Detect Application or System Exploitation in CrowdStrike LogScale
Adversaries may exploit software vulnerabilities to crash applications or systems, denying availability to users. Unlike resource exhaustion or flooding techniques, exploitation-based DoS leverages logic flaws or memory corruption bugs (buffer overflows, use-after-free, integer overflows, protocol violations) to trigger unhandled exceptions, assertion failures, or kernel panics. Critical services including DNS servers (BIND9 CVE-2015-5477), web servers, databases, and ICS/SCADA devices (Siemens SIPROTEC CVE-2015-5374 exploited by Industroyer/CRASHOVERRIDE) are common targets. Auto-restart mechanisms may restore crashed services, enabling adversaries to repeatedly re-exploit for persistent denial of service. Crash-induced conditions may cascade into data destruction, firmware corruption, or full service stop outcomes.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1499 Endpoint Denial of Service
- Sub-technique
- T1499.004 Application or System Exploitation
- Canonical reference
- https://attack.mitre.org/techniques/T1499/004/
LogScale Detection Query
// CrowdStrike LogScale — T1499.004 Exploitation-based DoS via repeated application crashes
// Requires Windows Event Log forwarding to LogScale (Falcon LogScale Collector or WEC)
#event_simpleName = "WindowsEventLog"
| EventCode = "1000"
| Channel = "Application"
| regex("Faulting application name: (?P<FaultingApp>[^,\r\n]+)", field=Message, strict=false)
| regex("Faulting module name: (?P<FaultingModule>[^,\r\n]+)", field=Message, strict=false)
| regex("Exception code: (?P<ExceptionCode>0x[0-9a-fA-F]+)", field=Message, strict=false)
| regex("Faulting application path: (?P<FaultingPath>[^\r\n]+)", field=Message, strict=false)
| IsExploitException := ExceptionCode = /(?i)(0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096)/
| IsCriticalService := FaultingApp = /(?i)(w3wp|inetinfo|httpd|apache|sqlservr|named|mysqld|postgres|nginx|vsftpd|sshd|lsass|spoolsv|dns\.exe|tomcat)/
| IsExploitException = true OR IsCriticalService = true
| groupBy(
[ComputerName, FaultingApp],
function=[
count(as=CrashCount),
min(@timestamp, as=FirstCrashMs),
max(@timestamp, as=LastCrashMs),
collect([ExceptionCode], limit=20, multival=true, as=ExceptionCodes),
collect([FaultingModule], limit=10, multival=true, as=FaultingModules),
collect([FaultingPath], limit=5, multival=true, as=FaultingPaths),
max(IsExploitException, as=HasExploitException),
max(IsCriticalService, as=IsCritical)
],
limit=200,
timespan=30m
)
| CrashCount >= 2
| CrashIntervalSecs := (LastCrashMs - FirstCrashMs) / 1000
| RapidReExploitation := if(CrashCount >= 3 AND CrashIntervalSecs <= 1800, "true", "false")
| AlertSeverity := if(
RapidReExploitation = "true" AND HasExploitException = true,
"Critical",
if(
CrashCount >= 5 OR (IsCritical = true AND HasExploitException = true),
"High",
"Medium"
)
)
| table(
[FirstCrashMs, LastCrashMs, ComputerName, FaultingApp, CrashCount,
CrashIntervalSecs, ExceptionCodes, FaultingModules, FaultingPaths,
RapidReExploitation, IsCritical, HasExploitException, AlertSeverity],
sortby=CrashCount,
order=desc
)CrowdStrike LogScale (formerly Humio) detection for exploitation-based denial of service by correlating repeated Windows Application Error events (Event ID 1000) forwarded from Windows endpoints. Uses regex extraction to parse faulting application name, module, path, and exception code from the raw event message, then aggregates crashes into 30-minute windows using groupBy with timespan. Applies the same severity logic as the reference KQL/SPL queries: Critical for rapid re-exploitation with exploit exception codes, High for ≥5 crashes or critical service + exploit combination. Requires the CrowdStrike Falcon LogScale Collector or Windows Event Collector forwarding Application Event Logs with #event_simpleName=WindowsEventLog. This tag name may vary by forwarder configuration — validate against your deployment's field taxonomy.
Data Sources
Required Tables
False Positives & Tuning
- IIS worker processes (w3wp.exe) crashing during legitimate high-load web application deployments where application pool recycling is misconfigured — rapid restarts generate multiple Event ID 1000 entries with access violation codes when ASP.NET modules fail to unload cleanly.
- Legacy 32-bit applications running under WOW64 on Windows Server encountering Data Execution Prevention (DEP) violations (0xc0000005) during normal execution of self-modifying code paths such as JIT compilers for older runtimes.
- Database replication or backup agents (SQL Server Agent, mysqldump wrappers) terminating target database processes as part of a quiesce-then-snapshot backup workflow, generating multiple crash events for mysqld.exe or sqlservr.exe within the detection window.
Other platforms for T1499.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Application Crash with Access Violation (Event ID 1000)
Expected signal: Windows Application Event Log: Event ID 1000 with Source='Application Error', FaultingApp containing 'powershell.exe', ExceptionCode '0xc0000005'. Windows Error Reporting Event ID 1001 may also fire. Sysmon Event ID 1 (Process Create) for the spawned child powershell.exe with the Marshal::ReadInt32 command line, followed by Sysmon Event ID 5 (Process Terminate) with non-zero exit code.
- Test 2Service Crash Loop Simulation (Event ID 7034 / Rapid Restart Pattern)
Expected signal: Windows System Event Log: Event ID 7000 (service failed to start) or 7034 (service terminated unexpectedly) for ArgusTestDoSSvc across three attempts within approximately 10 seconds. Each start attempt will fail and log a separate event. The SCM logs the service name, failure count, and timestamp.
- Test 3BIND9 DNS Service Crash Simulation via Malformed TKEY Query (CVE-2015-5477 Pattern)
Expected signal: On unpatched BIND9: /var/log/syslog or journalctl -u named will show 'named[PID]: INSIST(...)' assertion failure followed by process termination and systemd restart. On patched systems: query will be rejected (REFUSED or NOTAUTH) with no crash. Sysmon for Linux: process execution of dig with TKEY arguments logged via auditd or eBPF sensor.
- Test 4Web Server Malformed Request Crash Simulation (Heap Exhaustion / Buffer Overflow Pattern)
Expected signal: Sysmon Event ID 3 (Network Connection): outbound connections from python3 to localhost:80 logged. If web server is vulnerable: Application Event ID 1000 (Windows) or syslog SIGSEGV for the worker process. Web server access/error logs will show malformed requests. The connection-to-crash temporal correlation (within 5 minutes) activates the hunting query joining DeviceNetworkEvents with crash events.
References (9)
- https://attack.mitre.org/techniques/T1499/004/
- https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2015-5477
- https://nvd.nist.gov/vuln/detail/CVE-2015-5374
- https://learn.microsoft.com/en-us/windows/win32/debug/wer-settings
- https://learn.microsoft.com/en-us/windows/win32/debug/minidump-files
- https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1499.004/T1499.004.md
Unlock Pro Content
Get the full detection package for T1499.004 including response playbook, investigation guide, and atomic red team tests.