Detectionhightest

Microsoft Malware Protection Engine Crash

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Tue May 09Updated Fri Apr 14545a5da6-f103-4919-a519-e9aec1026ee4windows

Log Source

Windowsapplication

ProductWindows← raw: windows

Serviceapplication← raw: application

Detection Logic

detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        Data|contains|all:
            - 'MsMpEng.exe'
            - 'mpengine.dll'
    condition: selection

False Positives

MsMpEng might crash if the "C:\" partition is full

References

Resolving title…

bugs.chromium.org

Resolving title…

technet.microsoft.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1211 · Exploitation for Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools

Related Rules

SimilarDetectionhigh

Microsoft Malware Protection Engine Crash - WER

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

545a5da6-f103-4919-a519-e9aec1026ee4

Status

test

Level

high

Type

Detection

Created

Tue May 09

Modified

Fri Apr 14

Author

Florian Roth (Nextron Systems)

Path

rules/windows/builtin/application/application_error/win_application_error_msmpeng_crash.yml

Raw Tags

attack.defense-evasionattack.t1211attack.t1562.001

View on GitHub