Sysmon Application Crashed

Detects application popup reporting a failure of the Sysmon service

Sigma rule

title: Sysmon Application Crashed
id: 4d7f1827-1637-4def-8d8a-fd254f9454df
status: test
description: Detects application popup reporting a failure of the Sysmon service
references:
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36
author: Tim Shelton
date: 2022/04/26
modified: 2024/01/17
tags:
    - attack.defense_evasion
    - attack.t1562
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Application Popup'
        EventID: 26
        Caption:
            - 'sysmon64.exe - Application Error'
            - 'sysmon.exe - Application Error'
    condition: selection
falsepositives:
    - Unknown
level: high
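To see how the selection above behaves before deploying it, here is an added example (not part of the Sigma project) that applies the rule's detection logic to constructed Windows System log records. It assumes the usual Sigma semantics: fields in a selection are ANDed, a list of values is an OR, and string comparisons are case-insensitive; the sample events and field names are constructed for illustration.

```python
from typing import Any, Dict, List

# The rule's selection block, transcribed from the YAML above.
SELECTION: Dict[str, Any] = {
    "Provider_Name": "Application Popup",
    "EventID": 26,
    "Caption": [
        "sysmon64.exe - Application Error",
        "sysmon.exe - Application Error",
    ],
}


def field_matches(actual: Any, expected: Any) -> bool:
    """Sigma value semantics: a list is an OR of alternatives, a scalar must
    match exactly; plain string values compare case-insensitively."""
    if isinstance(expected, list):
        return any(field_matches(actual, e) for e in expected)
    if actual is None:
        return False  # field absent from the event never matches
    if isinstance(expected, str) and isinstance(actual, str):
        return actual.lower() == expected.lower()
    return actual == expected


def selection_matches(event: Dict[str, Any], selection: Dict[str, Any] = SELECTION) -> bool:
    """Every field listed in a selection map must match (AND)."""
    return all(field_matches(event.get(k), v) for k, v in selection.items())


def alerts(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events that would fire this rule (condition: selection)."""
    return [e for e in events if selection_matches(e)]


# Constructed sample records (not real telemetry) shaped like System log
# events; only the first one should trigger the rule.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"Provider_Name": "Application Popup", "EventID": 26,
     "Caption": "sysmon64.exe - Application Error"},            # hit
    {"Provider_Name": "Application Popup", "EventID": 26,
     "Caption": "notepad.exe - Application Error"},             # other binary
    {"Provider_Name": "Application Popup", "EventID": 56,
     "Caption": "sysmon.exe - Application Error"},              # wrong EventID
    {"Provider_Name": "Microsoft-Windows-Sysmon", "EventID": 26,
     "Caption": "sysmon.exe - Application Error"},              # wrong provider
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Caption"])
```

A benign crash of Sysmon produces the same popup, so treat a hit as a signal to confirm the service was restarted and to check what preceded the failure rather than as proof of tampering.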
