T1499.004

Application or System Exploitation

Adversaries may exploit software vulnerabilities to crash applications or systems, denying availability to users. Unlike resource exhaustion or flooding techniques, exploitation-based DoS leverages logic flaws or memory corruption bugs (buffer overflows, use-after-free, integer overflows, protocol violations) to trigger unhandled exceptions, assertion failures, or kernel panics. Critical services including DNS servers (BIND9 CVE-2015-5477), web servers, databases, and ICS/SCADA devices (Siemens SIPROTEC CVE-2015-5374 exploited by Industroyer/CRASHOVERRIDE) are common targets. Auto-restart mechanisms may restore crashed services, enabling adversaries to repeatedly re-exploit for persistent denial of service. Crash-induced conditions may cascade into data destruction, firmware corruption, or full service stop outcomes.

Microsoft Sentinel / Defender

kusto

let ExploitExceptionCodes = dynamic([
    "0xc0000005",
    "0xc000001d",
    "0xc00000fd",
    "0xc0000409",
    "0xc0000374",
    "0x80000003",
    "0xc0000096"
]);
let CriticalServices = dynamic(["w3wp", "inetinfo", "httpd", "apache", "sqlservr", "named", "mysqld", "postgres", "nginx", "vsftpd", "sshd", "lsass", "spoolsv", "dns", "tomcat"]);
let LookbackWindow = 24h;
let CrashWindowBin = 30m;
let MinCrashThreshold = 2;
Event
| where TimeGenerated > ago(LookbackWindow)
| where EventLog == "Application"
| where EventID == 1000
| extend FaultingApp = extract(@"Faulting application name: ([^,\r\n]+)", 1, RenderedDescription)
| extend FaultingModule = extract(@"Faulting module name: ([^,\r\n]+)", 1, RenderedDescription)
| extend ExceptionCode = extract(@"Exception code: (0x[0-9a-fA-F]+)", 1, RenderedDescription)
| extend FaultingAppPath = extract(@"Faulting application path: ([^\r\n]+)", 1, RenderedDescription)
| extend ExceptionIsExploitRelevant = ExceptionCode in (ExploitExceptionCodes)
| extend AppIsCritical = FaultingApp has_any (CriticalServices)
| where ExceptionIsExploitRelevant or AppIsCritical
| summarize
    CrashCount = count(),
    ExceptionCodes = make_set(ExceptionCode),
    FaultingModules = make_set(FaultingModule),
    FaultingPaths = make_set(FaultingAppPath),
    FirstCrash = min(TimeGenerated),
    LastCrash = max(TimeGenerated),
    IsCritical = max(toint(AppIsCritical)),
    IsExploitException = max(toint(ExceptionIsExploitRelevant))
    by Computer, FaultingApp, bin(TimeGenerated, CrashWindowBin)
| where CrashCount >= MinCrashThreshold
| extend CrashIntervalMinutes = datetime_diff('minute', LastCrash, FirstCrash)
| extend RapidReExploitation = CrashCount >= 3 and CrashIntervalMinutes <= 30
| extend AlertSeverity = case(
    RapidReExploitation == true and IsExploitException == 1, "Critical",
    CrashCount >= 5 or (IsCritical == 1 and IsExploitException == 1), "High",
    "Medium"
)
| project FirstCrash, LastCrash, Computer, FaultingApp, CrashCount, CrashIntervalMinutes, ExceptionCodes, FaultingModules, FaultingPaths, RapidReExploitation, IsCritical, IsExploitException, AlertSeverity
| sort by CrashCount desc

high severity medium confidence

Data Sources

Application: Application Crash Windows Event Log: Application (Event ID 1000, 1001) Windows Event Log: System (Event ID 7034, 7031)

