T1499 Splunk · SPL

Detect Endpoint Denial of Service in Splunk

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting system resources (CPU, memory, disk, network connections) or exploiting the system to cause a persistent crash condition. Unlike network-saturating DDoS, Endpoint DoS targets the application stack layers hosted on the victim system — including OS, web servers, DNS, databases, and web applications. Attackers may use IP spoofing, botnets, or direct tools such as hping3, stress-ng, Apache Bench, and custom scripts to generate floods. Observed threat actors include Sandworm Team (disrupting Georgian government websites) and ZxShell malware (SYN flood capability). This detection covers the execution of known DoS tools, abnormal network connection volume from single processes, and resource exhaustion indicators.

MITRE ATT&CK

Tactic
Impact
Technique
T1499 Endpoint Denial of Service
Canonical reference
https://attack.mitre.org/techniques/T1499/

SPL Detection Query

Splunk (SPL)
spl 
| union
(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (
    Image="*\\hping3.exe" OR Image="*\\hping.exe" OR Image="*\\stress-ng.exe"
    OR Image="*\\ab.exe" OR Image="*\\siege.exe" OR Image="*\\wrk.exe"
    OR Image="*\\loic.exe" OR Image="*\\hoic.exe" OR Image="*\\goldeneye.py"
    OR CommandLine="*--flood*" OR CommandLine="*--syn*"
    OR CommandLine="*stress --cpu*" OR CommandLine="*stress-ng --cpu*"
    OR CommandLine="*stress-ng --vm*" OR CommandLine="*stress-ng --sock*"
    OR CommandLine="*-c 10000*" OR CommandLine="*--concurrency 5000*"
    OR CommandLine="*:(){ :|:*"
  )
  | eval DetectionType="KnownDoSTool"
  | eval RiskIndicator=mvappend(Image, CommandLine)
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, RiskIndicator
)
(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
  | bucket span=10m _time
  | stats
      count as ConnectionCount,
      dc(DestinationIp) as UniqueDestIPs,
      dc(DestinationPort) as UniqueDestPorts,
      values(DestinationPort) as Ports
    by _time, host, User, Image, CommandLine
  | where ConnectionCount > 500
  | eval DetectionType="NetworkFlood"
  | eval RiskIndicator="ConnectionCount=".ConnectionCount." UniqueIPs=".UniqueDestIPs
  | table _time, host, User, Image, CommandLine, ConnectionCount, UniqueDestIPs, UniqueDestPorts, Ports, DetectionType, RiskIndicator
)
(
  index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  | bucket span=5m _time
  | stats
      count as ProcessCount,
      dc(Image) as UniqueExecutables,
      values(Image) as SpawnedImages
    by _time, host, User, ParentImage, ParentCommandLine
  | where ProcessCount > 200 AND UniqueExecutables < 3
  | eval DetectionType="ProcessSpawnExhaustion"
  | eval RiskIndicator="ProcessCount=".ProcessCount." UniqueExe=".UniqueExecutables
  | table _time, host, User, ParentImage, ParentCommandLine, ProcessCount, UniqueExecutables, SpawnedImages, DetectionType, RiskIndicator
)
| sort - _time
high severity medium confidence

Multi-signal Splunk detection for Endpoint DoS using three correlated search branches unioned into a single result set. Branch 1 uses Sysmon Event ID 1 (Process Create) to identify known DoS tool execution by image name and command-line patterns including flood flags, stress tool parameters, and high-concurrency invocations. Branch 2 uses Sysmon Event ID 3 (Network Connection) to bucket external outbound connections in 10-minute windows and flag any process generating more than 500 connections to external IPs. Branch 3 uses Sysmon Event ID 1 to detect fork bomb or process exhaustion: a single parent process spawning more than 200 children using fewer than 3 unique executables within a 5-minute window. The DetectionType field in results identifies which signal fired for analyst triage.

Data Sources

Process: Process CreationNetwork Traffic: Network Connection CreationSysmon Event ID 1Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Performance testing teams running Apache Bench (ab), wrk, or siege against internal load balancers or staging environments during authorized load tests
  • Site reliability engineers running stress-ng or stress on Linux servers to validate autoscaling under controlled conditions
  • Security teams using hping3 for legitimate network diagnostic or firewall rule testing
  • High-throughput legitimate services that maintain large persistent connection pools (CDN proxies, streaming servers)
  • CI/CD pipeline jobs that spawn many short-lived processes in rapid succession during build phases
Download portable Sigma rule (.yml)

Other platforms for T1499

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CPU Exhaustion with stress-ng (Linux)

    Expected signal: Sysmon for Linux Event ID 1 (Process Create): Image=/usr/bin/stress-ng, CommandLine contains '--cpu 0 --cpu-load 100'. Linux audit log (execve syscall): stress-ng invocation. /proc/loadavg will show load equal to number of CPU cores during test window. System CPU utilization in monitoring tools should spike to 100%.

  2. Test 2HTTP Flood Simulation with Apache Bench (Windows/Linux)

    Expected signal: Sysmon Event ID 1: Image=ab.exe, CommandLine contains '-n 50000 -c 500'. Sysmon Event ID 3: Rapid outbound connections to 127.0.0.1:80. NetworkFlood branch will aggregate these into the 10-minute bucket. Windows Firewall log entries for loopback connections may appear if firewall logging is enabled.

  3. Test 3SYN Flood Simulation with hping3 (Linux — requires root)

    Expected signal: Sysmon for Linux Event ID 1: Image=/usr/sbin/hping3, CommandLine contains '--syn --rand-source --flood'. Linux audit log: execve syscall for hping3 with full arguments. Network statistics: netstat or ss will show spike in SYN connections on the loopback interface. /proc/net/tcp will show many half-open connections.

  4. Test 4Fork Bomb Execution — Limited Variant (Linux)

    Expected signal: Sysmon for Linux Event ID 1: 50+ Process Create events from the same parent bash PID within seconds, all spawning 'sleep' processes. ProcessSpawnExhaustion bucket will accumulate ProcessCount=50+ with UniqueExecutables=1 (sleep). Parent process command line contains the for loop.

Last updated: 2026-04-19 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1499 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (4)

Related Techniques

T1499.001OS Exhaustion FloodT1499.002Service Exhaustion FloodT1499.003Application Exhaustion FloodT1499.004Application or System ExploitationT1498Network Denial of ServiceT1489Service StopT1485Data DestructionT1496Resource HijackingT1059Command and Scripting InterpreterT1105Ingress Tool Transfer

Same Tactic: Impact

Popular Detections