T1499.004 Application or System Exploitation

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.

Adversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems, which may also cause dependent applications and/or systems to enter a DoS condition. Crashed or restarted applications or systems may also have other effects, such as Data Destruction, Firmware Corruption, Service Stop, etc., which may further cause a DoS condition and deny availability to critical information, applications, and/or systems.


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1499.004 | Application or System Exploitation |
Comments: This diagnostic statement may block Denial of Service (DoS) attacks by adversaries that exploit software vulnerabilities that can crash a system or application. Filtering boundary traffic can be used to block source addresses and ports that are being targeted. It also blocks protocols being used for transport.

PR.IR-04.02 | Availability and capacity management | Mitigates | T1499.004 | Application or System Exploitation |
Comments: This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to users by attempting to conduct DoS attacks. Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport.

PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1499.004 | Application or System Exploitation |
Comments: This diagnostic statement protects against Application or System Exploitation through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.

PR.PS-01.08 | End-user device protection | Mitigates | T1499.004 | Application or System Exploitation |
Comments: This diagnostic statement protects against Application or System Exploitation through limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.

NIST 800-53 Mappings

Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

CVE-2015-3043 | Adobe Flash Player Memory Corruption Vulnerability | primary_impact | T1499.004 | Application or System Exploitation |
Comments: This vulnerability is exploited by a maliciously crafted .swf file which can be run on a user system.

CVE-2025-27363 | FreeType Out-of-Bounds Write Vulnerability | secondary_impact | T1499.004 | Application or System Exploitation |
Comments: An out-of-bounds write exists in FreeType that has been exploited through malicious font files, causing the application to crash.

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

action.hacking.variety.DoS | Denial of service | related-to | T1499.004 | Application or System Exploitation |
action.malware.variety.DoS | DoS attack | related-to | T1499.004 | Application or System Exploitation |
attribute.availability.variety.Degradation | Performance degradation | related-to | T1499.004 | Application or System Exploitation |
attribute.availability.variety.Loss | Loss | related-to | T1499.004 | Application or System Exploitation |

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

azure_private_link | Azure Private Link | technique_scores | T1499.004 | Application or System Exploitation |
Comments: This control can protect against endpoint denial of service attacks.

azure_update_manager | Azure Update Manager | technique_scores | T1499.004 | Application or System Exploitation |
Comments: This control provides significant protection against Denial of Service (DoS) attacks that leverage system/application vulnerabilities, as opposed to volumetric attacks, since it enables automated updates of software and rapid configuration change management.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

aws_config | AWS Config | technique_scores | T1499.004 | Application or System Exploitation |
Comments: The "elb-cross-zone-load-balancing-enabled" managed rule can verify that load balancing is properly configured, which can mitigate adversaries' ability to perform Denial of Service (DoS) attacks and impact resource availability. "cloudfront-origin-failover-enabled" can verify that failover policies are in place to increase CloudFront content availability. Coverage factor is minimal for these rules, since they are specific to a subset of the available AWS services, resulting in an overall score of Minimal.