Detect Application or System Exploitation in Elastic Security
Adversaries may exploit software vulnerabilities to crash applications or systems, denying availability to users. Unlike resource exhaustion or flooding techniques, exploitation-based DoS leverages logic flaws or memory corruption bugs (buffer overflows, use-after-free, integer overflows, protocol violations) to trigger unhandled exceptions, assertion failures, or kernel panics. Critical services are common targets, including DNS servers (BIND9 CVE-2015-5477), web servers, databases, and ICS/SCADA devices (Siemens SIPROTEC CVE-2015-5374, exploited by Industroyer/CRASHOVERRIDE). Auto-restart mechanisms may restore a crashed service, which lets an adversary re-exploit it repeatedly for persistent denial of service. A crash may also cascade into data destruction, firmware corruption, or a full service stop.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1499 Endpoint Denial of Service
- Sub-technique: T1499.004 Application or System Exploitation
- Canonical reference: https://attack.mitre.org/techniques/T1499/004/
Elastic Detection Query
sequence by host.name, winlog.event_data.Application with maxspan=30m
  [any where winlog.channel == "Application" and event.code == "1000"
    and (
      winlog.event_data.ExceptionCode in (
        "0xc0000005", "0xc000001d", "0xc00000fd",
        "0xc0000409", "0xc0000374", "0x80000003", "0xc0000096"
      )
      or winlog.event_data.Application like (
        "*w3wp*", "*httpd*", "*apache*", "*sqlservr*", "*named*",
        "*mysqld*", "*postgres*", "*nginx*", "*lsass*", "*spoolsv*",
        "*dns.exe*", "*tomcat*", "*vsftpd*", "*sshd*"
      )
    )]
  [any where winlog.channel == "Application" and event.code == "1000"
    and (
      winlog.event_data.ExceptionCode in (
        "0xc0000005", "0xc000001d", "0xc00000fd",
        "0xc0000409", "0xc0000374", "0x80000003", "0xc0000096"
      )
      or winlog.event_data.Application like (
        "*w3wp*", "*httpd*", "*apache*", "*sqlservr*", "*named*",
        "*mysqld*", "*postgres*", "*nginx*", "*lsass*", "*spoolsv*",
        "*dns.exe*", "*tomcat*", "*vsftpd*", "*sshd*"
      )
    )]

/* Rapid re-exploitation variant: three crashes in 30 minutes.
   Uncomment and deploy as a separate rule at Critical severity:
sequence by host.name, winlog.event_data.Application with maxspan=30m
  [any where winlog.channel == "Application" and event.code == "1000"
    and winlog.event_data.ExceptionCode in ("0xc0000005", "0xc000001d", "0xc00000fd", "0xc0000409", "0xc0000374", "0x80000003", "0xc0000096")]
  [any where winlog.channel == "Application" and event.code == "1000"
    and winlog.event_data.ExceptionCode in ("0xc0000005", "0xc000001d", "0xc00000fd", "0xc0000409", "0xc0000374", "0x80000003", "0xc0000096")]
  [any where winlog.channel == "Application" and event.code == "1000"
    and winlog.event_data.ExceptionCode in ("0xc0000005", "0xc000001d", "0xc00000fd", "0xc0000409", "0xc0000374", "0x80000003", "0xc0000096")]
*/

Detects exploitation-based denial of service by identifying repeated Windows Application Error crashes (Event ID 1000) on the same host and application within a 30-minute window. The EQL sequence correlates two crashes tied to exploit-relevant exception codes (access violation 0xc0000005, illegal instruction 0xc000001d, stack overflow 0xc00000fd, stack buffer overrun 0xc0000409, heap corruption 0xc0000374) or to critical service process names. Because the sequence is keyed on both host.name and winlog.event_data.Application, crashes of different applications on the same host are not chained together. Rapid re-exploitation (three crashes in 30 minutes) should be tracked with the three-event sequence variant provided in the comment above. Requires Windows Application Event Log ingestion via Winlogbeat or Elastic Agent with the Windows integration.
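To check the correlation logic offline before deploying the rule, here is an added Python re-implementation of the per-event filter and the `sequence by ... with maxspan` grouping, run over constructed Event ID 1000 records. It is not part of the original rule or of Elastic's code; the shortened field names, host names and timestamps are assumptions, and it generalises the two- and three-crash variants into one `min_crashes` parameter.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Literal lists copied from the EQL rule above.
EXPLOIT_CODES = {"0xc0000005", "0xc000001d", "0xc00000fd",
                 "0xc0000409", "0xc0000374", "0x80000003", "0xc0000096"}
CRITICAL_APPS = ("w3wp", "httpd", "apache", "sqlservr", "named", "mysqld", "postgres",
                 "nginx", "lsass", "spoolsv", "dns.exe", "tomcat", "vsftpd", "sshd")
MAXSPAN = timedelta(minutes=30)

def is_candidate(ev):
    """Per-event filter of the rule. Case-insensitive here; EQL's plain `in` and
    `like` are case-sensitive, so use `in~`/`like~` if the source's casing varies."""
    if ev["channel"] != "Application" or ev["event_code"] != "1000":
        return False
    app = ev["application"].lower()
    return ev["exception_code"].lower() in EXPLOIT_CODES or any(s in app for s in CRITICAL_APPS)

def find_crash_sequences(events, min_crashes=2, maxspan=MAXSPAN):
    """Approximates `sequence by host.name, Application with maxspan`: per host+app in
    time order, emit (host, app, first_ts, last_ts) for each run of `min_crashes`
    candidate crashes within `maxspan`; a run's events are consumed, as EQL does."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_candidate(ev):
            by_key[(ev["host"], ev["application"])].append(ev["ts"])
    hits = []
    for (host, app), stamps in by_key.items():
        i = 0
        while i + min_crashes <= len(stamps):
            first, last = stamps[i], stamps[i + min_crashes - 1]
            if last - first <= maxspan:
                hits.append((host, app, first, last))
                i += min_crashes   # do not reuse events of a completed sequence
            else:
                i += 1
    return hits

def make_event(host, app, code, ts):  # constructed record; names shortened from winlog.* fields
    return {"host": host, "channel": "Application", "event_code": "1000",
            "application": app, "exception_code": code, "ts": datetime.fromisoformat(ts)}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    make_event("web01", "w3wp.exe", "0xc0000005", "2024-05-01T10:00:00"),
    make_event("web01", "w3wp.exe", "0xc0000005", "2024-05-01T10:07:00"),
    make_event("web01", "w3wp.exe", "0xc0000409", "2024-05-01T10:15:00"),
    make_event("db01", "sqlservr.exe", "0xc0000374", "2024-05-01T11:00:00"),
    make_event("db01", "sqlservr.exe", "0xc0000374", "2024-05-01T11:45:00"),  # 45 min apart: no hit
    make_event("app01", "lob.exe", "0xc0000005", "2024-05-01T12:00:00"),       # unlisted app, listed code
    make_event("app01", "lob.exe", "0xc0000005", "2024-05-01T12:05:00"),
]
```

Running `find_crash_sequences(SAMPLE_EVENTS)` yields hits for web01 and app01, while `min_crashes=3` (the Critical variant) fires only for the three w3wp crashes on web01.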
False Positives & Tuning
- Buggy third-party software with known crash loops (e.g., legacy COM-based IIS extensions) that crash repeatedly during normal operations and are restarted by IIS application pool recycling.
- Automated stress-testing or load-testing frameworks (JMeter, Locust, k6) hammering web servers in pre-production environments, triggering resource exhaustion that manifests as exception 0xc0000005.
- Windows Error Reporting (WER) generating synthetic Event ID 1000 entries for managed .NET application crashes that throw OutOfMemoryException — these produce ExceptionCode 0xc0000374 but are not exploitation attempts.
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Application Crash with Access Violation (Event ID 1000)
Expected signal: Windows Application Event Log: Event ID 1000 with Source='Application Error', FaultingApp containing 'powershell.exe', ExceptionCode '0xc0000005'. Windows Error Reporting Event ID 1001 may also fire. Sysmon Event ID 1 (Process Create) for the spawned child powershell.exe with the Marshal::ReadInt32 command line, followed by Sysmon Event ID 5 (Process Terminate) with non-zero exit code.
- Test 2: Service Crash Loop Simulation (Event ID 7034 / Rapid Restart Pattern)
Expected signal: Windows System Event Log: Event ID 7000 (service failed to start) or 7034 (service terminated unexpectedly) for ArgusTestDoSSvc across three attempts within approximately 10 seconds. Each start attempt will fail and log a separate event. The SCM logs the service name, failure count, and timestamp.
- Test 3: BIND9 DNS Service Crash Simulation via Malformed TKEY Query (CVE-2015-5477 Pattern)
Expected signal: On unpatched BIND9: /var/log/syslog or journalctl -u named will show 'named[PID]: INSIST(...)' assertion failure followed by process termination and systemd restart. On patched systems: query will be rejected (REFUSED or NOTAUTH) with no crash. Sysmon for Linux: process execution of dig with TKEY arguments logged via auditd or eBPF sensor.
- Test 4: Web Server Malformed Request Crash Simulation (Heap Exhaustion / Buffer Overflow Pattern)
Expected signal: Sysmon Event ID 3 (Network Connection): outbound connections from python3 to localhost:80 logged. If web server is vulnerable: Application Event ID 1000 (Windows) or syslog SIGSEGV for the worker process. Web server access/error logs will show malformed requests. The connection-to-crash temporal correlation (within 5 minutes) activates the hunting query joining DeviceNetworkEvents with crash events.
References
- https://attack.mitre.org/techniques/T1499/004/
- https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2015-5477
- https://nvd.nist.gov/vuln/detail/CVE-2015-5374
- https://learn.microsoft.com/en-us/windows/win32/debug/wer-settings
- https://learn.microsoft.com/en-us/windows/win32/debug/minidump-files
- https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1499.004/T1499.004.md