Sysmon Application Crashed
Detects application popup reporting a failure of the Sysmon service
Sigma rule
title: Sysmon Application Crashed
id: 4d7f1827-1637-4def-8d8a-fd254f9454df
status: test
description: Detects application popup reporting a failure of the Sysmon service
references:
  - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36
author: Tim Shelton
date: 2022-04-26
modified: 2024-01-17
tags:
  - attack.defense-evasion
  - attack.t1562
logsource:
  product: windows
  service: system
detection:
  selection:
    Provider_Name: 'Application Popup'
    EventID: 26
    Caption:
      - 'sysmon64.exe - Application Error'
      - 'sysmon.exe - Application Error'
  condition: selection
falsepositives:
  - Unknown
level: high
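As an added example (not part of the Sigma rule or the SigmaHQ project), the selection above evaluated in Python against constructed System-channel records, using Sigma's default case-insensitive string matching; the record field names and sample values are assumptions.

```python
"""Evaluate the 'Sysmon Application Crashed' selection against sample events.
Added example; the event records below are constructed, not real log data."""

# The rule's selection, transcribed from the YAML above. A list of values
# means "any of these" (OR); all fields must match (AND).
SELECTION = {
    "Provider_Name": ["Application Popup"],
    "EventID": [26],
    "Caption": ["sysmon64.exe - Application Error",
                "sysmon.exe - Application Error"],
}


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Return True when every selection field matches the event.
    Strings compare case-insensitively (Sigma's default for plain values);
    non-string fields such as EventID compare by equality."""
    for field, wanted in selection.items():
        value = event.get(field)
        if value is None:
            return False  # field absent: the selection cannot match
        if isinstance(value, str):
            if not any(isinstance(w, str) and value.lower() == w.lower()
                       for w in wanted):
                return False
        elif value not in wanted:
            return False
    return True


# Constructed records shaped like System-channel events held in a SIEM.
SAMPLE_EVENTS = [
    # 1: exact match on the 64-bit binary name -> alert
    {"Channel": "System", "Provider_Name": "Application Popup", "EventID": 26,
     "Caption": "sysmon64.exe - Application Error"},
    # 2: same provider and event, but a different crashing process -> no alert
    {"Channel": "System", "Provider_Name": "Application Popup", "EventID": 26,
     "Caption": "notepad.exe - Application Error"},
    # 3: right caption but wrong provider and EventID -> no alert
    {"Channel": "System", "Provider_Name": "Service Control Manager",
     "EventID": 7034, "Caption": "sysmon64.exe - Application Error"},
    # 4: upper-case caption still matches under case-insensitive comparison
    {"Channel": "System", "Provider_Name": "Application Popup", "EventID": 26,
     "Caption": "SYSMON.EXE - Application Error"},
]


def find_alerts(events):
    """Return the subset of events that would fire this rule."""
    return [e for e in events if matches_selection(e)]
```

Running `find_alerts(SAMPLE_EVENTS)` returns records 1 and 4; record 3 shows why the provider and EventID constraints matter, since a matching caption alone is not enough.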
Related rules
- AWS SecurityHub Findings Evasion
- Azure Kubernetes Events Deleted
- ETW Logging Disabled For SCM
- ETW Logging Disabled For rpcrt4.dll
- ETW Logging Disabled In .NET Processes - Registry