logs (LOGSOURCETYPEID 95) WAF/CDN access logs forwarded to QRadar

Required Tables

events

False Positives

Synthetic monitoring tools (Pingdom, Datadog Synthetics, New Relic) that perform continuous health checks against /api/ or /auth endpoints from a fixed set of source IPs — exclude known monitoring IP ranges
Batch ETL jobs that bulk-export data through /export or /download endpoints during scheduled maintenance windows; review timing against maintenance schedules
Penetration testing or red team exercises targeting the web tier — coordinate with security teams on authorized test windows and expected source IPs
API gateway retry storms caused by misconfigured downstream services sending repeated requests to /rest/api or /graphql when upstream services are degraded

Sumo Logic CSE

sql

_sourceCategory=web/access OR _sourceCategory=iis OR _sourceCategory=apache OR _sourceCategory=nginx
| parse regex field=_raw "(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| parse regex field=_raw "\"(?:GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS) (?P<uri_path>[^\s]+)"
| parse regex field=_raw "\" (?P<status_code>\d{3}) "
| parse regex field=_raw "(?P<response_time_ms>\d+)$" nodrop
| where _sourceCategory matches "*web*" or _sourceCategory matches "*iis*" or _sourceCategory matches "*apache*" or _sourceCategory matches "*nginx*"
| where (
    uri_path matches "*search*" or
    uri_path matches "*query*" or
    uri_path matches "*find*" or
    uri_path matches "*report*" or
    uri_path matches "*export*" or
    uri_path matches "*download*" or
    uri_path matches "*generate*" or
    uri_path matches "*convert*" or
    uri_path matches "*login*" or
    uri_path matches "*authenticate*" or
    uri_path matches "*/auth*" or
    uri_path matches "*oauth*" or
    uri_path matches "*signin*" or
    uri_path matches "*graphql*" or
    uri_path matches "*wp-login.php*" or
    uri_path matches "*xmlrpc.php*" or
    uri_path matches "*wp-admin*" or
    uri_path matches "*rest/api*" or
    uri_path matches "*odata*" or
    uri_path matches "*/api/*"
  ) or num(response_time_ms) > 5000
| timeslice 5m
| eval status_int = num(status_code)
| eval is_server_error = if(status_int >= 500, 1, 0)
| eval is_rate_limited = if(status_int == 429, 1, 0)
| eval response_ms = num(response_time_ms)
| stats
    count as RequestCount,
    avg(response_ms) as AvgResponseMs,
    max(response_ms) as MaxResponseMs,
    dcount(uri_path) as UniqueEndpoints,
    sum(is_server_error) as ServerErrorCount,
    sum(is_rate_limited) as RateLimitedCount
  by _timeslice, src_ip, _sourceHost
| where RequestCount > 300
    or (AvgResponseMs > 5000 and RequestCount > 50)
    or RateLimitedCount > 10
| eval ErrorRate = round(ServerErrorCount / RequestCount, 2)
| eval ThreatScore = if(RequestCount > 1000 and AvgResponseMs > 10000, 3,
    if(RequestCount > 500 or AvgResponseMs > 8000, 2, 1))
| eval IsHighRateFlood = if(RequestCount > 300, "true", "false")
| eval IsSlowExhaustion = if(AvgResponseMs > 5000, "true", "false")
| sort by ThreatScore, RequestCount
| fields _timeslice, src_ip, _sourceHost, RequestCount, AvgResponseMs, MaxResponseMs, UniqueEndpoints, ServerErrorCount, RateLimitedCount, ErrorRate, IsHighRateFlood, IsSlowExhaustion, ThreatScore

high severity medium confidence

Data Sources

IIS W3C access logs (Sumo Logic IIS collector or _sourceCategory=iis) Apache Combined Log Format (_sourceCategory=apache or _sourceCategory=web/apache) Nginx access logs (_sourceCategory=nginx or _sourceCategory=web/nginx) Sumo Logic Cloud SIEM normalized web log schema F5 / load balancer access logs forwarded to Sumo Logic

