Microsoft Malware Protection Engine Crash
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
Sigma rule (View on GitHub)
1title: Microsoft Malware Protection Engine Crash
2id: 545a5da6-f103-4919-a519-e9aec1026ee4
3related:
4 - id: 6c82cf5c-090d-4d57-9188-533577631108
5 type: similar
6status: test
7description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
8references:
9 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
10 - https://technet.microsoft.com/en-us/library/security/4022344
11author: Florian Roth (Nextron Systems)
12date: 2017-05-09
13modified: 2023-04-14
14tags:
15 - attack.stealth
16 - attack.defense-impairment
17 - attack.t1211
18 - attack.t1685
19logsource:
20 product: windows
21 service: application
22 # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
23detection:
24 selection:
25 Provider_Name: 'Application Error'
26 EventID: 1000
27 Data|contains|all:
28 - 'MsMpEng.exe'
29 - 'mpengine.dll'
30 condition: selection
31falsepositives:
32 - MsMpEng might crash if the "C:\" partition is full
33level: high
References
-
Security Update for Microsoft Malware Protection Engine Published: May 8, 2017 | Updated: May 12, 2017 Version: 1.2 Executive Summary Microsoft is releasing this security advisory to inform custome...
Read More
Related rules
- Microsoft Malware Protection Engine Crash - WER
- ASLR Disabled Via Sysctl or Direct Syscall - Linux
- Disable of ETW Trace - Powershell
- ETW Trace Evasion Activity
- Filter Driver Unloaded Via Fltmc.EXE