Microsoft Malware Protection Engine Crash - WER
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
Sigma rule (View on GitHub)
1title: Microsoft Malware Protection Engine Crash - WER
2id: 6c82cf5c-090d-4d57-9188-533577631108
3status: test
4description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
5references:
6 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
7 - https://technet.microsoft.com/en-us/library/security/4022344
8author: Florian Roth (Nextron Systems)
9date: 2017-05-09
10modified: 2023-04-14
11tags:
12 - attack.defense-evasion
13 - attack.t1211
14 - attack.t1562.001
15logsource:
16 product: windows
17 service: application
18 # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
19detection:
20 selection:
21 Provider_Name: 'Windows Error Reporting'
22 EventID: 1001
23 Data|contains|all:
24 - 'MsMpEng.exe'
25 - 'mpengine.dll'
26 condition: selection
27falsepositives:
28 - MsMpEng might crash if the "C:\" partition is full
29level: high
References
Related rules
- Microsoft Malware Protection Engine Crash
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change