Required Tables

Web access log index (IIS, Apache, Nginx) Sumo Logic Cloud SIEM signal index

False Positives

Large-scale legitimate user events such as product launches, marketing campaigns, or viral content that generate authentic traffic spikes against /search or /api endpoints from diverse IPs — look for corresponding geographic and ASN diversity before escalating
Search engine indexing bots (Googlebot, Bingbot, Applebot) that aggressively crawl /search or sitemap-linked endpoints; filter by User-Agent string where available in log fields
Legitimate bulk data export jobs initiated by enterprise users or scheduled ETL pipelines hitting /export or /download endpoints — cross-reference with scheduled job windows and user identity
Internal DevOps pipelines running integration or performance tests against staging environments where the same log sources are used across environments

Google Chronicle / SecOps

yaral

rule t1499_003_application_exhaustion_flood {
  meta:
    author = "df00tech"
    description = "Detects T1499.003 Application Exhaustion Flood — identifies single source IPs sending high-volume requests to resource-intensive web endpoints or triggering slow server responses indicative of CPU, thread pool, or database connection exhaustion."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499.003"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.metadata.product_name != ""
    (
      re.regex($e.target.url, `(?i)/(search|query|find|report|export|download|generate|convert|login|authenticate|auth|oauth|signin|graphql|wp-login\.php|xmlrpc\.php|wp-admin|rest/api|odata|api/)`)
      or $e.network.http.response_code = 429
    )
    $e.principal.ip = $src_ip
    $e.target.hostname = $target_host

  match:
    $src_ip, $target_host over 5m

  outcome:
    $request_count = count($e.metadata.id)
    $rate_limited_count = sum(
      if($e.network.http.response_code = 429, 1, 0)
    )
    $server_error_count = sum(
      if($e.network.http.response_code >= 500, 1, 0)
    )
    $unique_endpoints = count_distinct($e.target.url)
    $max_response_bytes = max($e.network.http.response_body_bytes)
    $error_rate = math.round(
      ($server_error_count / $request_count) * 100
    ) / 100
    $threat_score = if(
      $request_count > 1000 and $rate_limited_count > 20, 3,
      if($request_count > 500 or $rate_limited_count > 10, 2, 1)
    )
    $is_high_rate_flood = if($request_count > 300, "true", "false")
    $is_rate_limit_triggered = if($rate_limited_count > 10, "true", "false")

  condition:
    #e > 300
    or ($rate_limited_count > 10)
    or ($server_error_count > 50 and #e > 50)
}

high severity medium confidence

Data Sources

Chronicle UDM NETWORK_HTTP events (ingested from web proxy, WAF, or load balancer logs) Google Cloud Load Balancer logs parsed to UDM Palo Alto Networks / Zscaler proxy logs mapped to UDM IIS / Apache / Nginx logs parsed via Chronicle ingestion parsers

Required Tables

UDM events (NETWORK_HTTP type)

False Positives

High-traffic legitimate services (news aggregators, API consumers, CDN origin pulls) that make large volumes of structured requests to /api/ or /search endpoints from a single egress IP — validate against known partner IP allowlists
Internal automated systems performing health monitoring, synthetic transactions, or chaos engineering tests that target auth or search endpoints at defined rates
Mobile application backends aggregating user requests behind a NAT gateway — all traffic appears to originate from one or a small set of IPs, making per-IP volume thresholds less reliable; supplement with per-session or per-user-agent analysis

CrowdStrike LogScale (CQL)

cql

// T1499.003 — Application Exhaustion Flood Detection
// Requires HTTP activity telemetry from Falcon sensor or ingested web proxy/WAF logs

