MITRE ATT&CK® Detection Strategy

DET0304: Detection Strategy for Endpoint DoS via Application or System Exploitation


Domain: Enterprise | ID: DET0304 | Type: Detection Strategy | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0304 is a MITRE detection strategy tied to ATT&CK technique T1499.004, Application or System Exploitation: denial of service caused by exploiting software vulnerabilities that crash applications or systems. The business issue is availability, not just intrusion detection. If critical services on Windows, Linux, macOS, or IaaS can be repeatedly crashed, automatic restart alone may not preserve continuity because the same weakness may be re-exploited.

Executive priority

Treat this as an operational resilience and vulnerability-prioritization question: which business-critical applications could be taken offline by a known or zero-day crash condition, and can the organization prove it would notice repeated crashes quickly? Leaders should ask whether SOC monitoring, incident response playbooks, patch/vulnerability management, and service availability reporting are connected well enough to distinguish routine instability from potential adversary-driven DoS behavior.

Technical view

Because the official DET0304 object has no supplied detection text or platform list, defenders should anchor validation to the related technique T1499.004 under the impact tactic, with related platforms Windows, Linux, macOS, and IaaS. SOC and IR teams should test whether they can correlate application/system crashes, service restarts, host health degradation, and vulnerability exposure for critical services. Repeated crashes following similar inputs, requests, or exposure windows should be investigated differently from isolated software faults.

Likely telemetry

  • Application crash reports and core dumps where available
  • Operating system event logs for process termination, kernel or service failures, and unexpected reboots
  • Service manager or supervisor logs showing automatic restarts and restart loops
  • EDR or endpoint telemetry for abnormal process exits and parent/child process context
  • Application access/error logs for externally reachable or business-critical services

Detection direction

  • Validate that crash and restart events are collected from the related platform scope: Windows, Linux, macOS, and IaaS where present in the environment.
  • Correlate repeated application or system crashes with exposure, recent vulnerability findings, application error logs, and availability alerts rather than treating each crash as an isolated reliability issue.
  • Tune for false positives from software defects, resource exhaustion, maintenance activity, failed deployments, and legitimate load spikes.
  • Identify blind spots where availability monitoring exists but is not connected to SOC triage, or where endpoint logs are retained without application-layer context.
  • Escalate patterns suggesting persistent re-exploitation, especially when automatic restarts restore the service briefly before another crash.
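The crash-and-restart correlation described in the "Likely telemetry" and "Detection direction" lists above, as an added example that is not part of the Glexia page or of MITRE's DET0304 object. It assumes a hypothetical collector has already normalised systemd journal entries and Windows Application Error (Event ID 1000) records into one line format; the sample lines, host names and maintenance window are constructed. The logic flags a service only when several crashes inside a short window were each followed by a restart (service briefly restored, then down again), which is the restart-loop pattern the last bullet says to escalate, and it drops crashes that fall inside a declared maintenance window to address the false-positive tuning bullet.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not from the page): crash and restart events from
# several hosts, normalised to one line format by a hypothetical collector that
# reads systemd journal entries and Windows Event ID 1000 records. UTC timestamps.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z host=app02 proc=worker kind=crash detail="unhandled exception"
2024-05-01T09:00:03Z host=app02 proc=worker kind=restart detail="supervisor restarted worker"
2024-05-01T10:00:02Z host=web01 proc=httpd kind=crash detail="signal 11 (SIGSEGV)"
2024-05-01T10:00:05Z host=web01 proc=httpd kind=restart detail="systemd: Scheduled restart job"
2024-05-01T10:03:10Z host=web01 proc=httpd kind=crash detail="signal 11 (SIGSEGV)"
2024-05-01T10:03:13Z host=web01 proc=httpd kind=restart detail="systemd: Scheduled restart job"
2024-05-01T10:06:40Z host=web01 proc=httpd kind=crash detail="signal 11 (SIGSEGV)"
2024-05-01T10:06:44Z host=web01 proc=httpd kind=restart detail="systemd: Scheduled restart job"
2024-05-01T10:20:00Z host=db01 proc=postgres kind=crash detail="Event ID 1000 faulting module ntdll.dll"
2024-05-01T10:20:30Z host=db01 proc=postgres kind=restart detail="Service Control Manager restarted service"
2024-05-01T11:30:00Z host=app02 proc=worker kind=crash detail="unhandled exception"
2024-05-01T11:30:02Z host=app02 proc=worker kind=restart detail="supervisor restarted worker"
2024-05-01T12:00:00Z host=app03 proc=agent kind=crash detail="killed during upgrade"
2024-05-01T12:00:20Z host=app03 proc=agent kind=restart detail="upgrade step restarted agent"
2024-05-01T12:01:00Z host=app03 proc=agent kind=crash detail="killed during upgrade"
2024-05-01T12:01:20Z host=app03 proc=agent kind=restart detail="upgrade step restarted agent"
2024-05-01T12:02:00Z host=app03 proc=agent kind=crash detail="killed during upgrade"
2024-05-01T12:02:20Z host=app03 proc=agent kind=restart detail="upgrade complete"
2024-05-01T14:00:00Z host=app02 proc=worker kind=crash detail="unhandled exception"
"""

# Constructed: app03 was in a planned upgrade between 11:55 and 12:10 UTC.
SAMPLE_MAINTENANCE = [
    ("app03",
     datetime(2024, 5, 1, 11, 55, tzinfo=timezone.utc),
     datetime(2024, 5, 1, 12, 10, tzinfo=timezone.utc)),
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) '
    r'kind=(?P<kind>\S+) detail="(?P<detail>[^"]*)"$'
)


def parse_events(text):
    """Parse normalised crash/restart lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines the collector did not normalise
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def in_maintenance(host, ts, maintenance_windows):
    """True if (host, ts) falls inside a declared maintenance window."""
    return any(h == host and start <= ts <= end for h, start, end in maintenance_windows)


def find_restart_loops(events, window=timedelta(minutes=10), min_crashes=3, maintenance_windows=()):
    """Return {(host, proc): summary} for services with at least `min_crashes`
    crashes inside `window`, each followed by a restart before the next crash.
    A crash with no restart before the next crash, or an isolated crash, does
    not count; crashes during maintenance are discarded before counting."""
    by_service = defaultdict(list)
    for e in events:
        if e["kind"] == "crash" and in_maintenance(e["host"], e["ts"], maintenance_windows):
            continue
        by_service[(e["host"], e["proc"])].append(e)

    findings = {}
    for key, evs in by_service.items():
        restored = []          # timestamps of crashes that were followed by a restart
        pending = None
        for e in evs:
            if e["kind"] == "crash":
                pending = e["ts"]
            elif e["kind"] == "restart" and pending is not None:
                restored.append(pending)
                pending = None
        start = 0              # sliding window over the crash->restart cycles
        for end in range(len(restored)):
            while restored[end] - restored[start] > window:
                start += 1
            if end - start + 1 >= min_crashes:
                findings[key] = {"crashes_in_window": end - start + 1,
                                 "first": restored[start], "last": restored[end]}
                break
    return findings


if __name__ == "__main__":
    hits = find_restart_loops(parse_events(SAMPLE_LOG), maintenance_windows=SAMPLE_MAINTENANCE)
    for (host, proc), f in hits.items():
        print(f"{host}/{proc}: {f['crashes_in_window']} crash->restart cycles between "
              f"{f['first']:%H:%M:%S} and {f['last']:%H:%M:%S} UTC; escalate for re-exploitation review")
```

On the constructed input only web01/httpd is escalated: db01 has a single fault, app02's crashes are hours apart, and app03's burst is suppressed by its maintenance window (without that window it would also be flagged, which is the tuning the bullets ask for). The window and threshold are deliberately parameters, since the right values depend on the service's normal restart behaviour.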

Mitigation priorities

  • Prioritize remediation of vulnerabilities in business-critical and externally reachable applications and systems.
  • Ensure patch and exposure management can identify assets where a crash vulnerability would create material downtime.
  • Harden service supervision and recovery, but do not rely on automatic restart as the only control for re-exploitable crash conditions.
  • Maintain incident response procedures for availability-impacting events, including evidence preservation from crash artifacts and application logs.
  • Use resilience measures such as redundancy, health checks, and operational failover planning where local architecture and business criticality justify them.

Analyst notes and limits

This take is based on the DET0304 detection strategy object and its relationship to T1499.004. The detection strategy itself does not include an official description, detection logic, tactics, or platforms; the technical scope comes from the related ATT&CK technique description and relationship context.

Local applicability depends on the organization’s actual operating systems, IaaS usage, critical applications, logging depth, and vulnerability management data. No claim is made that this behavior is currently active, attributed to any actor, or covered by existing tools.

Official MITRE ATT&CK definition

Detection Strategy for Endpoint DoS via Application or System Exploitation

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name                                Type           Relationship / procedure
Enterprise  T1499.004  Application or System Exploitation  Sub-technique  This object detects Application or System Exploitation.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 5d0edacd05c23d27...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  5d0edacd05c2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0304 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.