Wiki source code of ASR-Regeln: Die Ereignis-ID’s 1121 und 1122 treten in Verbindung mit einer lsass.exe auf und blockieren den Vorgang
Last modified by Jannis Klein on 2024/03/19 17:57
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | {{aagon.priorisierung}} | ||
| 2 | 10 | ||
| 3 | {{/aagon.priorisierung}} | ||
| 4 | |||
| 5 | When the agent service is restarted, the threats or alerts with Event IDs 1121 and 1122 may be triggered on the agent. | ||
| 6 | These events occur because the ASR rule „[['Block the theft of Windows Local Security Authority credentials'>>doc:ACMP.64.ACMP-Solutions.Security.Defender Management.Konfigurationsprofile.Konfigurationsprofil-Einstellungen.WebHome]]“ intervenes. This rule prevents direct access to LSASS memory by untrusted processes. So if a process tries to access LSASS using the OpenProcess() function with PROCESS_VM_READ permissions, the ASR rule will block that access. | ||
| 7 | |||
| 8 | {{figure}} | ||
| 9 | (% style="text-align:center" %) | ||
| 10 | [[image:ereigniseigenschaften_1121_zoom80.png]] | ||
| 11 | |||
| 12 | {{figureCaption}} | ||
| 13 | Event properties - Event 1121 | ||
| 14 | {{/figureCaption}} | ||
| 15 | {{/figure}} | ||
| 16 | |||
| 17 | You can work around this blockage by adding lsass.exe as either an entire directory or file path in //Configuration Profiles// > //ASR Rule Exclusions//. Then select the //Exclude files and paths from ASR rules// checkbox. |