T1499 Google Chronicle · YARA-L

Detect Endpoint Denial of Service in Google Chronicle

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting system resources (CPU, memory, disk, network connections) or by exploiting the system to cause a persistent crash condition. Unlike network-saturating DDoS, Endpoint DoS targets the application stack hosted on the victim system, including the OS, web servers, DNS, databases, and web applications. Attackers may use IP spoofing, botnets, or tools run directly on or against the host such as hping3, stress-ng, Apache Bench, and custom scripts to generate floods. Observed threat actors include Sandworm Team (disrupting Georgian government websites) and ZxShell malware (SYN flood capability). The rules on this page cover the execution of known DoS tools and flood arguments, abnormal outbound connection volume from a single process, and rapid process spawning from a single parent (fork bomb style process exhaustion).

MITRE ATT&CK

Tactic: Impact
Technique: T1499 Endpoint Denial of Service
Canonical reference: https://attack.mitre.org/techniques/T1499/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule endpoint_dos_tool_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects execution of known Endpoint DoS tools or command patterns associated with MITRE ATT&CK T1499"
    severity = "HIGH"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499"
    reference = "https://attack.mitre.org/techniques/T1499/"
    created = "2026-04-19"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      // Launched binary (target.process) or its parent (principal.process). Match on the
      // basename with an optional .exe so that lab.exe or /home/rudy/... do not match
      re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])(hping3?|stress-ng|memtester|ab|siege|wrk2?|loic|hoic|goldeneye|slowloris|torshammer|ncrack|thc-ssl-dos|xerxes|rudy|pyloris|hulk)(\.exe)?$`) or
      re.regex($e.principal.process.file.full_path, `(?i)(^|[\\/])(hping3?|stress-ng|memtester|ab|siege|wrk2?|loic|hoic|goldeneye|slowloris|torshammer|ncrack|thc-ssl-dos|xerxes|rudy|pyloris|hulk)(\.exe)?$`) or
      // Flood or stress arguments on the launched process, including the classic bash fork bomb
      re.regex($e.target.process.command_line, `(?i)(--flood|--syn\s|stress\s--cpu|stress-ng\s--(cpu|vm|sock)|:\(\)\{\s*:\|:|fork bomb|-c\s10000|--concurrency\s5000)`)
    )
  condition:
    $e
}

rule endpoint_dos_network_flood {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects abnormal outbound network connection volume from a single process indicating a potential DoS flood attack — T1499"
    severity = "HIGH"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499"
    reference = "https://attack.mitre.org/techniques/T1499/"
    created = "2026-04-19"
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    not re.regex($e.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)
    $hostname = $e.principal.hostname
    $proc = $e.principal.process.file.full_path
  match:
    $hostname, $proc over 10m
  outcome:
    $connection_count = count_distinct($e.metadata.id)
    $unique_dest_ips = count_distinct($e.target.ip)
    $unique_dest_ports = count_distinct($e.target.port)
    $risk_indicator = array_distinct($e.target.ip)
  condition:
    #e > 500
}

rule endpoint_dos_process_exhaustion {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects rapid process spawning from a single parent indicative of fork bomb or process exhaustion attack — T1499"
    severity = "CRITICAL"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499"
    reference = "https://attack.mitre.org/techniques/T1499/"
    created = "2026-04-19"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $parent_proc = $e.principal.process.file.full_path
    $hostname = $e.principal.hostname
    $child_exe = $e.target.process.file.full_path
  match:
    $hostname, $parent_proc over 5m
  outcome:
    $spawn_count = count_distinct($e.metadata.id)
    $unique_child_exe = count_distinct($child_exe)
  condition:
    #e > 200 and $unique_child_exe < 3
}

Three Chronicle YARA-L 2.0 rules covering Endpoint Denial of Service (T1499): (1) endpoint_dos_tool_execution matches PROCESS_LAUNCH events where the process file path or command line contains known DoS tool names or flood/stress argument patterns using regex; (2) endpoint_dos_network_flood uses a 10-minute match window to count outbound NETWORK_CONNECTION events per host and process, triggering when a single process exceeds 500 external connections; (3) endpoint_dos_process_exhaustion uses a 5-minute match window to detect rapid child process spawning from a single parent exceeding 200 spawns with fewer than 3 distinct executable names, indicating a fork bomb or process exhaustion attack. All rules include MITRE ATT&CK metadata aligned with the Impact tactic.

Data Sources

  • Google Chronicle UDM with EDR telemetry (CrowdStrike, Carbon Black, SentinelOne, or Microsoft Defender)
  • Chronicle Ingestion API or forwarder with endpoint process and network events
  • UDM event types: PROCESS_LAUNCH, NETWORK_CONNECTION

Required Tables

UDM events (process_launch, network_connection)

False Positives & Tuning

  • Authorized penetration testers using hping3 or siege as part of a scoped engagement: process names will match the known tool list without malicious intent. Scope the rule with a reference list of approved engagement hosts or suppress for the engagement window rather than removing the tool names.
  • Network performance monitoring tools or synthetic transaction monitors that generate high outbound connection volumes to external SaaS endpoints for availability checks. Because the flood rule keys on hostname and process path, these agents can be excluded by their binary path.
  • Build servers, CI runners and automation (make or ninja jobs, test harnesses, Ansible or Puppet runs, cron-driven shell scripts) that spawn hundreds of short-lived sh, grep or python children from one parent binary within a few minutes, tripping the spawn-count threshold. Erlang processes and goroutines are not OS processes, and Node.js cluster mode forks only a handful of workers at startup, so high-concurrency application servers are not by themselves a source of PROCESS_LAUNCH noise for this rule.
  • Short tool names in the execution rule (ab, rudy, hulk) collide with unrelated binaries and user paths (lab.exe, /home/rudy/) unless the pattern is anchored on the basename; review any hit on those names against the full command line.
Testing Methodology

Validate this detection with the four Atomic Red Team style test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see, including which of the three rules is expected to fire. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CPU Exhaustion with stress-ng (Linux)

    Expected signal: Sysmon for Linux Event ID 1 (Process Create): Image=/usr/bin/stress-ng, CommandLine contains '--cpu 0 --cpu-load 100'. Linux audit log (execve syscall): stress-ng invocation. endpoint_dos_tool_execution fires on the stress-ng path and on the 'stress-ng --cpu' argument pattern. The 1-minute load average in /proc/loadavg climbs toward the number of CPU cores during the test window, and system CPU utilization in monitoring tools should approach 100%.

  2. Test 2: HTTP Flood Simulation with Apache Bench (Windows/Linux)

    Expected signal: Sysmon Event ID 1: Image=ab.exe, CommandLine contains '-n 50000 -c 500'. On Linux the binary is /usr/bin/ab; confirm that the tool-execution rule's path pattern matches that basename as well as ab.exe, because '-c 500' does not match the rule's argument patterns. Sysmon Event ID 3: rapid outbound connections to 127.0.0.1:80. Note that endpoint_dos_network_flood excludes loopback and RFC 1918 destinations, so a loopback target exercises only the tool-execution rule; to exercise the flood rule, point ab at a lab target on a non-private address (or temporarily relax the exclusion) and expect the connections to aggregate in the 10-minute match window for that host and process path. Windows Firewall log entries for loopback connections may appear if firewall logging is enabled.

  3. Test 3: SYN Flood Simulation with hping3 (Linux, requires root)

    Expected signal: Sysmon for Linux Event ID 1: Image=/usr/sbin/hping3, CommandLine contains '--syn --rand-source --flood'. Linux audit log: execve syscall for hping3 with full arguments. endpoint_dos_tool_execution fires on both the hping3 path and the '--flood' and '--syn' argument patterns. Because hping3 crafts packets on a raw socket rather than calling connect(), EDR and Sysmon network-connection telemetry will typically not record the flood, so endpoint_dos_network_flood is not expected to fire on this test. On the host, ss -tan or netstat will show a spike of sockets in SYN-RECV on the loopback interface, and /proc/net/tcp will show many half-open entries (state 03).

  4. Test 4: Fork Bomb Execution, Limited Variant (Linux)

    Expected signal: Sysmon for Linux Event ID 1: 50+ Process Create events from the same parent bash PID within seconds, all spawning 'sleep' processes; the parent process command line contains the for loop. endpoint_dos_process_exhaustion groups these by hostname and parent path (/bin/bash, not PID) over 5 minutes and reports $spawn_count together with $unique_child_exe=1 (sleep). The rule fires only when the count exceeds 200, so a 50-iteration variant confirms the telemetry but will not alert; raise the loop count above 200 (or lower the threshold in a test environment) to see the alert, and remember that unrelated bash-spawned processes on the same host during the window also count toward the total.
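The following Python model is an added example, not Chronicle code and not part of this detection package. It reproduces the logic of the three YARA-L rules summarised above (the tool-name and argument patterns, the 10-minute and 5-minute match windows keyed on hostname and process path, the RFC 1918 and loopback exclusion, and the 500 and 200 thresholds) and runs it over constructed UDM-style events shaped like the expected signal of the four tests. The hostnames, paths and the 203.0.113.10 lab address are assumptions, and the tool pattern is anchored on the basename, a tightened variant of the page's list. Running it shows that a loopback target exercises only the tool-execution rule, that hping3 leaves no connection events to count, and that a 50-child fork bomb stays below the 200-launch threshold while a 250-child run crosses it.

```python
"""Model of the three YARA-L rules on this page, run over constructed UDM-style events.

Added example: it mirrors the rule logic (regex match, per-host/per-process match windows,
thresholds) so each test's expected signal can be checked before telemetry reaches Chronicle.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Tool names anchored on the basename with an optional .exe suffix: a tightened variant
# of the page's pattern, so that lab.exe or /home/rudy/... do not match.
TOOL_RE = re.compile(
    r"(?i)(^|[\\/])(hping3?|stress-ng|memtester|ab|siege|wrk2?|loic|hoic|goldeneye"
    r"|slowloris|torshammer|ncrack|thc-ssl-dos|xerxes|rudy|pyloris|hulk)(\.exe)?$"
)
CMD_RE = re.compile(r"(?i)(--flood|--syn\s|stress\s--cpu|stress-ng\s--(cpu|vm|sock)|:\(\)\{\s*:\|:|fork bomb)")
# Destinations the network flood rule ignores (RFC 1918 plus loopback).
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
FLOOD_WINDOW, FLOOD_THRESHOLD = 600, 500                      # match ... over 10m; #e > 500
SPAWN_WINDOW, SPAWN_THRESHOLD, MAX_CHILD_EXES = 300, 200, 3   # over 5m; #e > 200 and < 3 child exes


def launch(ts, host, parent, target, cmdline=""):
    """Constructed PROCESS_LAUNCH: principal.process is the parent, target.process the new process."""
    return {"type": "PROCESS_LAUNCH", "ts": ts, "host": host, "principal_path": parent,
            "target_path": target, "cmdline": cmdline}


def conn(ts, host, proc, ip, port):
    """Constructed outbound NETWORK_CONNECTION made by process `proc`."""
    return {"type": "NETWORK_CONNECTION", "ts": ts, "host": host, "principal_path": proc,
            "target_ip": ip, "target_port": port, "direction": "OUTBOUND"}


def is_private(ip):
    return any(ip_address(ip) in net for net in PRIVATE_NETS)


def windows(events, key_fn, window):
    """Group by key; per key return the largest run of events inside any `window`-second span
    (an approximation of a YARA-L match window)."""
    groups = defaultdict(list)
    for e in events:
        groups[key_fn(e)].append(e)
    best = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] >= window:
                lo += 1
            if key not in best or hi - lo + 1 > len(best[key]):
                best[key] = evs[lo:hi + 1]
    return best


def tool_execution_hits(events):
    """endpoint_dos_tool_execution: launched binary, its command line, or the parent binary matches."""
    return [e for e in events if e["type"] == "PROCESS_LAUNCH" and (
        TOOL_RE.search(e["target_path"]) or CMD_RE.search(e["cmdline"]) or TOOL_RE.search(e["principal_path"]))]


def network_flood_hits(events):
    """endpoint_dos_network_flood: > 500 non-private outbound connections per (host, process) in 10 minutes."""
    cand = [e for e in events if e["type"] == "NETWORK_CONNECTION"
            and e["direction"] == "OUTBOUND" and not is_private(e["target_ip"])]
    hits = {}
    for key, evs in windows(cand, lambda e: (e["host"], e["principal_path"]), FLOOD_WINDOW).items():
        if len(evs) > FLOOD_THRESHOLD:
            hits[key] = {"connection_count": len(evs),
                         "unique_dest_ips": len({e["target_ip"] for e in evs}),
                         "unique_dest_ports": len({e["target_port"] for e in evs})}
    return hits


def process_exhaustion_hits(events):
    """endpoint_dos_process_exhaustion: > 200 launches per (host, parent path) in 5 minutes, < 3 distinct children."""
    cand = [e for e in events if e["type"] == "PROCESS_LAUNCH"]
    hits = {}
    for key, evs in windows(cand, lambda e: (e["host"], e["principal_path"]), SPAWN_WINDOW).items():
        uniq = len({e["target_path"] for e in evs})
        if len(evs) > SPAWN_THRESHOLD and uniq < MAX_CHILD_EXES:
            hits[key] = {"spawn_count": len(evs), "unique_child_exe": uniq}
    return hits


def build_sample_events():
    """Constructed telemetry for the four tests (hostnames, paths and the lab address are assumptions)."""
    ev = [launch(0, "lin01", "/bin/bash", "/usr/bin/stress-ng", "stress-ng --cpu 0 --cpu-load 100 --timeout 60")]
    # Test 2 as written: ab.exe against loopback. These connections never reach the flood rule.
    ev.append(launch(10, "win01", "C:\\Windows\\System32\\cmd.exe", "C:\\Tools\\ab.exe", "ab.exe -n 50000 -c 500 http://127.0.0.1/"))
    ev += [conn(10 + i * 0.5, "win01", "C:\\Tools\\ab.exe", "127.0.0.1", 80) for i in range(600)]
    # The same run against a lab target on a non-private address is what the flood rule sees.
    ev += [conn(10 + i * 0.5, "win02", "C:\\Tools\\ab.exe", "203.0.113.10", 80) for i in range(600)]
    # Test 3: hping3 crafts raw packets, so only the launch is visible to EDR.
    ev.append(launch(20, "lin01", "/bin/bash", "/usr/sbin/hping3", "hping3 --syn --rand-source --flood -p 80 127.0.0.1"))
    # Test 4: a 50-child run (below threshold) and a 250-child run (above it).
    ev += [launch(30 + i * 0.01, "lin02", "/bin/bash", "/bin/sleep", "sleep 30") for i in range(50)]
    ev += [launch(100 + i * 0.01, "lin03", "/bin/bash", "/bin/sleep", "sleep 30") for i in range(250)]
    # Benign launches that a bare substring pattern (ab\.exe, rudy) would have flagged.
    ev.append(launch(40, "win01", "C:\\Windows\\explorer.exe", "C:\\Program Files\\Lab\\lab.exe"))
    ev.append(launch(41, "lin01", "/bin/bash", "/home/rudy/bin/backup.sh", "backup.sh --full"))
    return ev


if __name__ == "__main__":
    events = build_sample_events()
    print("tool execution:", [e["target_path"] for e in tool_execution_hits(events)])
    print("network flood:", network_flood_hits(events))
    print("process exhaustion:", process_exhaustion_hits(events))
```

The window function keeps, per host and process key, the densest run of events within the window length, which is close enough to a Chronicle match window to validate thresholds; in production the count is `#e` over the rule's `match` clause and Chronicle decides the window boundaries.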
