← Back to Explore
sigmahighHunting
Microsoft Malware Protection Engine Crash - WER
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
Detection Query
selection:
Provider_Name: Windows Error Reporting
EventID: 1001
Data|contains|all:
- MsMpEng.exe
- mpengine.dll
condition: selection
Author
Florian Roth (Nextron Systems)
Created
2017-05-09
Data Sources
windowsapplication
Platforms
windows
References
Tags
attack.defense-evasionattack.t1211attack.t1562.001
Raw Content
title: Microsoft Malware Protection Engine Crash - WER
id: 6c82cf5c-090d-4d57-9188-533577631108
status: test
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
- https://technet.microsoft.com/en-us/library/security/4022344
author: Florian Roth (Nextron Systems)
date: 2017-05-09
modified: 2023-04-14
tags:
- attack.defense-evasion
- attack.t1211
- attack.t1562.001
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'Windows Error Reporting'
EventID: 1001
Data|contains|all:
- 'MsMpEng.exe'
- 'mpengine.dll'
condition: selection
falsepositives:
- MsMpEng might crash if the "C:\" partition is full
level: high