title: Application or System Exploitation (T1499.004)
id: df00tech-t1499-004
status: experimental
description: "Adversaries may exploit software vulnerabilities to crash applications or systems, denying availability to users. Unlike resource exhaustion or flooding techniques, exploitation-based DoS leverages logic flaws or memory corruption bugs (buffer overflows, use-after-free, integer overflows, protocol violations) to trigger unhandled exceptions, assertion failures, or kernel panics. Critical services such as DNS servers (BIND9 CVE-2015-5477), web servers, databases, and ICS/SCADA devices (Siemens SIPROTEC CVE-2015-5374, exploited by Industroyer/CRASHOVERRIDE) are common targets. Auto-restart mechanisms may bring a crashed service back, which lets adversaries re-exploit it repeatedly for a persistent denial of service. A crash may also cascade into data destruction, firmware corruption, or a full service stop."
references:
  - https://attack.mitre.org/techniques/T1499/004/
  - https://df00tech.com/detections/T1499.004
author: df00tech
date: 2026/04/19
tags:
  - attack.t1499.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Buggy in-house or third-party applications with recurring software defects that crash with access violation exceptions unrelated to exploitation
  - Memory-constrained or heavily loaded servers where OOM conditions cause access violation exceptions in critical processes
  - Legitimate load testing or fuzzing pipelines on non-production systems that intentionally generate crash events as part of resilience testing
  - Windows software updates or in-place upgrades that transiently crash services, generating multiple Event ID 1000 entries during the update window
  - Antivirus or EDR hooking conflicts that cause access violations in monitored processes during signature updates or engine upgrades
level: high
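The detection block above is a placeholder, but the falsepositives list shows what the rule is meant to catch: repeated Windows Application log Event ID 1000 (Application Error) entries for a critical service process, with an access violation exception, clustered closely enough to suggest crash-and-restart re-exploitation rather than a one-off defect. The following is an added illustration of that logic, not code from the rule file or from df00tech's KQL/SPL query. The sample events are constructed, and the critical-process list, the 0xC0000005 access-violation exception code match, the ten-minute window, the three-crash threshold and the test-host allowlist are all assumptions made for the example.

```python
"""Flag bursts of access-violation crashes in critical service processes.

Added example for the T1499.004 rule; assumptions are marked below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlist of service processes whose crash means loss of availability.
CRITICAL_PROCESSES = {"dns.exe", "sqlservr.exe", "w3wp.exe"}
# STATUS_ACCESS_VIOLATION as logged in the Event ID 1000 exception code field.
ACCESS_VIOLATION = "0xc0000005"
WINDOW = timedelta(minutes=10)   # assumed: crashes must cluster inside this window
THRESHOLD = 3                    # assumed: crashes needed before alerting
# Assumed allowlist for hosts running fuzzing / load tests (a listed false positive).
TEST_HOSTS = {"fuzz-lab-01"}


def ev(time, host, process, exception, event_id=1000):
    """Build one constructed Application-log record in the shape used below."""
    return {"time": time, "host": host, "event_id": event_id,
            "process": process, "exception": exception}


# Constructed sample log: one real burst plus several false-positive shapes.
SAMPLE_EVENTS = [
    # dns.exe on dns-01 crashes three times in under five minutes: alert.
    ev("2026-04-19T10:00:05", "dns-01", "dns.exe", "0xc0000005"),
    ev("2026-04-19T10:02:11", "dns-01", "dns.exe", "0xc0000005"),
    ev("2026-04-19T10:04:40", "dns-01", "dns.exe", "0xc0000005"),
    # w3wp.exe on web-02 crashes three times spread over 30 minutes: outside window.
    ev("2026-04-19T10:30:00", "web-02", "w3wp.exe", "0xc0000005"),
    ev("2026-04-19T10:45:00", "web-02", "w3wp.exe", "0xc0000005"),
    ev("2026-04-19T11:00:00", "web-02", "w3wp.exe", "0xc0000005"),
    # A non-critical process crashing repeatedly: ignored by the watchlist.
    ev("2026-04-19T11:00:00", "app-03", "notepad.exe", "0xc0000005"),
    ev("2026-04-19T11:00:10", "app-03", "notepad.exe", "0xc0000005"),
    ev("2026-04-19T11:00:20", "app-03", "notepad.exe", "0xc0000005"),
    # Same burst on an allowlisted fuzzing host: suppressed.
    ev("2026-04-19T11:30:00", "fuzz-lab-01", "dns.exe", "0xc0000005"),
    ev("2026-04-19T11:30:30", "fuzz-lab-01", "dns.exe", "0xc0000005"),
    ev("2026-04-19T11:31:00", "fuzz-lab-01", "dns.exe", "0xc0000005"),
    # sqlservr.exe crash with a different exception code: not an access violation.
    ev("2026-04-19T12:00:00", "db-01", "sqlservr.exe", "0xc000013a"),
    # Event ID other than 1000 is not an application crash record.
    ev("2026-04-19T12:05:00", "dns-01", "dns.exe", "0xc0000005", event_id=1001),
]


def crash_bursts(events, critical=CRITICAL_PROCESSES, window=WINDOW,
                 threshold=THRESHOLD, test_hosts=TEST_HOSTS):
    """Return [(host, process, first_crash_iso, count)] for each host/process
    whose access-violation crashes first reach `threshold` inside `window`."""
    per_key = defaultdict(list)
    for e in events:
        if e["event_id"] != 1000:
            continue
        proc = e["process"].lower()
        if proc not in critical or e["host"] in test_hosts:
            continue
        if e["exception"].lower() != ACCESS_VIOLATION:
            continue
        per_key[(e["host"], proc)].append(datetime.fromisoformat(e["time"]))

    alerts = []
    for (host, proc), times in per_key.items():
        times.sort()
        start = 0
        # Sliding window over the sorted crash times; alert once per host/process
        # at the moment the threshold is first reached.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((host, proc, times[start].isoformat(), end - start + 1))
                break
    return alerts


if __name__ == "__main__":
    for host, proc, first, count in crash_bursts(SAMPLE_EVENTS):
        print(f"ALERT {host}: {proc} crashed {count}x with access violation from {first}")
```

The window and threshold are what separate re-exploitation of an auto-restarting service from the buggy-application and OOM cases in the falsepositives list; the update-window and AV/EDR-upgrade cases are better handled by a maintenance-window suppression upstream of this check than by loosening the threshold.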
