Event ID 1000 — Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.
Description
Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.
Message #
Fields #
| Name | Description |
|---|---|
Faulting_application_name | — |
version | — |
Faulting_module_name | — |
version | — |
Faulting_application_path | — |
Faulting_module_path | — |
Report_Id | — |
Faulting_package_full_name | — |
Faulting_packagerelative_application_ID | — |
Example Event #
{
"system": {
"provider": "Application Error",
"guid": "",
"event_source_name": "",
"event_id": 1000,
"version": 0,
"level": 2,
"task": 100,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2016-08-18T20:11:24.000000Z",
"event_record_id": 1590,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE10Win7",
"security": {
"user_id": ""
}
},
"event_data": {}
}
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- LSASS Process Crashed - Application source high: Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service). This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
- Microsoft Malware Protection Engine Crash source high: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline