Microsoft Malware Protection Engine Crash - WER

 1title: Microsoft Malware Protection Engine Crash - WER
 2id: 6c82cf5c-090d-4d57-9188-533577631108
 3status: test
 4description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 5references:
 6    - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
 7    - https://technet.microsoft.com/en-us/library/security/4022344
 8author: Florian Roth (Nextron Systems)
 9date: 2017/05/09
10modified: 2023/04/14
11tags:
12    - attack.defense_evasion
13    - attack.t1211
14    - attack.t1562.001
15logsource:
16    product: windows
17    service: application
18    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
19detection:
20    selection:
21        Provider_Name: 'Windows Error Reporting'
22        EventID: 1001
23        Data|contains|all:
24            - 'MsMpEng.exe'
25            - 'mpengine.dll'
26    condition: selection
27falsepositives:
28    - MsMpEng might crash if the "C:\" partition is full
29level: high

References

• 1252 - project-zero - Project Zero - Monorail

  About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

  
  Read More

• Microsoft Security Advisory 4022344

  

  Microsoft Security Advisory 4022344 Security Update for Microsoft Malware Protection Engine Published: May 8, 2017 | Updated: May 12, 2017 Version: 1.2 Executive Summary Microsoft is releasing this...

  
  Read More

Related rules

• Microsoft Malware Protection Engine Crash
• HackTool - Stracciatella Execution
• Bitbucket Audit Log Configuration Updated
• Bitbucket Global SSH Settings Changed
• Bitbucket Global Secret Scanning Rule Deleted