Required Tables

Event

False Positives

Buggy in-house or third-party applications with recurring software defects that crash with access violation exceptions unrelated to exploitation
Memory-constrained or heavily loaded servers where OOM conditions cause access violation exceptions in critical processes
Legitimate load testing or fuzzing pipelines on non-production systems that intentionally generate crash events as part of resilience testing
Windows software updates or in-place upgrades that transiently crash services, generating multiple Event ID 1000 entries during the update window
Antivirus or EDR hooking conflicts that cause access violations in monitored processes during signature updates or engine upgrades

Splunk

spl

index=wineventlog (sourcetype="WinEventLog:Application" EventCode=1000) OR (sourcetype="WinEventLog:System" (EventCode=7034 OR EventCode=7031))
| eval EventType=case(
    sourcetype="WinEventLog:Application" AND EventCode=1000, "AppCrash",
    EventCode=7034, "ServiceCrashUnexpected",
    EventCode=7031, "ServiceCrashWithRecovery",
    true(), "Unknown"
)
| eval ExceptionCode=if(EventType="AppCrash",
    trim(replace(mvindex(split(Message, "Exception code: "), 1), "[\r\n].*", "")),
    null())
| eval FaultingApp=if(EventType="AppCrash",
    trim(replace(mvindex(split(Message, "Faulting application name: "), 1), ",.*", "")),
    null())
| eval FaultingModule=if(EventType="AppCrash",
    trim(replace(mvindex(split(Message, "Faulting module name: "), 1), ",.*", "")),
    null())
| eval ServiceName=if(EventType!="AppCrash",
    trim(replace(mvindex(split(Message, "The "), 1), " service (terminated|failed).*", "")),
    null())
| eval IsExploitException=if(match(ExceptionCode, "0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096"), 1, 0)
| eval IsCriticalService=if(match(lower(FaultingApp), "w3wp|inetinfo|httpd|apache|sqlservr|named|mysqld|postgres|nginx|lsass|spoolsv|dns|tomcat"), 1, 0)
| where IsExploitException=1 OR IsCriticalService=1 OR EventType!="AppCrash"
| bin _time span=30m
| stats
    count as CrashCount,
    values(ExceptionCode) as ExceptionCodes,
    values(FaultingModule) as FaultingModules,
    values(EventType) as EventTypes,
    max(IsExploitException) as HasExploitException,
    max(IsCriticalService) as IsCritical,
    earliest(_time) as FirstCrash,
    latest(_time) as LastCrash
    by host, FaultingApp, _time
| eval CrashIntervalSecs=LastCrash-FirstCrash
| eval RapidReExploitation=if(CrashCount>=3 AND CrashIntervalSecs<=1800, 1, 0)
| eval AlertSeverity=case(
    RapidReExploitation=1 AND HasExploitException=1, "Critical",
    CrashCount>=5 OR (IsCritical=1 AND HasExploitException=1), "High",
    true(), "Medium"
)
| where CrashCount>=2
| table FirstCrash, LastCrash, host, FaultingApp, CrashCount, CrashIntervalSecs, ExceptionCodes, FaultingModules, EventTypes, RapidReExploitation, IsCritical, HasExploitException, AlertSeverity
| sort - CrashCount

high severity medium confidence

Data Sources

Application: Application Crash Windows Event Log: Application (EventCode 1000) Windows Event Log: System (EventCode 7034, 7031)

Required Sourcetypes

WinEventLog:Application WinEventLog:System

False Positives

Buggy in-house or third-party applications with recurring software defects crashing with access violation exception codes unrelated to external exploitation
Memory-constrained or overloaded servers where OOM conditions cause access violation exceptions in application processes
Legitimate load testing or fuzzing infrastructure on test systems using intentional crash generation to validate resilience
Service restarts during patching windows generating multiple Event ID 7034/7031 entries in short succession
Antivirus or EDR product updates causing transient access violations in hooked processes during engine reload