// Step 1: Filter to relevant HTTP web events with resource-intensive endpoints
#event_simpleName IN ("NetworkConnectIP4", "HttpRequest", "WebRequest")
// Filter for resource-intensive paths or slow responses
| regex(field="RequestUrl", regex="(?i)/(search|query|find|report|export|download|generate|convert|login|authenticate|auth|oauth|signin|graphql|wp-login\.php|xmlrpc\.php|wp-admin|rest/api|odata|api/)", strict=false)

// Step 2: Extract source IP and host from available fields
| eval SourceIP = coalesce(RemoteAddressIP4, SrcIP, SourceIP)
| eval TargetHost = coalesce(HttpHost, DestinationHostname, DomainName)
| eval UriPath = coalesce(RequestUrl, UrlPath, Uri)
| eval StatusCode = coalesce(HttpStatusCode, StatusCode, 0)
| eval ResponseTimeMs = coalesce(ResponseTimeMs, TimeTakenMs, 0)

// Step 3: Bucket into 5-minute windows and aggregate per source IP
| bucket(field="@timestamp", function="floor", arg=300000) as TimeWindow
| groupBy([TimeWindow, SourceIP, TargetHost], function=[
    count() as RequestCount,
    avg(ResponseTimeMs) as AvgResponseMs,
    max(ResponseTimeMs) as MaxResponseMs,
    count(UriPath, distinct=true) as UniqueEndpoints,
    sum(if(StatusCode >= 500, 1, 0)) as ServerErrorCount,
    sum(if(StatusCode = 429, 1, 0)) as RateLimitedCount
  ])

// Step 4: Apply detection thresholds matching KQL/SPL logic
| where RequestCount > 300
    or (AvgResponseMs > 5000 and RequestCount > 50)
    or RateLimitedCount > 10

// Step 5: Compute derived fields
| eval ErrorRate = round(ServerErrorCount / RequestCount, 2)
| eval ThreatScore = case(
    RequestCount > 1000 and AvgResponseMs > 10000, "3-Critical",
    RequestCount > 500 or AvgResponseMs > 8000, "2-High",
    "1-Medium")
| eval IsHighRateFlood = if(RequestCount > 300, "true", "false")
| eval IsSlowExhaustion = if(AvgResponseMs > 5000, "true", "false")

// Step 6: Sort and output
| sort(ThreatScore, order=desc)
| sort(RequestCount, order=desc)
| table([TimeWindow, SourceIP, TargetHost, RequestCount, AvgResponseMs, MaxResponseMs, UniqueEndpoints, ServerErrorCount, RateLimitedCount, ErrorRate, IsHighRateFlood, IsSlowExhaustion, ThreatScore])

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor HTTP telemetry (NetworkConnectIP4, HttpRequest events) Ingested WAF logs (Cloudflare, Imperva, AWS WAF) via Falcon LogScale pipeline Web proxy logs forwarded to LogScale repository Falcon Identity Protection HTTP session events

Required Tables

Main Falcon event repository (NetworkConnectIP4) Custom repository for ingested web/proxy logs (HttpRequest, WebRequest)

False Positives

CrowdStrike-managed endpoints running automated software update checks or telemetry agents that periodically poll /api/ endpoints at high frequency — these typically have consistent User-Agent strings and uniform request intervals
Legitimate high-volume API consumers (partner integrations, CI/CD pipelines, data sync jobs) operating from a small number of corporate egress IPs and targeting /export or /graphql endpoints on a schedule
Security scanning tools (vulnerability scanners, web application fuzzers) operated by the internal security team that probe all application endpoints including authenticated routes — validate against authorized scan schedules and scanning tool hostnames
CDN origin-pull behavior where the CDN makes large batches of requests to the origin for cache warming, appearing as a single high-volume source IP hitting /download or /generate endpoints

Last updated: 2026-04-19 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1499.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1499Endpoint Denial of Service

Related Sub-techniques

T1499.001OS Exhaustion Flood T1499.002Service Exhaustion Flood T1499.004Application or System Exploitation

Application Exhaustion Flood

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections