T1499.004 Splunk · SPL

Detect Application or System Exploitation in Splunk

Adversaries may exploit software vulnerabilities to crash applications or systems, denying availability to users. Unlike resource exhaustion or flooding techniques, exploitation-based DoS leverages logic flaws or memory corruption bugs (buffer overflows, use-after-free, integer overflows, protocol violations) to trigger unhandled exceptions, assertion failures, or kernel panics. Critical services including DNS servers (BIND9 CVE-2015-5477), web servers, databases, and ICS/SCADA devices (Siemens SIPROTEC CVE-2015-5374 exploited by Industroyer/CRASHOVERRIDE) are common targets. Auto-restart mechanisms may restore crashed services, enabling adversaries to repeatedly re-exploit for persistent denial of service. Crash-induced conditions may cascade into data destruction, firmware corruption, or full service stop outcomes.

MITRE ATT&CK

Tactic
Impact
Technique
T1499 Endpoint Denial of Service
Sub-technique
T1499.004 Application or System Exploitation
Canonical reference
https://attack.mitre.org/techniques/T1499/004/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog (sourcetype="WinEventLog:Application" EventCode=1000) OR (sourcetype="WinEventLog:System" (EventCode=7034 OR EventCode=7031))
| eval EventType=case(
    sourcetype="WinEventLog:Application" AND EventCode=1000, "AppCrash",
    EventCode=7034, "ServiceCrashUnexpected",
    EventCode=7031, "ServiceCrashWithRecovery",
    true(), "Unknown"
)
| eval ExceptionCode=if(EventType="AppCrash",
    trim(replace(mvindex(split(Message, "Exception code: "), 1), "[\r\n].*", "")),
    null())
| eval FaultingApp=if(EventType="AppCrash",
    trim(replace(mvindex(split(Message, "Faulting application name: "), 1), ",.*", "")),
    null())
| eval FaultingModule=if(EventType="AppCrash",
    trim(replace(mvindex(split(Message, "Faulting module name: "), 1), ",.*", "")),
    null())
| eval ServiceName=if(EventType!="AppCrash",
    trim(replace(mvindex(split(Message, "The "), 1), " service (terminated|failed).*", "")),
    null())
| eval IsExploitException=if(match(ExceptionCode, "0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096"), 1, 0)
| eval IsCriticalService=if(match(lower(FaultingApp), "w3wp|inetinfo|httpd|apache|sqlservr|named|mysqld|postgres|nginx|lsass|spoolsv|dns|tomcat"), 1, 0)
| where IsExploitException=1 OR IsCriticalService=1 OR EventType!="AppCrash"
| bin _time span=30m
| stats
    count as CrashCount,
    values(ExceptionCode) as ExceptionCodes,
    values(FaultingModule) as FaultingModules,
    values(EventType) as EventTypes,
    max(IsExploitException) as HasExploitException,
    max(IsCriticalService) as IsCritical,
    earliest(_time) as FirstCrash,
    latest(_time) as LastCrash
    by host, FaultingApp, _time
| eval CrashIntervalSecs=LastCrash-FirstCrash
| eval RapidReExploitation=if(CrashCount>=3 AND CrashIntervalSecs<=1800, 1, 0)
| eval AlertSeverity=case(
    RapidReExploitation=1 AND HasExploitException=1, "Critical",
    CrashCount>=5 OR (IsCritical=1 AND HasExploitException=1), "High",
    true(), "Medium"
)
| where CrashCount>=2
| table FirstCrash, LastCrash, host, FaultingApp, CrashCount, CrashIntervalSecs, ExceptionCodes, FaultingModules, EventTypes, RapidReExploitation, IsCritical, HasExploitException, AlertSeverity
| sort - CrashCount
high severity medium confidence

Detects exploitation-induced crashes using Windows Application (EventCode=1000) and System (EventCode=7034/7031) event logs forwarded to Splunk via Universal Forwarder. Extracts exception codes and faulting application names from the Message field using split/mvindex parsing. Filters for memory corruption exception codes and known critical service names. Groups events into 30-minute windows to detect rapid re-exploitation patterns. The RapidReExploitation flag (3+ crashes within 30 minutes) combined with exploit-relevant exception codes identifies the highest-severity incidents consistent with automated exploitation tools.

Data Sources

Application: Application CrashWindows Event Log: Application (EventCode 1000)Windows Event Log: System (EventCode 7034, 7031)

Required Sourcetypes

WinEventLog:ApplicationWinEventLog:System

False Positives & Tuning

  • Buggy in-house or third-party applications with recurring software defects crashing with access violation exception codes unrelated to external exploitation
  • Memory-constrained or overloaded servers where OOM conditions cause access violation exceptions in application processes
  • Legitimate load testing or fuzzing infrastructure on test systems using intentional crash generation to validate resilience
  • Service restarts during patching windows generating multiple Event ID 7034/7031 entries in short succession
  • Antivirus or EDR product updates causing transient access violations in hooked processes during engine reload
Download portable Sigma rule (.yml)

Other platforms for T1499.004

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Application Crash with Access Violation (Event ID 1000)

    Expected signal: Windows Application Event Log: Event ID 1000 with Source='Application Error', FaultingApp containing 'powershell.exe', ExceptionCode '0xc0000005'. Windows Error Reporting Event ID 1001 may also fire. Sysmon Event ID 1 (Process Create) for the spawned child powershell.exe with the Marshal::ReadInt32 command line, followed by Sysmon Event ID 5 (Process Terminate) with non-zero exit code.

  2. Test 2Service Crash Loop Simulation (Event ID 7034 / Rapid Restart Pattern)

    Expected signal: Windows System Event Log: Event ID 7000 (service failed to start) or 7034 (service terminated unexpectedly) for ArgusTestDoSSvc across three attempts within approximately 10 seconds. Each start attempt will fail and log a separate event. The SCM logs the service name, failure count, and timestamp.

  3. Test 3BIND9 DNS Service Crash Simulation via Malformed TKEY Query (CVE-2015-5477 Pattern)

    Expected signal: On unpatched BIND9: /var/log/syslog or journalctl -u named will show 'named[PID]: INSIST(...)' assertion failure followed by process termination and systemd restart. On patched systems: query will be rejected (REFUSED or NOTAUTH) with no crash. Sysmon for Linux: process execution of dig with TKEY arguments logged via auditd or eBPF sensor.

  4. Test 4Web Server Malformed Request Crash Simulation (Heap Exhaustion / Buffer Overflow Pattern)

    Expected signal: Sysmon Event ID 3 (Network Connection): outbound connections from python3 to localhost:80 logged. If web server is vulnerable: Application Event ID 1000 (Windows) or syslog SIGSEGV for the worker process. Web server access/error logs will show malformed requests. The connection-to-crash temporal correlation (within 5 minutes) activates the hunting query joining DeviceNetworkEvents with crash events.

Last updated: 2026-04-19 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1499.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1499Endpoint Denial of Service

Related Sub-techniques

T1499.001OS Exhaustion FloodT1499.002Service Exhaustion FloodT1499.003Application Exhaustion Flood

Related Techniques

T1499Endpoint Denial of ServiceT1499.001OS Exhaustion FloodT1499.003Application Exhaustion FloodT1489Service StopT1485Data DestructionT1495Firmware CorruptionT1190Exploit Public-Facing ApplicationT1203Exploitation for Client ExecutionT1068Exploitation for Privilege Escalation

Same Tactic: Impact

Popular Detections