Elastic Security (EQL)

eql

sequence by host.name, winlog.event_data.Application with maxspan=30m
  [any where winlog.channel == "Application" and event.code == "1000"
   and (
     winlog.event_data.ExceptionCode in (
       "0xc0000005", "0xc000001d", "0xc00000fd",
       "0xc0000409", "0xc0000374", "0x80000003", "0xc0000096"
     )
     or winlog.event_data.Application like (
       "*w3wp*", "*httpd*", "*apache*", "*sqlservr*", "*named*",
       "*mysqld*", "*postgres*", "*nginx*", "*lsass*", "*spoolsv*",
       "*dns.exe*", "*tomcat*", "*vsftpd*", "*sshd*"
     )
   )]
  [any where winlog.channel == "Application" and event.code == "1000"
   and (
     winlog.event_data.ExceptionCode in (
       "0xc0000005", "0xc000001d", "0xc00000fd",
       "0xc0000409", "0xc0000374", "0x80000003", "0xc0000096"
     )
     or winlog.event_data.Application like (
       "*w3wp*", "*httpd*", "*apache*", "*sqlservr*", "*named*",
       "*mysqld*", "*postgres*", "*nginx*", "*lsass*", "*spoolsv*",
       "*dns.exe*", "*tomcat*", "*vsftpd*", "*sshd*"
     )
   )]

/* Rapid re-exploitation variant — three crashes in 30 minutes */
/* Uncomment and use separately for Critical severity:
sequence by host.name, winlog.event_data.Application with maxspan=30m
  [any where winlog.channel == "Application" and event.code == "1000"
   and winlog.event_data.ExceptionCode in ("0xc0000005","0xc000001d","0xc00000fd","0xc0000409","0xc0000374","0x80000003","0xc0000096")]
  [any where winlog.channel == "Application" and event.code == "1000"
   and winlog.event_data.ExceptionCode in ("0xc0000005","0xc000001d","0xc00000fd","0xc0000409","0xc0000374","0x80000003","0xc0000096")]
  [any where winlog.channel == "Application" and event.code == "1000"
   and winlog.event_data.ExceptionCode in ("0xc0000005","0xc000001d","0xc00000fd","0xc0000409","0xc0000374","0x80000003","0xc0000096")]
*/

high severity medium confidence

Data Sources

Windows Application Event Log (Event ID 1000 — Application Error) Windows System Event Log (Event IDs 7031, 7034 — Service crash) Winlogbeat or Elastic Agent Windows integration

Required Tables

winlogbeat-* (index) logs-windows.application-* (Elastic Agent Fleet index)

False Positives

Buggy third-party software with known crash loops (e.g., legacy COM-based IIS extensions) that crash repeatedly during normal operations and are restarted by IIS application pool recycling.
Automated stress-testing or load-testing frameworks (JMeter, Locust, k6) hammering web servers in pre-production environments, triggering resource exhaustion that manifests as exception 0xc0000005.
Windows Error Reporting (WER) generating synthetic Event ID 1000 entries for managed .NET application crashes that throw OutOfMemoryException — these produce ExceptionCode 0xc0000374 but are not exploitation attempts.

IBM QRadar (AQL)

sql

SELECT
  LOGSOURCENAME(logsourceid) AS "Log Source",
  devicehostname AS "Host",
  CATEGORYNAME(category) AS "Category",
  COUNT(*) AS "CrashCount",
  MIN(starttime) AS "FirstCrash",
  MAX(starttime) AS "LastCrash",
  MAX(starttime) - MIN(starttime) AS "CrashIntervalSecs",
  CASE
    WHEN COUNT(*) >= 3 AND (MAX(starttime) - MIN(starttime)) <= 1800
         AND REGEXP_CONTAINS(UTF8(payload), '(?i)(0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096)')
      THEN 'Critical'
    WHEN COUNT(*) >= 5
         OR (
           REGEXP_CONTAINS(UTF8(payload), '(?i)(w3wp|inetinfo|httpd|apache|sqlservr|named|mysqld|postgres|nginx|lsass|spoolsv|tomcat)')
           AND REGEXP_CONTAINS(UTF8(payload), '(?i)(0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096)')
         )
      THEN 'High'
    ELSE 'Medium'
  END AS "AlertSeverity"
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12  /* Microsoft Windows Security Event Log */
  AND eventid = 1000
  AND (
    REGEXP_CONTAINS(UTF8(payload), '(?i)(0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096)')
    OR REGEXP_CONTAINS(UTF8(payload), '(?i)Faulting application name: [^,]*(w3wp|inetinfo|httpd|apache|sqlservr|named|mysqld|postgres|nginx|vsftpd|sshd|lsass|spoolsv|dns\.exe|tomcat)[^,]*,')
  )
  AND LAST 24 HOURS
GROUP BY
  devicehostname,
  FLOOR(LONG(starttime) / (30 * 60 * 1000))
HAVING COUNT(*) >= 2
ORDER BY "CrashCount" DESC

