1. Home
  2. Techniques
  3. Enterprise
  4. Endpoint Denial of Service
  5. Application or System Exploitation

Endpoint Denial of Service: Application or System Exploitation

ID Name
T1499.001 OS Exhaustion Flood
T1499.002 Service Exhaustion Flood
T1499.003 Application Exhaustion Flood
T1499.004 Application or System Exploitation

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. [1] Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.

Adversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems, which may also lead to dependent applications and/or systems to be in a DoS condition. Crashed or restarted applications or systems may also have other effects such as Data Destruction, Firmware Corruption, Service Stop etc. which may further cause a DoS condition and deny availability to critical information, applications and/or systems.

ID: T1499.004
Sub-technique of:  T1499
Tactic: Impact
Platforms: IaaS, Linux, Windows, macOS
Impact Type: Availability
Version: 1.3
Created: 20 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0604 Industroyer

Industroyer uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices.[2]

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigations to filter traffic upstream from services.[3] Filter boundary traffic by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0304 Detection Strategy for Endpoint DoS via Application or System Exploitation AN0850

Exploitation of system or application vulnerability (e.g., CVE-based exploit) followed by service crash, restart, or repeated failure within a short time frame, impacting application/system availability.
AN0851

User or remote input triggers application crash or segmentation fault (e.g., SIGSEGV) with service recovery attempts, observed via audit logs and systemd journaling.
AN0852

Application crash or repeated restart cycle triggered by malformed input or exploit file, observed via unified logs and process crash monitoring.
AN0853

Cloud workload exploitation leads to repeated container, service, or VM termination/restart, typically associated with CVE-based crash triggers or fuzzed payloads.

References

  1. Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit in the Wild. Retrieved April 26, 2019.
  2. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  1. Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019.