ASR rules: Event IDs 1121 and 1122 occur with lsass.exe and block the operation

Last modified by Jannis Klein on 2024/03/19 17:57

When the agent service is restarted, alerts with Event IDs 1121 and 1122 may be raised on the agent.
These events occur because the ASR rule 'Block the theft of Windows Local Security Authority credentials' intervenes. This rule prevents untrusted processes from accessing LSASS memory directly: if a process tries to open LSASS with the OpenProcess() function requesting PROCESS_VM_READ access, the ASR rule blocks that access (Event ID 1121) or, in audit mode, only logs it (Event ID 1122).

[Figure: Event properties - Event 1121]

You can work around this blockage by adding lsass.exe as either an entire directory or file path in Configuration Profiles > ASR Rule Exclusions. Then select the Exclude files and paths from ASR rules checkbox.
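The following PowerShell script is an added example and is not Aagon's or ACMP's own code. It lists the 1121 (blocked) and 1122 (audited) ASR events that mention lsass.exe, so you can confirm which process the rule actually intercepted (expected to be the agent service) before creating the exclusion, and it then reads the Defender preferences on the client so the exclusion rolled out through the configuration profile can be verified. It assumes the events are in the standard Microsoft-Windows-Windows Defender/Operational log and that the EventData field names ('ID', 'Path', 'Process Name') match those of the rendered event; the look-back parameter is a hypothetical default.

```powershell
# Added example (not Aagon/ACMP code): inspect ASR events 1121/1122 involving lsass.exe
# and show the ASR rule/exclusion state on this client.

function Get-LsassAsrEvent {
    param(
        [int]$Hours = 24   # hypothetical look-back window
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'   # standard Defender log (assumed location)
        Id        = 1121, 1122                                          # 1121 = blocked, 1122 = audited
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten EventData into a name/value table. The field names used below
        # ('ID' = rule GUID, 'Path', 'Process Name') are assumed from the rendered event.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep only events where LSASS is involved (as target path or process name).
        if (($data.Values -join ' ') -notmatch 'lsass\.exe') { continue }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Action  = if ($e.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            RuleId  = $data['ID']
            Process = $data['Process Name']   # verify this is the agent service before excluding
            Path    = $data['Path']
        }
    }
}

function Get-AsrState {
    # Configured ASR rule IDs, their actions (0 = off, 1 = block, 2 = audit)
    # and the ASR-only exclusions, as seen by Defender on this client.
    $pref = Get-MpPreference
    [pscustomobject]@{
        RuleIds    = $pref.AttackSurfaceReductionRules_Ids
        Actions    = $pref.AttackSurfaceReductionRules_Actions
        Exclusions = $pref.AttackSurfaceReductionOnlyExclusions
    }
}

# Usage: confirm the intercepted process, then check that the exclusion has arrived.
Get-LsassAsrEvent -Hours 48 | Format-Table -AutoSize
Get-AsrState | Format-List
```

Run it on an affected client after the agent service restart. If the 'Process' column shows something other than the agent service, the events are not caused by the agent and the exclusion described above should not be used to silence them. Once the configuration profile has been applied, the lsass.exe path should appear under 'Exclusions'.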

© Aagon GmbH 2024