high severity medium confidence

Data Sources

Windows Application Event Log (Event ID 1000) via WinCollect or Windows Event Forwarding to QRadar IBM QRadar events table — LOGSOURCETYPEID 12 (Microsoft Windows Security Event Log) QRadar custom log source properties for ExceptionCode and FaultingApp extraction

Required Tables

events

False Positives

Application deployment pipelines (Octopus Deploy, Ansible) that stop and restart IIS application pools in rapid succession during deployments, generating multiple Event ID 1000 entries from w3wp.exe crashes during teardown.
Antivirus or EDR agents injecting into critical service processes (lsass, spoolsv) and triggering access violation exceptions during signature updates or behavioral scanning operations.
SQL Server AlwaysOn failover operations generating multiple sqlservr.exe Event ID 1000 entries as the secondary replica takes over and the primary instance terminates abnormally.

Sumo Logic CSE

sql

_sourceCategory=*windows* ("EventCode=1000" OR "EventCode=7034" OR "EventCode=7031")
| parse "EventCode=*" as EventCode nodrop
| parse "Faulting application name: *, version" as FaultingApp nodrop
| parse "Faulting module name: *, version" as FaultingModule nodrop
| parse "Exception code: *" as ExceptionCode nodrop
| parse "The * service terminated unexpectedly" as ServiceName nodrop
| eval EventType = if(EventCode == "1000", "AppCrash",
    if(EventCode == "7034", "ServiceCrashUnexpected",
    if(EventCode == "7031", "ServiceCrashWithRecovery", "Unknown")))
| eval IsExploitException = if(matches(ExceptionCode, "(?i)0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096"), 1, 0)
| eval IsCriticalService = if(
    matches(toLowerCase(FaultingApp), ".*w3wp.*|.*inetinfo.*|.*httpd.*|.*apache.*|.*sqlservr.*|.*named.*|.*mysqld.*|.*postgres.*|.*nginx.*|.*vsftpd.*|.*sshd.*|.*lsass.*|.*spoolsv.*|.*tomcat.*"),
    1, 0)
| where IsExploitException == 1 OR IsCriticalService == 1 OR EventType != "AppCrash"
| timeslice 30m
| count as CrashCount,
  values(ExceptionCode) as ExceptionCodes,
  values(FaultingModule) as FaultingModules,
  values(EventType) as EventTypes,
  max(IsExploitException) as HasExploitException,
  max(IsCriticalService) as IsCritical,
  min(_messageTime) as FirstCrash,
  max(_messageTime) as LastCrash
  by _timeslice, _sourceHost, FaultingApp
| where CrashCount >= 2
| eval CrashIntervalSecs = (LastCrash - FirstCrash) / 1000
| eval RapidReExploitation = if(CrashCount >= 3 AND CrashIntervalSecs <= 1800, "true", "false")
| eval AlertSeverity = if(
    RapidReExploitation == "true" AND HasExploitException == 1, "Critical",
    if(CrashCount >= 5 OR (IsCritical == 1 AND HasExploitException == 1), "High", "Medium"))
| fields _timeslice, _sourceHost, FaultingApp, CrashCount, CrashIntervalSecs, ExceptionCodes, FaultingModules, EventTypes, RapidReExploitation, IsCritical, HasExploitException, AlertSeverity
| sort by CrashCount

high severity high confidence

Data Sources

Windows Application Event Log (Event ID 1000) via Sumo Logic Installed Collector or OpenTelemetry Windows System Event Log (Event IDs 7031, 7034) for service crash events Sumo Logic Windows source with _sourceCategory=windows or similar

