Wiki source code of ASR-Regeln: Die Ereignis-ID’s 1121 und 1122 treten in Verbindung mit einer lsass.exe auf und blockieren den Vorgang
Last modified by Jannis Klein on 2024/03/19 17:57
Hide last authors
| author | version | line-number | content |
|---|---|---|---|
 |
1.1 | 1 | {{aagon.priorisierung}} |
| |
4.1 | 2 | 10 |
| |
1.1 | 3 | {{/aagon.priorisierung}} |
| |
5.1 | 4 | |
| |
41.2 | 5 | When the agent service is restarted, the threats or alerts with Event IDs 1121 and 1122 may be triggered on the agent. |
| 6 | These events occur because the ASR rule „[['Block the theft of Windows Local Security Authority credentials'>>doc:ACMP.64.ACMP-Solutions.Security.Defender Management.Konfigurationsprofile.Konfigurationsprofil-Einstellungen.WebHome]]“ intervenes. This rule prevents direct access to LSASS memory by untrusted processes. So if a process tries to access LSASS using the OpenProcess() function with PROCESS_VM_READ permissions, the ASR rule will block that access. | ||
| |
5.1 | 7 | |
| |
20.1 | 8 | {{figure}} |
| |
6.1 | 9 | (% style="text-align:center" %) |
| |
20.1 | 10 | [[image:ereigniseigenschaften_1121_zoom80.png]] |
| |
18.1 | 11 | |
| |
20.1 | 12 | {{figureCaption}} |
| |
41.2 | 13 | Event properties - Event 1121 |
| |
20.1 | 14 | {{/figureCaption}} |
| 15 | {{/figure}} | ||
| |
5.1 | 16 | |
| |
41.2 | 17 | You can work around this blockage by adding lsass.exe as either an entire directory or file path in //Configuration Profiles// > //ASR Rule Exclusions//. Then select the //Exclude files and paths from ASR rules// checkbox. |