T1499.004: Application or System Exploitation
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. [1] Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.
Adversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems, which may also lead to dependent applications and/or systems to be in a DoS condition. Crashed or restarted applications or systems may also have other effects such as Data Destruction, Firmware Corruption, Service Stop etc. which may further cause a DoS condition and deny availability to critical information, applications and/or systems.
Analyst context for executives and security teams
Application or System Exploitation is an availability-risk behavior: an adversary abuses a software flaw to crash an application, host, or dependent service. For leaders, the key issue is not only whether systems restart, but whether they can be repeatedly crashed into a persistent denial-of-service condition affecting user access, business operations, or critical services.
Executive priority
Treat this as a business continuity and resilience control question for Windows, Linux, macOS, and IaaS-hosted services. Ask which externally reachable or mission-critical applications could be taken offline by a crash condition, whether restart automation would actually restore service, and whether SOC/IR teams can distinguish repeated exploitation-driven crashes from normal instability. The relationship to Endpoint Denial of Service and the listed Industroyer software relationship also make this relevant for organizations with cyber-physical or industrial dependencies, without assuming exposure in any specific environment.
Technical view
This sub-technique sits under Endpoint Denial of Service in the Impact tactic. Because ATT&CK provides no official detection text for this object, defenders should validate coverage around crash, restart, and availability signals rather than rely on a single signature. For Windows, Linux, macOS, and IaaS, confirm that application errors, service termination/restart events, kernel or system crash indicators, network traffic to affected services, and availability monitoring can be correlated. Use the related DET0304 detection-strategy context as a prompt to test endpoint DoS detection logic, and use the M1037 Filter Network Traffic relationship to review whether ingress, egress, and lateral filtering reduces exposure to crash-triggering traffic.
Likely telemetry
- Application crash logs and error reports
- Operating system event logs, syslog, kernel logs, and panic/crash indicators
- Service manager or daemon restart events
- Endpoint monitoring showing process termination, repeated restarts, or host instability
- Network traffic records to public-facing and internal services, including allowed and denied connections
Detection direction
- Validate alerting for repeated crashes or restart loops affecting the same application, service, or host.
- Correlate crash timing with inbound or lateral network activity rather than treating application instability as purely operational noise.
- Tune carefully for false positives from faulty releases, configuration changes, resource exhaustion, or planned maintenance.
- Prioritize monitoring for critical services and dependencies such as websites, email, DNS, and web-based applications as described in the parent Endpoint DoS context.
- Where DET0304 is available to the team, map its logic to local telemetry sources and test whether it detects exploitation-driven endpoint DoS symptoms across supported platforms.
Mitigation priorities
- Start with exposure reduction: apply ingress filtering so only authorized sources can reach public-facing or sensitive services where appropriate, consistent with M1037.
- Review egress and lateral filtering so internal systems cannot freely trigger vulnerable services across the environment.
- For known vulnerable software, prioritize remediation based on business criticality, external exposure, and dependency impact.
- Do not rely solely on automatic service restart; validate whether repeated crashes can create a persistent denial-of-service condition.
- Ensure incident response playbooks include service isolation, traffic filtering changes, dependency triage, and evidence preservation for crash and network data.
Analyst notes and limits
The supplied ATT&CK object is focused on availability loss from exploiting software vulnerabilities. The official detection field is not provided, so this take emphasizes validation of telemetry and control coverage rather than claiming a specific analytic. The Sucuri BIND9 reference supports the general pattern of vulnerability-triggered DoS, and the Industroyer relationship supports relevance to ICS impact scenarios at a high level.
This assessment does not identify specific vulnerabilities, affected products, exploit procedures, or guaranteed detections. Local asset inventory, exposure data, patch state, service criticality, and telemetry availability are required to determine actual risk and coverage.
Application or System Exploitation
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. [1] Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.
Adversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems, which may also lead to dependent applications and/or systems to be in a DoS condition. Crashed or restarted applications or systems may also have other effects such as Data Destruction, Firmware Corruption, Service Stop etc. which may further cause a DoS condition and deny availability to critical information, applications and/or systems.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1499 | Endpoint Denial of Service | This object subtechnique of Endpoint Denial of Service. |
Groups, software, and campaigns
S0604: Industroyer
Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[1] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[2] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[3]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.3 | Current bundle | 98a866ec1cd3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Sucuri BIND9 August 2015
Cid, D.. (2015, August 2). BIND9 – Denial of Service Exploit in the Wild. Retrieved April 26, 2019.
Open source URL -
[2]
mitre-attack T1499.004Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.