T1499.004 IBM QRadar · QRadar

Detect Application or System Exploitation in IBM QRadar

Adversaries may exploit software vulnerabilities to crash applications or systems, denying availability to users. Unlike resource exhaustion or flooding techniques, exploitation-based DoS leverages logic flaws or memory corruption bugs (buffer overflows, use-after-free, integer overflows, protocol violations) to trigger unhandled exceptions, assertion failures, or kernel panics. Critical services including DNS servers (BIND9 CVE-2015-5477), web servers, databases, and ICS/SCADA devices (Siemens SIPROTEC CVE-2015-5374 exploited by Industroyer/CRASHOVERRIDE) are common targets. Auto-restart mechanisms may restore crashed services, enabling adversaries to repeatedly re-exploit for persistent denial of service. Crash-induced conditions may cascade into data destruction, firmware corruption, or full service stop outcomes.

MITRE ATT&CK

Tactic
Impact
Technique
T1499 Endpoint Denial of Service
Sub-technique
T1499.004 Application or System Exploitation
Canonical reference
https://attack.mitre.org/techniques/T1499/004/

QRadar Detection Query

IBM QRadar (AQL)

```sql
SELECT
  LOGSOURCENAME(logsourceid) AS "Log Source",
  devicehostname AS "Host",
  CATEGORYNAME(category) AS "Category",
  COUNT(*) AS "CrashCount",
  MIN(starttime) AS "FirstCrash",
  MAX(starttime) AS "LastCrash",
  /* starttime is epoch milliseconds, so the interval is in ms, not seconds */
  MAX(starttime) - MIN(starttime) AS "CrashIntervalMs",
  CASE
    WHEN COUNT(*) >= 3 AND (MAX(starttime) - MIN(starttime)) <= 1800000  /* 30 minutes in ms */
         AND UTF8(payload) MATCHES '(?i).*(0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096).*'
      THEN 'Critical'
    WHEN COUNT(*) >= 5
         OR (
           UTF8(payload) MATCHES '(?i).*(w3wp|inetinfo|httpd|apache|sqlservr|named|mysqld|postgres|nginx|lsass|spoolsv|tomcat).*'
           AND UTF8(payload) MATCHES '(?i).*(0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096).*'
         )
      THEN 'High'
    ELSE 'Medium'
  END AS "AlertSeverity"
FROM events
WHERE
  /* devicetype is the numeric log source type; 12 = Microsoft Windows Security Event Log.
     Adjust to the ID your deployment assigns to the Windows Application log source. */
  devicetype = 12
  /* EventID is a custom event property extracted from the Windows event payload */
  AND eventid = 1000
  AND (
    /* AQL regex operator MATCHES is a full-string match, hence the surrounding .* */
    UTF8(payload) MATCHES '(?i).*(0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096).*'
    OR UTF8(payload) MATCHES '(?i).*Faulting application name: [^,]*(w3wp|inetinfo|httpd|apache|sqlservr|named|mysqld|postgres|nginx|vsftpd|sshd|lsass|spoolsv|dns\.exe|tomcat)[^,]*,.*'
  )
GROUP BY
  devicehostname,
  /* 30-minute tumbling bucket derived from the millisecond timestamp */
  FLOOR(LONG(starttime) / (30 * 60 * 1000))
HAVING COUNT(*) >= 2
ORDER BY "CrashCount" DESC
/* the time-range clause is a separate AQL clause, not a WHERE predicate */
LAST 24 HOURS
```

Severity: High. Confidence: Medium.

Detects exploitation-based denial of service in IBM QRadar by querying Windows Application Event Log entries (Event ID 1000) for crash records whose payload carries an exploit-relevant exception code (access violation, illegal instruction, stack overflow, stack-buffer-overrun fail-fast, heap corruption, breakpoint, privileged instruction) or names a critical service process. Events are grouped into 30-minute tumbling buckets per host, and the query computes the crash count, the span between first and last crash, and a severity tier: three or more crashes with an exception-code match inside one bucket is Critical, five or more crashes, or a service process paired with an exception code, is High, and anything else that reaches the two-crash threshold is Medium. Log source type ID 12 is the Microsoft Windows Security Event Log type; adjust it to the numeric ID your QRadar deployment assigns to Windows Application logs. Requires Windows event forwarding to QRadar via WinCollect or a syslog-based forwarder. Custom event properties extracting FaultingApp and ExceptionCode as indexed fields will make the payload regexes cheaper and the query faster.
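To show the bucketing and severity logic outside QRadar, here is an added Python model of the query above (example code, not part of the original rule or the QRadar product): it applies the same WHERE filter, 30-minute tumbling buckets, HAVING threshold and CASE tiers to a few constructed Event ID 1000 payloads. Host names, timestamps and payload strings are invented sample data; the "any row in the group" reading of the per-group payload test is an assumption about how the CASE expression behaves.

```python
import re
from collections import defaultdict

# Patterns copied from the QRadar query (exception codes, service names, faulting-app form).
EXC_RE = re.compile(r"0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096", re.I)
SVC_RE = re.compile(r"w3wp|inetinfo|httpd|apache|sqlservr|named|mysqld|postgres|nginx|lsass|spoolsv|tomcat", re.I)
FAULT_RE = re.compile(r"Faulting application name: [^,]*(w3wp|inetinfo|httpd|apache|sqlservr|named|mysqld|postgres|nginx|vsftpd|sshd|lsass|spoolsv|dns\.exe|tomcat)[^,]*,", re.I)
BUCKET_MS = 30 * 60 * 1000  # 30-minute tumbling window, as in the GROUP BY

def severity(payloads, interval_ms):
    """Mirror the CASE expression; 'any row in the group' stands in for AQL's group payload (assumption)."""
    n = len(payloads)
    has_exc = any(EXC_RE.search(p) for p in payloads)
    svc_exc = any(SVC_RE.search(p) and EXC_RE.search(p) for p in payloads)
    if n >= 3 and interval_ms <= BUCKET_MS and has_exc:
        return "Critical"
    if n >= 5 or svc_exc:
        return "High"
    return "Medium"

def detect(events):
    """events: (host, starttime_ms, payload) rows for Windows Event ID 1000.
    Returns {(host, bucket): (count, interval_ms, severity)} for buckets with >= 2 crashes."""
    groups = defaultdict(list)
    for host, ts, payload in events:
        if EXC_RE.search(payload) or FAULT_RE.search(payload):   # WHERE clause
            groups[(host, ts // BUCKET_MS)].append((ts, payload))
    alerts = {}
    for key, rows in groups.items():
        if len(rows) < 2:                                          # HAVING COUNT(*) >= 2
            continue
        times = [t for t, _ in rows]
        interval = max(times) - min(times)                         # CrashIntervalMs
        alerts[key] = (len(rows), interval, severity([p for _, p in rows], interval))
    return alerts

# Constructed sample events (not real telemetry); timestamps are epoch milliseconds.
T0 = 1_700_000_000_000
SAMPLE = [
    ("web01", T0,           "Faulting application name: w3wp.exe, version: 10.0.19041.1, Exception code: 0xc0000005"),
    ("web01", T0 + 240_000, "Faulting application name: w3wp.exe, version: 10.0.19041.1, Exception code: 0xc0000005"),
    ("web01", T0 + 600_000, "Faulting application name: w3wp.exe, version: 10.0.19041.1, Exception code: 0xc0000005"),
    ("db01",  T0,           "Faulting application name: sqlservr.exe, version: 15.0.4000.0, Exception code: 0xc0000374"),
    ("ws07",  T0,           "Faulting application name: powershell.exe, version: 10.0.19041.1, Exception code: 0xc0000005"),
    ("ws07",  T0 + 900_000, "Faulting application name: powershell.exe, version: 10.0.19041.1, Exception code: 0xc0000005"),
    ("ws07",  T0 + 100_000, "Faulting application name: notepad.exe, version: 10.0.19041.1, Exception code: 0x00000000"),
]

if __name__ == "__main__":
    for (host, _bucket), (count, interval, sev) in detect(SAMPLE).items():
        print(f"{host}: {count} crashes within {interval // 1000}s -> {sev}")
```

The single sqlservr crash on db01 is dropped by the HAVING threshold, the three w3wp crashes on web01 reach Critical, and the two powershell crashes on ws07 stay at Medium because powershell is not in the service list.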

Data Sources

  • Windows Application Event Log (Event ID 1000) via WinCollect or Windows Event Forwarding to QRadar
  • IBM QRadar events table, log source type ID 12 (Microsoft Windows Security Event Log)
  • QRadar custom event properties for ExceptionCode and FaultingApp extraction

Required Tables

events

False Positives & Tuning

  • Application deployment pipelines (Octopus Deploy, Ansible) that stop and restart IIS application pools in rapid succession during deployments, generating multiple Event ID 1000 entries from w3wp.exe crashes during teardown.
  • Antivirus or EDR agents injecting into critical service processes (lsass, spoolsv) and triggering access violation exceptions during signature updates or behavioral scanning operations.
  • SQL Server AlwaysOn failover operations generating multiple sqlservr.exe Event ID 1000 entries as the secondary replica takes over and the primary instance terminates abnormally.

Testing Methodology

Validate this detection against the four adversary techniques below, modelled on Atomic Red Team tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate Application Crash with Access Violation (Event ID 1000)

    Expected signal: Windows Application Event Log: Event ID 1000 with Source='Application Error', FaultingApp containing 'powershell.exe', ExceptionCode '0xc0000005'. Windows Error Reporting Event ID 1001 may also fire. Sysmon Event ID 1 (Process Create) for the spawned child powershell.exe with the Marshal::ReadInt32 command line, followed by Sysmon Event ID 5 (Process Terminate) with non-zero exit code.

  2. Test 2: Service Crash Loop Simulation (Event ID 7034 / Rapid Restart Pattern)

    Expected signal: Windows System Event Log: Event ID 7000 (service failed to start) or 7034 (service terminated unexpectedly) for ArgusTestDoSSvc across three attempts within approximately 10 seconds. Each start attempt will fail and log a separate event. The SCM logs the service name, failure count, and timestamp.

  3. Test 3: BIND9 DNS Service Crash Simulation via Malformed TKEY Query (CVE-2015-5477 Pattern)

    Expected signal: On unpatched BIND9: /var/log/syslog or journalctl -u named will show 'named[PID]: INSIST(...)' assertion failure followed by process termination and systemd restart. On patched systems: query will be rejected (REFUSED or NOTAUTH) with no crash. Sysmon for Linux: process execution of dig with TKEY arguments logged via auditd or eBPF sensor.

  4. Test 4: Web Server Malformed Request Crash Simulation (Heap Exhaustion / Buffer Overflow Pattern)

    Expected signal: Sysmon Event ID 3 (Network Connection): outbound connections from python3 to localhost:80 logged. If web server is vulnerable: Application Event ID 1000 (Windows) or syslog SIGSEGV for the worker process. Web server access/error logs will show malformed requests. The connection-to-crash temporal correlation (within 5 minutes) activates the hunting query joining DeviceNetworkEvents with crash events.
