title: Endpoint Denial of Service (T1499)
id: df00tech-t1499
status: experimental
description: "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting system resources (CPU, memory, disk, network connections) or exploiting the system to cause a persistent crash condition. Unlike network-saturating DDoS, Endpoint DoS targets the application stack layers hosted on the victim system — including OS, web servers, DNS, databases, and web applications. Attackers may use IP spoofing, botnets, or direct tools such as hping3, stress-ng, Apache Bench, and custom scripts to generate floods. Observed threat actors include Sandworm Team (disrupting Georgian government websites) and ZxShell malware (SYN flood capability). This detection covers the execution of known DoS tools, abnormal network connection volume from single processes, and resource exhaustion indicators."
references:
  - https://attack.mitre.org/techniques/T1499/
  - https://df00tech.com/detections/T1499
author: df00tech
date: 2026/04/19
tags:
  - attack.t1499
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Performance testing teams running Apache Bench (ab), wrk, or siege against internal load balancers or staging environments during authorized load tests"
  - Site reliability engineers running stress-ng or stress on Linux servers to validate autoscaling or hardware under controlled conditions
  - Security teams using hping3 for legitimate network diagnostic or firewall rule testing in authorized environments
  - "High-throughput legitimate services (CDN proxies, load balancers, streaming servers) that maintain large persistent connection pools"
  - Deployment automation or CI/CD pipeline jobs that spawn many short-lived processes in rapid succession during build or test phases
level: high