Sysmon Crash

Detects application popup reporting a failure of the Sysmon service

Sigma rule

title: Sysmon Crash
id: 4d7f1827-1637-4def-8d8a-fd254f9454df
status: experimental
description: Detects application popup reporting a failure of the Sysmon service
author: Tim Shelton
date: 2022/04/26
tags:
    - attack.defense_evasion
    - attack.t1562
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Application Popup'
        EventID: 26
        Caption: 'sysmon64.exe - Application Error'
    condition: selection
falsepositives:
    - Unknown
level: high
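The rule's selection is a plain field map, so it can be evaluated with a few lines of code. The following is an added example, not code from the Sigma project or the rule author: a minimal evaluator for the `selection` block above, run over constructed Windows System-log records flattened to the rule's field names (Provider_Name, EventID, Caption). The sample events are constructed for this example. Note that the rule's Caption value names `sysmon64.exe` only, so the third sample, a crash of a 32-bit `sysmon.exe`, is deliberately not matched; a defender covering both builds would need to extend the Caption value.

```python
# Added example, not code from the Sigma project: a minimal evaluator for the
# rule's `selection` block, run over constructed Windows System-log records.
# Field names follow the rule (Provider_Name, EventID, Caption); the event
# records below are constructed for this example, not real log exports.

RULE_SELECTION = {
    "Provider_Name": "Application Popup",
    "EventID": 26,
    "Caption": "sysmon64.exe - Application Error",
}


def matches_selection(event, selection=RULE_SELECTION):
    """Return True if every field in the selection matches the event.

    Sigma semantics used here: all fields of a selection map are ANDed, a
    plain string value is compared case-insensitively, and a missing field
    means no match.
    """
    for field, expected in selection.items():
        if field not in event:
            return False
        actual = event[field]
        if isinstance(expected, str):
            if not isinstance(actual, str) or actual.lower() != expected.lower():
                return False
        elif actual != expected:
            return False
    return True


# Constructed sample events (System log, flattened to Sigma field names).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Provider_Name": "Service Control Manager", "EventID": 7036,
     "Message": "The Sysmon64 service entered the running state."},
    {"RecordId": 2, "Provider_Name": "Application Popup", "EventID": 26,
     "Caption": "sysmon64.exe - Application Error",
     "Message": "constructed application error text"},
    # 32-bit Sysmon: same failure, but the caption names sysmon.exe, which
    # the rule's exact Caption string does not cover.
    {"RecordId": 3, "Provider_Name": "Application Popup", "EventID": 26,
     "Caption": "sysmon.exe - Application Error"},
    # Unrelated application crash with the same provider and event id.
    {"RecordId": 4, "Provider_Name": "Application Popup", "EventID": 26,
     "Caption": "notepad.exe - Application Error"},
]


def find_alerts(events, selection=RULE_SELECTION):
    """Return the RecordIds of events that satisfy the rule's condition."""
    return [e["RecordId"] for e in events if matches_selection(e, selection)]


if __name__ == "__main__":
    print("alerting records:", find_alerts(SAMPLE_EVENTS))  # [2]
```

Only record 2 alerts: record 1 is a normal service state change, record 3 names the 32-bit binary, and record 4 is a different application's crash with the same provider and event id, which is why the Caption field does the real work in this rule.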
