Changes for page ASR rules: Event IDs 1121 and 1122 occur in connection with lsass.exe and block the operation
Last modified by Jannis Klein on 2024/03/19 17:57
edited by Jannis Klein
on 2024/03/19 17:57
Change comment:
Renamed from xwiki:64.ACMP-Solutions.Security.Defender Management.Use Cases für Defender Management.ASR-Regeln\: Die Ereignis-ID’s 1121 und 1122 treten in Verbindung mit einer lsass\.exe auf und blockieren den Vorgang.WebHome
Summary
Page properties (2 modified, 0 added, 0 removed)
Details
- Page properties
- Author
... ... @@ -1,1 +1,1 @@ 1 -XWiki. SVelibeyoglu1 +XWiki.jklein - Content
... ... @@ -3,7 +3,7 @@ 3 3 {{/aagon.priorisierung}} 4 4 5 5 When the agent service is restarted, the threats or alerts with Event IDs 1121 and 1122 may be triggered on the agent. 6 -These events occur because the ASR rule „[['Block the theft of Windows Local Security Authority credentials'>>doc:64.ACMP-Solutions.Security.Defender Management.Konfigurationsprofile.Konfigurationsprofil-Einstellungen.WebHome]]“ intervenes. This rule prevents direct access to LSASS memory by untrusted processes. So if a process tries to access LSASS using the OpenProcess() function with PROCESS_VM_READ permissions, the ASR rule will block that access. 6 +These events occur because the ASR rule „[['Block the theft of Windows Local Security Authority credentials'>>doc:ACMP.64.ACMP-Solutions.Security.Defender Management.Konfigurationsprofile.Konfigurationsprofil-Einstellungen.WebHome]]“ intervenes. This rule prevents direct access to LSASS memory by untrusted processes. So if a process tries to access LSASS using the OpenProcess() function with PROCESS_VM_READ permissions, the ASR rule will block that access. 7 7 8 8 {{figure}} 9 9 (% style="text-align:center" %)
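Review bot: in the Content hunk (line 6) the only change is the link target, which gains the `ACMP.` space prefix (`doc:ACMP.64.ACMP-Solutions.Security.Defender Management.Konfigurationsprofile.Konfigurationsprofil-Einstellungen.WebHome`) while the sentence text is untouched; this is consistent with the "Renamed from xwiki:64.ACMP-Solutions..." change comment, but please confirm the target page was moved into the `ACMP` space as well, otherwise the link to the rule description breaks on the renamed page. Two style points on the same line: the German low quotation marks „…“ around the English link label 'Block the theft of Windows Local Security Authority credentials' are inconsistent with the English sentence and with the single quotes already inside the label, so drop one of the two quoting layers; and since the hunk describes the rule blocking OpenProcess() calls with PROCESS_VM_READ against LSASS, the page should state explicitly that these 1121/1122 events are expected after an agent service restart and are not to be treated as a separate incident, which the surrounding lines 5 and 6 only imply.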