Required Tables

_sourceCategory=*windows*

False Positives

CI/CD build agents running integration tests against local service instances (IIS Express, SQL Server LocalDB) where tests deliberately exercise error paths, generating crash events for w3wp.exe or sqlservr.exe within short windows.
Windows Defender Application Control (WDAC) or AppLocker policy enforcement blocking process injection into lsass.exe, which may generate access violation exception codes (0xc0000005) as injected DLLs fail to initialize.
Database maintenance windows where MySQL or PostgreSQL instances are recycled in rapid succession for schema migrations, generating multiple Event ID 1000 entries for mysqld.exe or postgres.exe with non-exploit exception codes that still match the critical service filter.

Google Chronicle / SecOps

yaral

rule t1499_004_exploitation_dos_crash_loop {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects exploitation-based DoS via repeated application crashes with exploit exception codes on critical services (MITRE T1499.004)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499.004"
    reference = "https://attack.mitre.org/techniques/T1499/004/"
    created = "2024-01-01"
    version = "1.0"

  events:
    $crash.metadata.event_type = "PROCESS_UNCATEGORIZED"
    $crash.metadata.product_event_type = "1000"
    (
      re.regex(
        $crash.principal.process.file.full_path,
        `(?i)(w3wp|inetinfo|httpd|apache2|sqlservr|named|mysqld|postgres|nginx|vsftpd|sshd|lsass|spoolsv|dns\.exe|tomcat)`
      )
      OR re.regex(
        $crash.metadata.description,
        `(?i)(Exception code:\s*)(0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096)`
      )
    )
    $crash.principal.hostname = $target_host
    $crash.principal.process.file.full_path = $faulting_app

  match:
    $target_host, $faulting_app over 30m

  outcome:
    $crash_count = count_distinct($crash.metadata.event_timestamp.seconds)
    $exception_codes = array_distinct($crash.metadata.description)
    $first_crash = min($crash.metadata.event_timestamp.seconds)
    $last_crash = max($crash.metadata.event_timestamp.seconds)
    $crash_interval_secs = max($crash.metadata.event_timestamp.seconds) - min($crash.metadata.event_timestamp.seconds)
    $is_rapid_reexploit = if(
      count_distinct($crash.metadata.event_timestamp.seconds) >= 3
      and (max($crash.metadata.event_timestamp.seconds) - min($crash.metadata.event_timestamp.seconds)) <= 1800,
      true, false
    )
    $alert_severity = if(
      $is_rapid_reexploit = true
      and re.regex(
        array_to_string(array_distinct($crash.metadata.description), ","),
        `(?i)(0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096)`
      ), "Critical",
      if(count_distinct($crash.metadata.event_timestamp.seconds) >= 5, "High", "Medium")
    )

  condition:
    #crash >= 2
}

high severity medium confidence

Data Sources

Windows Application Event Log (Event ID 1000) via Chronicle forwarder or Windows Event Forwarding Google Chronicle UDM PROCESS_UNCATEGORIZED events with product_event_type=1000 Chronicle Windows Event Log parser (log type: WINEVTLOG or MICROSOFT_WINDOWS)

Required Tables

UDM events (PROCESS_UNCATEGORIZED type, product_event_type 1000)

False Positives

Containers or VMs running crash-test harnesses (AFL fuzzer, libFuzzer) against locally compiled test targets — these generate high-frequency crash events with genuine exploit exception codes (0xc0000005, 0xc000001d) but against test binaries, not production services.
Windows Update or cumulative patch installation causing IIS, SQL Server, or DNS service restarts in rapid succession, with the old process instances generating Event ID 1000 entries during forced teardown.
Elastic APM, Dynatrace, or AppDynamics agents hooking into critical service processes and triggering structured exception handling during initialization, producing 0xc0000005 exception codes in application error events that are self-resolving.

