ASR rules: Event IDs 1121 and 1122 occur with lsass.exe and block the operation

Last modified by Jannis Klein on 2024/08/13 08:20

When the agent service is restarted, the threats or alerts with Event IDs 1121 and 1122 may be triggered on the agent.
These events occur because the ASR rule „'Block the theft of Windows Local Security Authority credentials'“ intervenes. This rule prevents direct access to LSASS memory by untrusted processes. So if a process tries to access LSASS using the OpenProcess() function with PROCESS_VM_READ permissions, the ASR rule will block that access.

ereigniseigenschaften_1121_zoom80.png

Event properties - Event 1121

You can work around this blockage by adding lsass.exe as either an entire directory or file path in Configuration Profiles > ASR Rule Exclusions. Then select the Exclude files and paths from ASR rules checkbox.

© Aagon GmbH 2024
Besuchen Sie unsere neue Aagon-Community