Home/CVE-2023-23958/Sigma rules
Sigma

Sigma rules for CVE-2023-23958

2 rules · scoped to cve · back to CVE-2023-23958
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

2 of 2
direct high
Microsoft Malware Protection Engine Crash
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
status test author Florian Roth (Nextron Systems) id 545a5da6-f103-4919-a519-e9aec1026ee4 license Sigma · DRL-1.1
view Sigma YAML 
title: Microsoft Malware Protection Engine Crash
id: 545a5da6-f103-4919-a519-e9aec1026ee4
related:
    - id: 6c82cf5c-090d-4d57-9188-533577631108
      type: similar
status: test
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
    - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
    - https://technet.microsoft.com/en-us/library/security/4022344
author: Florian Roth (Nextron Systems)
date: 2017-05-09
modified: 2023-04-14
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1211
    - attack.t1685
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        Data|contains|all:
            - 'MsMpEng.exe'
            - 'mpengine.dll'
    condition: selection
falsepositives:
    - MsMpEng might crash if the "C:\" partition is full
level: high
direct high
Microsoft Malware Protection Engine Crash - WER
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
status test author Florian Roth (Nextron Systems) id 6c82cf5c-090d-4d57-9188-533577631108 license Sigma · DRL-1.1
view Sigma YAML 
title: Microsoft Malware Protection Engine Crash - WER
id: 6c82cf5c-090d-4d57-9188-533577631108
status: test
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
    - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
    - https://technet.microsoft.com/en-us/library/security/4022344
author: Florian Roth (Nextron Systems)
date: 2017-05-09
modified: 2023-04-14
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1211
    - attack.t1685
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'Windows Error Reporting'
        EventID: 1001
        Data|contains|all:
            - 'MsMpEng.exe'
            - 'mpengine.dll'
    condition: selection
falsepositives:
    - MsMpEng might crash if the "C:\" partition is full
level: high
Showing 1-2 of 2
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin