Microsoft Malware Protection Engine Crash - WER

Apr 28, 2026 · attack.stealth attack.defense-impairment attack.t1211 attack.t1685 ·

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Sigma rule (View on GitHub)

 1title: Microsoft Malware Protection Engine Crash - WER
 2id: 6c82cf5c-090d-4d57-9188-533577631108
 3status: test
 4description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 5references:
 6    - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
 7    - https://technet.microsoft.com/en-us/library/security/4022344
 8author: Florian Roth (Nextron Systems)
 9date: 2017-05-09
10modified: 2023-04-14
11tags:
12    - attack.stealth
13    - attack.defense-impairment
14    - attack.t1211
15    - attack.t1685
16logsource:
17    product: windows
18    service: application
19    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
20detection:
21    selection:
22        Provider_Name: 'Windows Error Reporting'
23        EventID: 1001
24        Data|contains|all:
25            - 'MsMpEng.exe'
26            - 'mpengine.dll'
27    condition: selection
28falsepositives:
29    - MsMpEng might crash if the "C:\" partition is full
30level: high

Microsoft Malware Protection Engine Crash - WER

Sigma rule (View on GitHub)

References

https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5

https://technet.microsoft.com/en-us/library/security/4022344

Related rules