Resource exhaustion or service crashes caused by user- or script-launched processes that rapidly consume CPU/memory or send malformed requests to a service.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Application Log Content (DC0038) | WinEventLog:Application | Service crash, unhandled exception, or application hang warnings for critical services (e.g., IIS, DNS, SQL Server) |
| Host Status (DC0018) | WinEventLog:System | System shutdowns due to bugcheck (Event ID 1001) or watchdog timer expirations |
| Field | Description |
|---|---|
| TimeWindow | Period over which service crashes or high-CPU events are counted against the alert threshold |
| ServiceTarget | Specific service name or executable targeted for DoS (e.g., svchost.exe, w3wp.exe) |
| CPUThresholdPercent | CPU usage percentage considered anomalous when sustained for the whole window |
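
The Windows analytic above combines three things: crash or hang events for a ServiceTarget, a TimeWindow in which they are counted, and a Sysmon process creation that preceded them. The following is an added example, not code from the original page, that implements that correlation in Python over a constructed, already-parsed set of events; the threshold values, the event field names and the Application log event IDs used (1000 for Application Error, 1002 for Application Hang) are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Mutable elements from the analytic above (values are assumed tuning defaults)
TIME_WINDOW = timedelta(minutes=5)
CRASH_THRESHOLD = 3
SERVICE_TARGETS = {"w3wp.exe", "dns.exe", "sqlservr.exe"}

# Constructed events, already parsed into dicts (not real log data).
# Application channel: source "Application Error" is EventCode 1000, "Application Hang" is 1002.
EVENTS = [
    {"time": "2024-05-01T10:00:00", "channel": "Sysmon", "code": 1,
     "image": r"C:\Users\bob\AppData\Local\Temp\flood.exe", "user": r"CORP\bob"},
    {"time": "2024-05-01T10:00:05", "channel": "Application", "code": 1000, "app": "w3wp.exe"},
    {"time": "2024-05-01T10:01:10", "channel": "Application", "code": 1000, "app": "w3wp.exe"},
    {"time": "2024-05-01T10:02:30", "channel": "Application", "code": 1002, "app": "w3wp.exe"},
    {"time": "2024-05-01T10:30:00", "channel": "Application", "code": 1000, "app": "dns.exe"},
    {"time": "2024-05-01T10:31:00", "channel": "Application", "code": 1000, "app": "explorer.exe"},
]


def detect_service_crashes(events, window=TIME_WINDOW, threshold=CRASH_THRESHOLD,
                           targets=SERVICE_TARGETS):
    """Return one alert per burst of crash/hang events against a ServiceTarget.

    Crash timestamps are kept in a per-service deque trimmed to the window, so the
    count is always 'crashes in the last `window`'. Sysmon EventCode=1 events seen
    in the same window are attached as candidate triggering processes."""
    crashes = defaultdict(deque)
    spawns = deque()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        # Drop process creations too old to relate to anything still inside a window
        while spawns and t - spawns[0][0] > 2 * window:
            spawns.popleft()
        if ev["channel"] == "Sysmon" and ev["code"] == 1:
            spawns.append((t, ev["image"], ev["user"]))
            continue
        if ev["channel"] != "Application" or ev["code"] not in (1000, 1002):
            continue
        svc = ev["app"].lower()
        if svc not in targets:
            continue
        q = crashes[svc]
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            suspects = [f"{img} ({user})" for ts, img, user in spawns if t - ts <= window]
            alerts.append({
                "service": svc,
                "count": len(q),
                "first": q[0].isoformat(),
                "last": t.isoformat(),
                "suspect_processes": suspects,
            })
            q.clear()  # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in detect_service_crashes(EVENTS):
        print(alert)
```

On the constructed input the three w3wp.exe events inside five minutes produce one alert naming flood.exe as the suspect process; the single dns.exe crash half an hour later stays below the threshold and explorer.exe is not a ServiceTarget at all.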
A malicious script or binary causes repeated kernel panics, OOM kills, or systemd service restarts affecting daemons such as nginx, httpd, or sshd.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Host Status (DC0018) | linux:syslog | Out-of-memory killer invoked or kernel panic entries |
| Application Log Content (DC0038) | journald:systemd | Repeated service restart attempts or unit failures |
| Field | Description |
|---|---|
| ServiceName | Targeted daemon/service such as sshd, nginx, mysql |
| RestartThreshold | Number of restarts in short succession to trigger alert |
| OOMKillCount | Count of OOM kills over a time window |
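
The Linux analytic above reads two distinct signals out of the same log stream: systemd's own restart counter for a unit and the kernel's OOM-killer lines. The following is an added example, not code from the original page, that parses a constructed syslog excerpt and applies the RestartThreshold and OOMKillCount elements; the threshold values and the watched service list are assumptions. It relies on the counter systemd prints ("restart counter is at N") instead of counting restart lines, so a dropped line cannot under-count.

```python
import re
from collections import Counter, defaultdict

# Mutable elements from the analytic above (threshold values are assumed)
RESTART_THRESHOLD = 3
OOM_KILL_THRESHOLD = 2
WATCHED_SERVICES = {"sshd", "nginx", "mysql", "httpd"}

# systemd logs its own per-unit restart counter; the kernel's OOM line has two
# wordings ("Kill process" on older kernels, "Killed process" on newer ones).
RESTART_RE = re.compile(
    r"systemd\[1\]: (?P<unit>[\w@.-]+)\.service: Scheduled restart job, "
    r"restart counter is at (?P<n>\d+)\.")
OOM_RE = re.compile(r"Out of memory: Kill(?:ed)? process (?P<pid>\d+) \((?P<comm>[^)]+)\)")

# Constructed syslog excerpt (not real data): nginx is being OOM-killed in a loop
LOG = """\
May  1 10:00:01 web01 kernel: Out of memory: Killed process 2231 (nginx) total-vm:812344kB, anon-rss:790112kB, file-rss:0kB, shmem-rss:0kB
May  1 10:00:02 web01 systemd[1]: nginx.service: Main process exited, code=killed, status=9/KILL
May  1 10:00:02 web01 systemd[1]: nginx.service: Failed with result 'signal'.
May  1 10:00:03 web01 systemd[1]: nginx.service: Scheduled restart job, restart counter is at 1.
May  1 10:00:20 web01 kernel: Out of memory: Killed process 2290 (nginx) total-vm:812344kB, anon-rss:790112kB, file-rss:0kB, shmem-rss:0kB
May  1 10:00:21 web01 systemd[1]: nginx.service: Scheduled restart job, restart counter is at 2.
May  1 10:00:40 web01 systemd[1]: nginx.service: Scheduled restart job, restart counter is at 3.
May  1 10:05:00 web01 systemd[1]: cups.service: Scheduled restart job, restart counter is at 1.
May  1 10:06:00 web01 kernel: Out of memory: Kill process 3100 (python3) score 950 or sacrifice child
"""


def analyse(lines, restart_threshold=RESTART_THRESHOLD, oom_threshold=OOM_KILL_THRESHOLD,
            watched=WATCHED_SERVICES):
    """Summarise restart counters and OOM kills per service and return alerts.

    OOM victims are matched on the kernel's comm field, which is truncated to 15
    characters, so a watched name is compared by prefix rather than equality."""
    restart_counter = defaultdict(int)
    oom_kills = Counter()
    for line in lines:
        m = RESTART_RE.search(line)
        if m:
            unit = m.group("unit")
            restart_counter[unit] = max(restart_counter[unit], int(m.group("n")))
            continue
        m = OOM_RE.search(line)
        if m:
            oom_kills[m.group("comm")] += 1
    alerts = []
    for unit, n in restart_counter.items():
        if unit in watched and n >= restart_threshold:
            alerts.append(("restart", unit, n))
    for comm, n in oom_kills.items():
        if any(w.startswith(comm) for w in watched) and n >= oom_threshold:
            alerts.append(("oom", comm, n))
    return {"restart_counter": dict(restart_counter),
            "oom_kills": dict(oom_kills),
            "alerts": alerts}


if __name__ == "__main__":
    print(analyse(LOG.splitlines()))
```

cups reaching a counter of 1 and the single OOM kill of python3 are recorded but raise nothing; nginx trips both thresholds.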
An adversary launches a high-entropy (packed or encrypted) binary or a malformed app bundle, causing repeated application crashes and system slowdowns.
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | Repeated process crashes logged by CrashReporter or system instability logs in com.apple.console |
| Host Status (DC0018) | macos:unifiedlog | Spike in CPU or memory use from non-user-initiated processes |
| Field | Description |
|---|---|
| CrashCountThreshold | Number of app crashes within monitoring window |
| PayloadEntropyThreshold | Shannon entropy above which a binary is treated as packed or encrypted, a trait often observed in DoS malware samples |
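
The PayloadEntropyThreshold element assumes a way to score a binary's entropy. The following is an added example, not code from the original page, that computes Shannon entropy in bits per byte, both over the whole file and per fixed-size chunk, since a packed payload embedded in an otherwise ordinary binary (headers, strings, code) can keep the whole-file value under the threshold. The 7.2 threshold, the chunk size and the constructed samples are assumptions; the random bytes stand in for a compressed or encrypted payload.

```python
import math
import random
from collections import Counter

# Mutable element from the analytic above; 7.2 bits/byte is an assumed tuning value
PAYLOAD_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_chunk_entropy(data: bytes, chunk: int = 1024) -> float:
    """Highest entropy of any fixed-size chunk, so a packed section inside a mostly
    plain binary is not hidden by the low-entropy remainder of the file."""
    return max((shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)),
               default=0.0)


def is_high_entropy(data: bytes, threshold: float = PAYLOAD_ENTROPY_THRESHOLD) -> bool:
    """Flag when either the whole file or its densest chunk crosses the threshold."""
    return max(shannon_entropy(data), max_chunk_entropy(data)) >= threshold


# Constructed samples (not real malware): a plain shell CPU-burner, a stand-in for a
# compressed/encrypted payload, and a plain file with a packed blob in the middle.
PLAIN = b"#!/bin/sh\nwhile true; do :; done\n" * 200
PACKED = random.Random(7).randbytes(4096)
MIXED = PLAIN + PACKED[:2048] + PLAIN


if __name__ == "__main__":
    for name, blob in (("PLAIN", PLAIN), ("PACKED", PACKED), ("MIXED", MIXED)):
        print(f"{name:6} whole={shannon_entropy(blob):.2f} "
              f"chunk={max_chunk_entropy(blob):.2f} flagged={is_high_entropy(blob)}")
```

MIXED is the case worth noting: its whole-file entropy stays well under 7.2 because most of it is repetitive text, yet one 1 KiB chunk of it is almost fully random, and the chunked score catches that.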
An instance enters a degraded or unhealthy state because of abnormal process load or memory exhaustion, often caused by automation or script-based attacks.
| Data Component | Name | Channel |
|---|---|---|
| Host Status (DC0018) | AWS:CloudWatch | StatusCheckFailed, StatusCheckFailed_Instance (the OS-level check, where process-driven exhaustion shows up) or StatusCheckFailed_System; burstable instances (t2/t3) are hit hardest once their CPU credits are spent |
| Instance Start (DC0080) | AWS:CloudTrail | StartInstances |
| Network Traffic Flow (DC0078) | VPCFlowLogs:All | High-volume internal traffic with little variation in source, destination, port or size, indicating a looped or malicious DoS script |
| Field | Description |
|---|---|
| InstanceType | Instance family; burstable (t2/t3) instances are throttled once CPU credits are exhausted, so the same load causes more damage than on compute-optimized instances |
| FailureThreshold | How many consecutive StatusCheckFailed events to consider critical |
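
The FailureThreshold element counts consecutive failed status-check datapoints, and the InstanceType element separates burstable from other families. The following is an added example, not code from the original page, that evaluates datapoints in the shape boto3's get_metric_statistics() returns for a StatusCheckFailed metric; the threshold, the instance-type prefixes and the constructed datapoints are assumptions. The one caveat it encodes is that CloudWatch does not guarantee datapoint order, so the run must be computed after sorting by Timestamp.

```python
from datetime import datetime, timezone

# Mutable elements from the analytic above (assumed values)
FAILURE_THRESHOLD = 3                               # consecutive failed datapoints before "critical"
BURSTABLE_PREFIXES = ("t2.", "t3.", "t3a.", "t4g.")  # families that run on CPU credits


def is_burstable(instance_type: str) -> bool:
    return instance_type.startswith(BURSTABLE_PREFIXES)


def longest_failure_run(datapoints, stat="Maximum"):
    """Longest run of consecutive failed status checks.

    CloudWatch returns datapoints in no particular order, so sort by Timestamp
    before looking for consecutive failures."""
    run = best = 0
    for dp in sorted(datapoints, key=lambda d: d["Timestamp"]):
        run = run + 1 if dp[stat] >= 1 else 0
        best = max(best, run)
    return best


def evaluate(instance_id, instance_type, datapoints, threshold=FAILURE_THRESHOLD):
    run = longest_failure_run(datapoints)
    return {
        "instance": instance_id,
        "instance_type": instance_type,
        "burstable": is_burstable(instance_type),
        "max_consecutive_failures": run,
        "critical": run >= threshold,
    }


def _dp(minute, value):
    # Shape of one element of get_metric_statistics()["Datapoints"] for a 1-minute period
    return {"Timestamp": datetime(2024, 5, 1, 10, minute, tzinfo=timezone.utc),
            "Maximum": float(value), "Unit": "Count"}


# Constructed responses (not real account data), deliberately out of time order
FLAPPING = [_dp(4, 0), _dp(1, 1), _dp(3, 1), _dp(0, 0), _dp(2, 1)]  # fails 10:01-10:03
NOISY = [_dp(2, 1), _dp(0, 1), _dp(4, 1), _dp(1, 0), _dp(3, 0)]     # never two in a row


if __name__ == "__main__":
    print(evaluate("i-0123456789abcdef0", "t3.micro", FLAPPING))
    print(evaluate("i-0fedcba9876543210", "c5.large", NOISY))
```

Counted in the order CloudWatch happened to return FLAPPING, the failures would never look consecutive; sorted, they form a run of three and the t3 instance is marked critical. NOISY has the same number of failures but no run longer than one.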
Container orchestrator logs show crash-looping pods, repeated resource exhaustion, or malicious binaries that spin in infinite loops until they hit their cgroup CPU or memory limits.
| Data Component | Name | Channel |
|---|---|---|
| Host Status (DC0018) | kubernetes:events | CrashLoopBackOff, OOMKilled, or container restart count above threshold |
| Application Log Content (DC0038) | docker:events | Container exited with a non-zero code repeatedly within a short period |
| Field | Description |
|---|---|
| RestartCountThreshold | Number of container restarts within a time window |
| ContainerImageEntropy | Entropy of the container image payload (packed or encrypted contents) as an anomaly factor |
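
The container analytic above draws on two sources: the Kubernetes Pod status (restartCount, a CrashLoopBackOff waiting reason, an OOMKilled last termination) and Docker's own container die events. The following is an added example, not code from the original page, that applies the RestartCountThreshold element to both; the threshold, the window, the trimmed Pod object (the shape `kubectl get pod -o json` returns) and the `docker events --format '{{json .}}'` lines are constructed for the example and are not real cluster data.

```python
import json
from collections import Counter

# Mutable elements from the analytic above (values assumed)
RESTART_COUNT_THRESHOLD = 5
WINDOW_SECONDS = 300

# Constructed Pod status, trimmed to the fields the analytic needs
POD = json.loads("""
{
  "metadata": {"name": "api-7d9f", "namespace": "prod"},
  "status": {
    "phase": "Running",
    "containerStatuses": [
      {"name": "api", "restartCount": 7, "ready": false,
       "state": {"waiting": {"reason": "CrashLoopBackOff",
                              "message": "back-off 5m0s restarting failed container=api pod=api-7d9f_prod"}},
       "lastState": {"terminated": {"reason": "OOMKilled", "exitCode": 137,
                                     "startedAt": "2024-05-01T10:02:00Z", "finishedAt": "2024-05-01T10:02:41Z"}}},
      {"name": "sidecar", "restartCount": 0, "ready": true,
       "state": {"running": {"startedAt": "2024-05-01T09:00:00Z"}},
       "lastState": {}}
    ]
  }
}
""")

# Constructed docker events: five non-zero exits of "api" inside five minutes,
# one clean exit of "api", and one old crash of "db" outside the window
DOCKER_EVENTS = [
    json.dumps({"Type": "container", "Action": "die", "time": t,
                "Actor": {"ID": "c0ffee" * 8, "Attributes": {"name": name, "exitCode": code}}})
    for t, name, code in [
        (1714557600, "api", "137"), (1714557660, "api", "1"), (1714557720, "api", "137"),
        (1714557780, "api", "0"), (1714557840, "api", "137"), (1714557900, "api", "1"),
        (1714554000, "db", "139"),
    ]
]


def assess_pod(pod, threshold=RESTART_COUNT_THRESHOLD):
    """One finding per container: restart count, current waiting reason, and the
    reason/exit code of the last termination (an OOM kill appears as OOMKilled, 137)."""
    findings = []
    for cs in pod["status"].get("containerStatuses", []):
        waiting = cs.get("state", {}).get("waiting", {}).get("reason")
        term = cs.get("lastState", {}).get("terminated", {})
        restarts = cs.get("restartCount", 0)
        findings.append({
            "pod": f"{pod['metadata']['namespace']}/{pod['metadata']['name']}",
            "container": cs["name"],
            "restartCount": restarts,
            "waiting_reason": waiting,
            "last_reason": term.get("reason"),
            "last_exit_code": term.get("exitCode"),
            "alert": (restarts >= threshold or waiting == "CrashLoopBackOff"
                      or term.get("reason") == "OOMKilled"),
        })
    return findings


def count_docker_dies(event_lines, window_seconds=WINDOW_SECONDS, threshold=RESTART_COUNT_THRESHOLD):
    """Count non-zero-exit 'die' events per container name within the window ending at
    the newest event; return the names at or above the threshold with their counts."""
    events = [json.loads(line) for line in event_lines]
    dies = [e for e in events
            if e["Type"] == "container" and e["Action"] == "die"
            and e["Actor"]["Attributes"].get("exitCode", "0") != "0"]
    if not dies:
        return {}
    newest = max(e["time"] for e in dies)
    counts = Counter(e["Actor"]["Attributes"]["name"] for e in dies
                     if newest - e["time"] <= window_seconds)
    return {name: n for name, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in assess_pod(POD):
        print(f)
    print(count_docker_dies(DOCKER_EVENTS))
```

Exit code 0 is excluded on the Docker side because an orderly stop and restart (a rollout, a manual restart) also emits a die event; only non-zero exits count toward the threshold.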