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale — T1499.004 Exploitation-based DoS via repeated application crashes
// Requires Windows Event Log forwarding to LogScale (Falcon LogScale Collector or WEC)

#event_simpleName = "WindowsEventLog"
| EventCode = "1000"
| Channel = "Application"
| regex("Faulting application name: (?P<FaultingApp>[^,\r\n]+)", field=Message, strict=false)
| regex("Faulting module name: (?P<FaultingModule>[^,\r\n]+)", field=Message, strict=false)
| regex("Exception code: (?P<ExceptionCode>0x[0-9a-fA-F]+)", field=Message, strict=false)
| regex("Faulting application path: (?P<FaultingPath>[^\r\n]+)", field=Message, strict=false)
| IsExploitException := ExceptionCode = /(?i)(0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096)/
| IsCriticalService := FaultingApp = /(?i)(w3wp|inetinfo|httpd|apache|sqlservr|named|mysqld|postgres|nginx|vsftpd|sshd|lsass|spoolsv|dns\.exe|tomcat)/
| IsExploitException = true OR IsCriticalService = true
| groupBy(
    [ComputerName, FaultingApp],
    function=[
      count(as=CrashCount),
      min(@timestamp, as=FirstCrashMs),
      max(@timestamp, as=LastCrashMs),
      collect([ExceptionCode], limit=20, multival=true, as=ExceptionCodes),
      collect([FaultingModule], limit=10, multival=true, as=FaultingModules),
      collect([FaultingPath], limit=5, multival=true, as=FaultingPaths),
      max(IsExploitException, as=HasExploitException),
      max(IsCriticalService, as=IsCritical)
    ],
    limit=200,
    timespan=30m
  )
| CrashCount >= 2
| CrashIntervalSecs := (LastCrashMs - FirstCrashMs) / 1000
| RapidReExploitation := if(CrashCount >= 3 AND CrashIntervalSecs <= 1800, "true", "false")
| AlertSeverity := if(
    RapidReExploitation = "true" AND HasExploitException = true,
    "Critical",
    if(
      CrashCount >= 5 OR (IsCritical = true AND HasExploitException = true),
      "High",
      "Medium"
    )
  )
| table(
    [FirstCrashMs, LastCrashMs, ComputerName, FaultingApp, CrashCount,
     CrashIntervalSecs, ExceptionCodes, FaultingModules, FaultingPaths,
     RapidReExploitation, IsCritical, HasExploitException, AlertSeverity],
    sortby=CrashCount,
    order=desc
  )

high severity medium confidence

Data Sources

Windows Application Event Log (Event ID 1000) via LogScale Collector or Windows Event Forwarding CrowdStrike Falcon LogScale WindowsEventLog events (Channel=Application) Optional: Falcon sensor AppCrash telemetry for endpoints enrolled in Falcon sensor telemetry forwarding

Required Tables

#event_simpleName=WindowsEventLog (forwarded Windows event log data)

False Positives

IIS worker processes (w3wp.exe) crashing during legitimate high-load web application deployments where application pool recycling is misconfigured — rapid restarts generate multiple Event ID 1000 entries with access violation codes when ASP.NET modules fail to unload cleanly.
Legacy 32-bit applications running under WOW64 on Windows Server encountering Data Execution Prevention (DEP) violations (0xc0000005) during normal execution of self-modifying code paths such as JIT compilers for older runtimes.
Database replication or backup agents (SQL Server Agent, mysqldump wrappers) terminating target database processes as part of a quiesce-then-snapshot backup workflow, generating multiple crash events for mysqld.exe or sqlservr.exe within the detection window.

Last updated: 2026-04-19 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1499.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1499Endpoint Denial of Service

Related Sub-techniques

T1499.001OS Exhaustion Flood T1499.002Service Exhaustion Flood T1499.003Application Exhaustion Flood

Application or System Exploitation

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections