Detection | Level: high | Status: test

Sysmon Application Crashed

Detects application popup reporting a failure of the Sysmon service

Author: Tim Shelton | Created: Tue Apr 26 | Updated: Wed Jan 17 | Rule ID: 4d7f1827-1637-4def-8d8a-fd254f9454df | windows
Log Source
Product: Windows (raw: windows)
Service: system (raw: system)
Detection Logic (1 selector)
detection:
    selection:
        Provider_Name: 'Application Popup'
        EventID: 26
        Caption:
            - 'sysmon64.exe - Application Error'
            - 'sysmon.exe - Application Error'
    condition: selection
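The selection above evaluated in code, as an added example that is not part of the rule or of this page: a minimal matcher implementing Sigma's field semantics (all fields must match, a list of values is an OR, string literals compare case-insensitively), run over constructed Windows System events. The event dicts are made up, including the ones that must not fire (another application's crash, a different provider).

```python
# Added example, not part of the Sigma rule or the page; the events below are constructed.

# Selection copied from the rule. Sigma semantics: all fields must match (AND),
# a list of values for one field is an OR, string literals compare case-insensitively.
SELECTION = {
    "Provider_Name": ["Application Popup"],
    "EventID": [26],
    "Caption": ["sysmon64.exe - Application Error",
                "sysmon.exe - Application Error"],
}


def _value_matches(expected, actual) -> bool:
    """Compare one Sigma literal with an event field value."""
    if isinstance(expected, int):
        try:                        # EventID may arrive as int or as string
            return int(actual) == expected
        except (TypeError, ValueError):
            return False
    return isinstance(actual, str) and actual.lower() == expected.lower()


def selection_matches(event: dict) -> bool:
    """True when the event satisfies every field of SELECTION."""
    return all(
        field in event and any(_value_matches(v, event[field]) for v in values)
        for field, values in SELECTION.items()
    )


def find_matches(events):
    """Return the events that fire the rule (triage context is still needed)."""
    return [e for e in events if selection_matches(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Provider_Name": "Application Popup", "EventID": 26,
     "Caption": "sysmon64.exe - Application Error"},       # fires
    {"Provider_Name": "Application Popup", "EventID": "26",
     "Caption": "SYSMON.EXE - Application Error"},         # fires: case / string id
    {"Provider_Name": "Application Popup", "EventID": 26,
     "Caption": "notepad.exe - Application Error"},        # other application crashed
    {"Provider_Name": "Service Control Manager", "EventID": 7036,
     "Caption": "sysmon64.exe - Application Error"},       # wrong provider
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT Sysmon Application Crashed:", hit["Caption"])
```

A hit only says the Sysmon binary crashed; whether the crash was induced (defense evasion, T1562) or accidental has to come from surrounding telemetry, which is why the false-positive rate below is listed as unknown.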
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
4d7f1827-1637-4def-8d8a-fd254f9454df
Status
test
Level
high
Type
Detection
Created
Tue Apr 26
Modified
Wed Jan 17
Path
rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml
Raw Tags
attack.defense-evasion, attack.t1562