Detectionhightest

Microsoft Malware Protection Engine Crash - WER

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Tue May 09Updated Fri Apr 146c82cf5c-090d-4d57-9188-533577631108windows

Log Source

Windowsapplication

ProductWindows← raw: windows

Serviceapplication← raw: application

Detection Logic

detection:
    selection:
        Provider_Name: 'Windows Error Reporting'
        EventID: 1001
        Data|contains|all:
            - 'MsMpEng.exe'
            - 'mpengine.dll'
    condition: selection

False Positives

MsMpEng might crash if the "C:\" partition is full

References

Resolving title…

bugs.chromium.org

Resolving title…

technet.microsoft.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1211 · Exploitation for Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools

Rule Metadata

Rule ID

6c82cf5c-090d-4d57-9188-533577631108

Status

test

Level

high

Type

Detection

Created

Tue May 09

Modified

Fri Apr 14

Author

Florian Roth (Nextron Systems)

Path

rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml

Raw Tags

attack.defense-evasionattack.t1211attack.t1562.001

View on GitHub