Microsoft Malware Protection Engine Crash
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
Sigma rule (View on GitHub)
1title: Microsoft Malware Protection Engine Crash
2id: 545a5da6-f103-4919-a519-e9aec1026ee4
3related:
4 - id: 6c82cf5c-090d-4d57-9188-533577631108
5 type: similar
6status: test
7description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
8references:
9 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
10 - https://technet.microsoft.com/en-us/library/security/4022344
11author: Florian Roth (Nextron Systems)
12date: 2017-05-09
13modified: 2023-04-14
14tags:
15 - attack.defense-evasion
16 - attack.t1211
17 - attack.t1562.001
18logsource:
19 product: windows
20 service: application
21 # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
22detection:
23 selection:
24 Provider_Name: 'Application Error'
25 EventID: 1000
26 Data|contains|all:
27 - 'MsMpEng.exe'
28 - 'mpengine.dll'
29 condition: selection
30falsepositives:
31 - MsMpEng might crash if the "C:\" partition is full
32level: high
References
-
Microsoft Security Advisory 4022344 Security Update for Microsoft Malware Protection Engine Published: May 8, 2017 | Updated: May 12, 2017 Version: 1.2 Executive Summary Microsoft is releasing this...
Read More
Related rules
- Microsoft Malware Protection Engine Crash - WER
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change