Exploitation of system or application vulnerability (e.g., CVE-based exploit) followed by service crash, restart, or repeated failure within a short time frame, impacting application/system availability.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | WinEventLog:Application | EventCode=1000, 1001, 1002 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Service Creation (DC0060) | WinEventLog:System | EventCode=7031, 7034 |

| Field | Description |
|---|---|
| TimeWindow | Time window between repeated service crashes or restarts (e.g., 5 crashes within 1 hour) |
| TargetApplication | Critical applications to monitor based on environment (e.g., web server, database, VPN) |
User or remote input triggers an application crash or segmentation fault (e.g., SIGSEGV) followed by service recovery attempts, observed via audit logs and systemd journaling.

| Data Component | Name | Channel |
|---|---|---|
| Process Termination (DC0033) | auditd:SYSCALL | Process segfault or abnormal termination after invoking vulnerable syscall sequence |
| Application Log Content (DC0038) | journald:Application | Segfault or crash log entry associated with specific application binary |
| Network Traffic Content (DC0085) | NSM:Flow | Unusual request pattern leading up to service crash (e.g., malformed or oversized payload) |

| Field | Description |
|---|---|
| CrashPattern | Specific binary fault signature or stack trace identifiers unique to the application context |
| ExploitSourceIP | Suspect source IPs for correlation across requests and service failure timing |
Application crash or repeated restart cycle triggered by malformed input or an exploit file, observed via unified logs and process crash monitoring.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | Crash log entries for a process receiving malformed input or known exploit patterns |
| Process Creation (DC0032) | macos:unifiedlog | Unusual child process tree indicating attempted recovery after crash |

| Field | Description |
|---|---|
| CrashSignature | Binary crash hash or affected dylib for distinguishing malicious faults from benign ones |
| InputVector | File, IPC, or network-based input that may be triggering exploitation (e.g., PDF file, POST request) |
Cloud workload exploitation leads to repeated container, service, or VM termination/restart, typically associated with CVE-based crash triggers or fuzzed payloads.

| Data Component | Name | Channel |
|---|---|---|
| Instance Stop (DC0089) | AWS:CloudTrail | TerminateInstances |
| Application Log Content (DC0038) | AWS:CloudWatch | Repeated crash pattern within container or instance logs |
| Network Traffic Content (DC0085) | AWS:VPCFlowLogs | Large volume of malformed or synthetic payloads to application endpoints prior to failure |

| Field | Description |
|---|---|
| CrashThreshold | Number of repeated crashes or terminations observed before triggering alert |
| ServiceID | Cloud service name, workload, or container ID to scope alerting |
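The TimeWindow and CrashThreshold fields above describe the same detection core: count crash events per target inside a sliding window and alert when the count reaches a threshold. The following is an added example of that logic (not part of the ATT&CK analytic itself), run over constructed Windows Application/System records using the event codes listed in the first table; the flat record layout and sample values are assumptions of the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event codes the page lists as crash/restart indicators, keyed by channel.
CRASH_CODES = {
    "WinEventLog:Application": {1000, 1001, 1002},  # Application Error / WER / Hang
    "WinEventLog:System": {7031, 7034},  # service terminated unexpectedly
}

# Constructed sample records for this example; the flat dict layout is an
# assumption, not the real Windows event schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:05", "channel": "WinEventLog:Application", "EventCode": 1000, "target": "w3wp.exe"},
    {"ts": "2024-05-01T10:07:40", "channel": "WinEventLog:System", "EventCode": 7034, "target": "W3SVC"},
    {"ts": "2024-05-01T10:15:12", "channel": "WinEventLog:Application", "EventCode": 1000, "target": "w3wp.exe"},
    {"ts": "2024-05-01T10:22:03", "channel": "WinEventLog:Application", "EventCode": 1002, "target": "w3wp.exe"},
    {"ts": "2024-05-01T10:31:50", "channel": "WinEventLog:Application", "EventCode": 1000, "target": "w3wp.exe"},
    {"ts": "2024-05-01T10:44:09", "channel": "WinEventLog:Application", "EventCode": 1001, "target": "w3wp.exe"},
    {"ts": "2024-05-01T10:44:09", "channel": "WinEventLog:Application", "EventCode": 1000, "target": "notepad.exe"},
    {"ts": "2024-05-01T13:00:00", "channel": "WinEventLog:Application", "EventCode": 1000, "target": "w3wp.exe"},
]


def is_crash(event):
    """True when the record carries a crash/restart code for its channel."""
    return event["EventCode"] in CRASH_CODES.get(event["channel"], set())


def detect_crash_bursts(events, threshold=5, window=timedelta(hours=1)):
    """One alert per target whose crash count inside `window` reaches `threshold`.

    Per target, a deque holds crash timestamps; entries older than `window` are
    purged on each new crash, and an alert fires when the count hits exactly
    `threshold`, i.e. when it crosses the line rather than on every event above it.
    """
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted((e for e in events if is_crash(e)), key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["target"]]
        while q and ts - q[0] > window:
            q.popleft()
        q.append(ts)
        if len(q) == threshold:
            alerts.append({"target": ev["target"], "count": len(q),
                           "first_seen": q[0].isoformat(), "last_seen": ts.isoformat()})
    return alerts
```

With the sample data, only w3wp.exe reaches five crashes within an hour; the single notepad.exe crash, the single service-level 7034 event, and the isolated 13:00 crash outside the window do not alert.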