Wiki source code of ASR rules: Event IDs 1121 and 1122 occur in connection with lsass.exe and block the operation
Last modified by Jannis Klein on 2024/03/19 17:57
version | line-number | content
---|---|---
1.1 | 1 | {{aagon.priorisierung}}
4.1 | 2 | 10
1.1 | 3 | {{/aagon.priorisierung}}
5.1 | 4 |
41.2 | 5 | When the agent service is restarted, threats or alerts with Event IDs 1121 and 1122 may be triggered on the agent.
| 6 | These events occur because the ASR rule "[['Block the theft of Windows Local Security Authority credentials'>>doc:ACMP.64.ACMP-Solutions.Security.Defender Management.Konfigurationsprofile.Konfigurationsprofil-Einstellungen.WebHome]]" intervenes. This rule prevents direct access to LSASS memory by untrusted processes: if a process tries to open LSASS with the OpenProcess() function and PROCESS_VM_READ access rights, the ASR rule blocks that access.
5.1 | 7 |
20.1 | 8 | {{figure}}
6.1 | 9 | (% style="text-align:center" %)
20.1 | 10 | [[image:ereigniseigenschaften_1121_zoom80.png]]
18.1 | 11 |
20.1 | 12 | {{figureCaption}}
41.2 | 13 | Event properties - Event 1121
20.1 | 14 | {{/figureCaption}}
| 15 | {{/figure}}
5.1 | 16 |
41.2 | 17 | You can work around this block by adding lsass.exe, either as a directory or as a file path, under //Configuration Profiles// > //ASR Rule Exclusions//. Then select the //Exclude files and paths from ASR rules// checkbox.
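Before adding the exclusion, it is worth confirming on an endpoint that the 1121/1122 events really come from the LSASS rule and which process was denied access. The following PowerShell is an added example, not part of the ACMP documentation; it assumes Defender writes ASR events to the 'Microsoft-Windows-Windows Defender/Operational' log, uses the GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 for the LSASS credential-theft rule, and assumes the "Process Name:" and "Path:" labels in the event message text.

```powershell
# Added example for this wiki page, not part of the ACMP documentation.
# Lists recent ASR events 1121 (blocked) / 1122 (audit only) raised by the LSASS
# credential-theft rule, so you can see which process was denied access to
# lsass.exe before deciding on an ASR exclusion.
# Assumptions: Defender logs to 'Microsoft-Windows-Windows Defender/Operational';
# the GUID below is the LSASS rule; the message contains "Process Name:" and "Path:" labels.

$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Get-LsassAsrEvents {
    param([int]$MaxEvents = 200)

    $filter = @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122      # 1121 = rule blocked the action, 1122 = audit mode only
    }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Keep only events whose text carries the LSASS rule GUID (-match is case-insensitive).
        if ($e.Message -notmatch [regex]::Escape($LsassRuleId)) { continue }

        # Field labels in the event text are an assumption; adjust if your locale differs.
        $proc = if ($e.Message -match 'Process Name:\s*(.+)') { $Matches[1].Trim() } else { '' }
        $path = if ($e.Message -match 'Path:\s*(.+)')         { $Matches[1].Trim() } else { '' }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Mode    = if ($e.Id -eq 1121) { 'Blocked' } else { 'Audit' }
            Process = $proc   # caller that tried to open lsass.exe (expected: the agent service)
            Target  = $path   # normally the path of lsass.exe
        }
    }
}

# ASR-only exclusions currently configured on this host, to compare with what the profile pushes.
function Get-AsrOnlyExclusions {
    (Get-MpPreference).AttackSurfaceReductionOnlyExclusions
}

Get-LsassAsrEvents | Sort-Object Time -Descending | Format-Table -AutoSize
'Existing ASR-only exclusions:'
Get-AsrOnlyExclusions
```

If a process other than the agent service shows up in the Process column, the events are not explained by the agent restart and the exclusion would not be the right answer for them.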