Detect Application or System Exploitation in Sumo Logic CSE
Adversaries may exploit software vulnerabilities to crash applications or systems, denying availability to users. Unlike resource exhaustion or flooding techniques, exploitation-based DoS leverages logic flaws or memory corruption bugs (buffer overflows, use-after-free, integer overflows, protocol violations) to trigger unhandled exceptions, assertion failures, or kernel panics. Critical services including DNS servers (BIND9 CVE-2015-5477), web servers, databases, and ICS/SCADA devices (Siemens SIPROTEC CVE-2015-5374, exploited by Industroyer/CRASHOVERRIDE) are common targets. Auto-restart mechanisms may restore crashed services, enabling adversaries to repeatedly re-exploit them for persistent denial of service. Crash-induced conditions may cascade into data destruction, firmware corruption, or a full stop of the service.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1499 Endpoint Denial of Service
- Sub-technique: T1499.004 Application or System Exploitation
- Canonical reference: https://attack.mitre.org/techniques/T1499/004/
Sumo Detection Query
_sourceCategory=*windows* ("EventCode=1000" OR "EventCode=7034" OR "EventCode=7031")
| parse "EventCode=*" as EventCode nodrop
| parse "Faulting application name: *, version" as FaultingApp nodrop
| parse "Faulting module name: *, version" as FaultingModule nodrop
| parse "Exception code: *" as ExceptionCode nodrop
| parse "The * service terminated unexpectedly" as ServiceName nodrop
// Sumo search syntax derives fields with "| <expression> as <field>" (there is no eval operator)
| if(EventCode = "1000", "AppCrash",
    if(EventCode = "7034", "ServiceCrashUnexpected",
      if(EventCode = "7031", "ServiceCrashWithRecovery", "Unknown"))) as EventType
// Exception codes typical of memory-corruption faults: access violation, illegal instruction,
// stack overflow, stack buffer overrun (/GS), heap corruption, breakpoint, privileged instruction
| if(ExceptionCode matches /(?i)0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096/, 1, 0) as IsExploitException
| if(FaultingApp matches /(?i).*w3wp.*|.*inetinfo.*|.*httpd.*|.*apache.*|.*sqlservr.*|.*named.*|.*mysqld.*|.*postgres.*|.*nginx.*|.*vsftpd.*|.*sshd.*|.*lsass.*|.*spoolsv.*|.*tomcat.*/, 1, 0) as IsCriticalService
| where IsExploitException = 1 OR IsCriticalService = 1 OR EventType != "AppCrash"
| timeslice 30m
| count as CrashCount,
  values(ExceptionCode) as ExceptionCodes,
  values(FaultingModule) as FaultingModules,
  values(EventType) as EventTypes,
  max(IsExploitException) as HasExploitException,
  max(IsCriticalService) as IsCritical,
  min(_messageTime) as FirstCrash,
  max(_messageTime) as LastCrash
  by _timeslice, _sourceHost, FaultingApp
| where CrashCount >= 2
// _messageTime is epoch milliseconds
| (LastCrash - FirstCrash) / 1000 as CrashIntervalSecs
| if(CrashCount >= 3 AND CrashIntervalSecs <= 1800, "true", "false") as RapidReExploitation
| if(RapidReExploitation = "true" AND HasExploitException = 1, "Critical",
    if(CrashCount >= 5 OR (IsCritical = 1 AND HasExploitException = 1), "High", "Medium")) as AlertSeverity
| fields _timeslice, _sourceHost, FaultingApp, CrashCount, CrashIntervalSecs, ExceptionCodes, FaultingModules, EventTypes, RapidReExploitation, IsCritical, HasExploitException, AlertSeverity
| sort by CrashCount

Detects exploitation-based denial of service in Sumo Logic by parsing Windows Application (Event ID 1000) and System (Event IDs 7031/7034) event logs for repeated crashes of critical service processes, or for processes crashing with exploit-relevant exception codes. Crashes are grouped into 30-minute timeslices per host and faulting application, and threshold logic then classifies severity: three or more crashes within 30 minutes with an exploit-relevant exception code is rated Critical; five or more crashes, or a critical service with such an exception code, is rated High; everything else that passes the two-crash floor is Medium. The _sourceCategory wildcard should be tightened to match the specific Windows log source category configured in your Sumo Logic deployment (e.g., windows/application or prod/windows/events), and the parse anchors assume the event text is collected in the key=value form shown in the first line.
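As an added reference implementation (not part of the original page or any Sumo Logic tooling), the following Python script applies the same parse, filter, 30-minute bucketing and severity logic to a handful of constructed event lines, so the thresholds can be exercised offline before the query is deployed. It goes slightly beyond the query in one respect: service crashes (7031/7034), for which the query leaves FaultingApp empty, are keyed on the parsed service name.

```python
import re
from collections import defaultdict

# Same exception codes, critical process names, 30-minute slice and severity ladder as the query above.
EXPLOIT_CODES = re.compile(r"(?i)^(0xc0000005|0xc000001d|0xc00000fd|0xc0000409|0xc0000374|0x80000003|0xc0000096)$")
CRITICAL_APPS = re.compile(r"w3wp|inetinfo|httpd|apache|sqlservr|named|mysqld|postgres|nginx|vsftpd|sshd|lsass|spoolsv|tomcat")
EVENT_TYPES = {"1000": "AppCrash", "7034": "ServiceCrashUnexpected", "7031": "ServiceCrashWithRecovery"}
WINDOW_MS = 30 * 60 * 1000

# Constructed sample events (epoch ms, host, message text); not real telemetry.
SAMPLE_EVENTS = [
    (1_700_000_000_000, "web01", "EventCode=1000 Faulting application name: w3wp.exe, version 10.0.1 Exception code: 0xc0000005"),
    (1_700_000_300_000, "web01", "EventCode=1000 Faulting application name: w3wp.exe, version 10.0.1 Exception code: 0xc0000005"),
    (1_700_000_600_000, "web01", "EventCode=1000 Faulting application name: w3wp.exe, version 10.0.1 Exception code: 0xc0000409"),
    (1_700_000_100_000, "ws07", "EventCode=1000 Faulting application name: notepad.exe, version 1.0 Exception code: 0xe0434352"),
    (1_700_000_200_000, "db02", "EventCode=7034 The MSSQLSERVER service terminated unexpectedly"),
    (1_700_000_500_000, "db02", "EventCode=7034 The MSSQLSERVER service terminated unexpectedly"),
]

def _grab(pattern, text):  # like `parse ... nodrop`: None when the pattern is absent
    return next(iter(re.findall(pattern, text)), None)

def parse_event(raw):
    code = _grab(r"EventCode=(\d+)", raw)
    # The query leaves FaultingApp empty for 7031/7034; the service name is used as the key here instead.
    app = (_grab(r"Faulting application name: (.*?), version", raw)
           or _grab(r"The (.*?) service terminated unexpectedly", raw))
    return {"type": EVENT_TYPES.get(code, "Unknown"), "app": app, "exc": _grab(r"Exception code: (\S+)", raw)}

def detect(events):
    buckets = defaultdict(list)  # (timeslice, host, app) -> [(ts, exploit, critical)]
    for ts, host, raw in events:
        ev = parse_event(raw)
        exploit = bool(ev["exc"] and EXPLOIT_CODES.match(ev["exc"]))
        critical = bool(ev["app"] and CRITICAL_APPS.search(ev["app"].lower()))
        if exploit or critical or ev["type"] != "AppCrash":  # first where clause
            buckets[(ts // WINDOW_MS * WINDOW_MS, host, ev["app"])].append((ts, exploit, critical))
    alerts = []
    for (_, host, app), rows in buckets.items():
        n = len(rows)
        if n < 2:  # CrashCount >= 2
            continue
        interval = (max(r[0] for r in rows) - min(r[0] for r in rows)) // 1000
        has_exploit, is_crit = any(r[1] for r in rows), any(r[2] for r in rows)
        rapid = n >= 3 and interval <= 1800
        sev = ("Critical" if rapid and has_exploit
               else "High" if n >= 5 or (is_crit and has_exploit) else "Medium")
        alerts.append({"host": host, "app": app, "CrashCount": n, "CrashIntervalSecs": interval,
                       "RapidReExploitation": rapid, "Severity": sev})
    return sorted(alerts, key=lambda a: -a["CrashCount"])  # sort by CrashCount, descending
```

With the sample data, web01's three w3wp.exe access-violation crashes within ten minutes come out as Critical, db02's two service terminations as Medium, and the single notepad.exe crash on ws07 never reaches the aggregation.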
False Positives & Tuning
- CI/CD build agents running integration tests against local service instances (IIS Express, SQL Server LocalDB) where tests deliberately exercise error paths, generating crash events for w3wp.exe or sqlservr.exe within short windows.
- Windows Defender Application Control (WDAC) or AppLocker policy enforcement blocking process injection into lsass.exe, which may generate access violation exception codes (0xc0000005) as injected DLLs fail to initialize.
- Database maintenance windows where MySQL or PostgreSQL instances are recycled in rapid succession for schema migrations, generating multiple Event ID 1000 entries for mysqld.exe or postgres.exe with non-exploit exception codes that still match the critical service filter.
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Application Crash with Access Violation (Event ID 1000)
Expected signal: Windows Application Event Log: Event ID 1000 with Source='Application Error', FaultingApp containing 'powershell.exe', ExceptionCode '0xc0000005'. Windows Error Reporting Event ID 1001 may also fire. Sysmon Event ID 1 (Process Create) for the spawned child powershell.exe with the Marshal::ReadInt32 command line, followed by Sysmon Event ID 5 (Process Terminate) with a non-zero exit code.
- Test 2: Service Crash Loop Simulation (Event ID 7034 / Rapid Restart Pattern)
Expected signal: Windows System Event Log: Event ID 7000 (service failed to start) or 7034 (service terminated unexpectedly) for ArgusTestDoSSvc across three attempts within approximately 10 seconds. Each start attempt will fail and log a separate event. The SCM logs the service name, failure count, and timestamp.
- Test 3: BIND9 DNS Service Crash Simulation via Malformed TKEY Query (CVE-2015-5477 Pattern)
Expected signal: On unpatched BIND9: /var/log/syslog or journalctl -u named will show a 'named[PID]: INSIST(...)' assertion failure followed by process termination and a systemd restart. On patched systems: the query will be rejected (REFUSED or NOTAUTH) with no crash. Sysmon for Linux: process execution of dig with TKEY arguments logged via auditd or an eBPF sensor.
- Test 4: Web Server Malformed Request Crash Simulation (Heap Exhaustion / Buffer Overflow Pattern)
Expected signal: Sysmon Event ID 3 (Network Connection): outbound connections from python3 to localhost:80 logged. If the web server is vulnerable: Application Event ID 1000 (Windows) or a syslog SIGSEGV for the worker process. Web server access/error logs will show the malformed requests. The connection-to-crash temporal correlation (within 5 minutes) activates the hunting query joining DeviceNetworkEvents with crash events.
References
- https://attack.mitre.org/techniques/T1499/004/
- https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html
- https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2015-5477
- https://nvd.nist.gov/vuln/detail/CVE-2015-5374
- https://learn.microsoft.com/en-us/windows/win32/debug/wer-settings
- https://learn.microsoft.com/en-us/windows/win32/debug/minidump-files
- https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1499.004/T1499.004.md