Detect Application or System Exploitation in Microsoft Sentinel
Adversaries may exploit software vulnerabilities to crash applications or systems, denying availability to users. Unlike resource exhaustion or flooding techniques, exploitation-based DoS leverages logic flaws or memory corruption bugs (buffer overflows, use-after-free, integer overflows, protocol violations) to trigger unhandled exceptions, assertion failures, or kernel panics. Critical services including DNS servers (BIND9 CVE-2015-5477), web servers, databases, and ICS/SCADA devices (Siemens SIPROTEC CVE-2015-5374 exploited by Industroyer/CRASHOVERRIDE) are common targets. Auto-restart mechanisms may restore crashed services, enabling adversaries to repeatedly re-exploit for persistent denial of service. Crash-induced conditions may cascade into data destruction, firmware corruption, or full service stop outcomes.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1499 Endpoint Denial of Service
- Sub-technique
- T1499.004 Application or System Exploitation
- Canonical reference
- https://attack.mitre.org/techniques/T1499/004/
KQL Detection Query
let ExploitExceptionCodes = dynamic([
"0xc0000005",
"0xc000001d",
"0xc00000fd",
"0xc0000409",
"0xc0000374",
"0x80000003",
"0xc0000096"
]);
let CriticalServices = dynamic(["w3wp", "inetinfo", "httpd", "apache", "sqlservr", "named", "mysqld", "postgres", "nginx", "vsftpd", "sshd", "lsass", "spoolsv", "dns", "tomcat"]);
let LookbackWindow = 24h;
let CrashWindowBin = 30m;
let MinCrashThreshold = 2;
Event
| where TimeGenerated > ago(LookbackWindow)
| where EventLog == "Application"
| where EventID == 1000
| extend FaultingApp = extract(@"Faulting application name: ([^,\r\n]+)", 1, RenderedDescription)
| extend FaultingModule = extract(@"Faulting module name: ([^,\r\n]+)", 1, RenderedDescription)
| extend ExceptionCode = extract(@"Exception code: (0x[0-9a-fA-F]+)", 1, RenderedDescription)
| extend FaultingAppPath = extract(@"Faulting application path: ([^\r\n]+)", 1, RenderedDescription)
| extend ExceptionIsExploitRelevant = ExceptionCode in (ExploitExceptionCodes)
| extend AppIsCritical = FaultingApp has_any (CriticalServices)
| where ExceptionIsExploitRelevant or AppIsCritical
| summarize
CrashCount = count(),
ExceptionCodes = make_set(ExceptionCode),
FaultingModules = make_set(FaultingModule),
FaultingPaths = make_set(FaultingAppPath),
FirstCrash = min(TimeGenerated),
LastCrash = max(TimeGenerated),
IsCritical = max(toint(AppIsCritical)),
IsExploitException = max(toint(ExceptionIsExploitRelevant))
by Computer, FaultingApp, bin(TimeGenerated, CrashWindowBin)
| where CrashCount >= MinCrashThreshold
| extend CrashIntervalMinutes = datetime_diff('minute', LastCrash, FirstCrash)
| extend RapidReExploitation = CrashCount >= 3 and CrashIntervalMinutes <= 30
| extend AlertSeverity = case(
RapidReExploitation == true and IsExploitException == 1, "Critical",
CrashCount >= 5 or (IsCritical == 1 and IsExploitException == 1), "High",
"Medium"
)
| project FirstCrash, LastCrash, Computer, FaultingApp, CrashCount, CrashIntervalMinutes, ExceptionCodes, FaultingModules, FaultingPaths, RapidReExploitation, IsCritical, IsExploitException, AlertSeverity
| sort by CrashCount descDetects exploitation-induced application crashes by analyzing Windows Application Event Log (Event ID 1000) ingested via Log Analytics agent. Extracts exception codes from RenderedDescription and filters for memory corruption and execution anomaly indicators: 0xc0000005 (ACCESS_VIOLATION), 0xc000001d (ILLEGAL_INSTRUCTION), 0xc00000fd (STACK_OVERFLOW), 0xc0000409 (STACK_BUFFER_OVERRUN / GS cookie violation), 0xc0000374 (HEAP_CORRUPTION), 0x80000003 (BREAKPOINT), 0xc0000096 (PRIVILEGED_INSTRUCTION). Aggregates crashes into 30-minute windows to surface rapid re-exploitation patterns where auto-restart mechanisms allow repeated crashes of the same service. Prioritizes critical internet-facing services (IIS, Apache, SQL Server, BIND named, nginx, PostgreSQL).
Data Sources
Required Tables
False Positives & Tuning
- Buggy in-house or third-party applications with recurring software defects that crash with access violation exceptions unrelated to exploitation
- Memory-constrained or heavily loaded servers where OOM conditions cause access violation exceptions in critical processes
- Legitimate load testing or fuzzing pipelines on non-production systems that intentionally generate crash events as part of resilience testing
- Windows software updates or in-place upgrades that transiently crash services, generating multiple Event ID 1000 entries during the update window
- Antivirus or EDR hooking conflicts that cause access violations in monitored processes during signature updates or engine upgrades
Other platforms for T1499.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Application Crash with Access Violation (Event ID 1000)
Expected signal: Windows Application Event Log: Event ID 1000 with Source='Application Error', FaultingApp containing 'powershell.exe', ExceptionCode '0xc0000005'. Windows Error Reporting Event ID 1001 may also fire. Sysmon Event ID 1 (Process Create) for the spawned child powershell.exe with the Marshal::ReadInt32 command line, followed by Sysmon Event ID 5 (Process Terminate) with non-zero exit code.
- Test 2Service Crash Loop Simulation (Event ID 7034 / Rapid Restart Pattern)
Expected signal: Windows System Event Log: Event ID 7000 (service failed to start) or 7034 (service terminated unexpectedly) for ArgusTestDoSSvc across three attempts within approximately 10 seconds. Each start attempt will fail and log a separate event. The SCM logs the service name, failure count, and timestamp.
- Test 3BIND9 DNS Service Crash Simulation via Malformed TKEY Query (CVE-2015-5477 Pattern)
Expected signal: On unpatched BIND9: /var/log/syslog or journalctl -u named will show 'named[PID]: INSIST(...)' assertion failure followed by process termination and systemd restart. On patched systems: query will be rejected (REFUSED or NOTAUTH) with no crash. Sysmon for Linux: process execution of dig with TKEY arguments logged via auditd or eBPF sensor.
- Test 4Web Server Malformed Request Crash Simulation (Heap Exhaustion / Buffer Overflow Pattern)
Expected signal: Sysmon Event ID 3 (Network Connection): outbound connections from python3 to localhost:80 logged. If web server is vulnerable: Application Event ID 1000 (Windows) or syslog SIGSEGV for the worker process. Web server access/error logs will show malformed requests. The connection-to-crash temporal correlation (within 5 minutes) activates the hunting query joining DeviceNetworkEvents with crash events.
References (9)
- https://attack.mitre.org/techniques/T1499/004/
- https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2015-5477
- https://nvd.nist.gov/vuln/detail/CVE-2015-5374
- https://learn.microsoft.com/en-us/windows/win32/debug/wer-settings
- https://learn.microsoft.com/en-us/windows/win32/debug/minidump-files
- https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1499.004/T1499.004.md
Unlock Pro Content
Get the full detection package for T1499.004 including response playbook, investigation guide, and atomic red team tests.