Microsoft Malware Protection Engine Crash - WER

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Sigma rule (View on GitHub)

 1title: Microsoft Malware Protection Engine Crash - WER
 2id: 6c82cf5c-090d-4d57-9188-533577631108
 3status: test
 4description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 5references:
 6    - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
 7    - https://technet.microsoft.com/en-us/library/security/4022344
 8author: Florian Roth (Nextron Systems)
 9date: 2017-05-09
10modified: 2023-04-14
11tags:
12    - attack.defense-evasion
13    - attack.t1211
14    - attack.t1562.001
15logsource:
16    product: windows
17    service: application
18    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
19detection:
20    selection:
21        Provider_Name: 'Windows Error Reporting'
22        EventID: 1001
23        Data|contains|all:
24            - 'MsMpEng.exe'
25            - 'mpengine.dll'
26    condition: selection
27falsepositives:
28    - MsMpEng might crash if the "C:\" partition is full
29level: high

References

Related rules

to-top