Type: Detection · Level: high · Status: experimental
LSASS Process Crashed - Application
Detects Windows Error Reporting events in which the crashed process is LSASS (Local Security Authority Subsystem Service). Such a crash may have been provoked deliberately by credential-dumping techniques such as Lsass-Shtinkering, which abuse the error-reporting mechanism to make Windows itself write a memory dump of the process.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Wed Dec 07
Updated: Wed Dec 03
Rule ID: a18e0862-127b-43ca-be12-1a542c75c7c5
Product: windows
Log Source
Product: Windows (raw: windows)
Service: application (raw: application)
Detection Logic (1 selector)
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        AppName: 'lsass.exe'
        ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
    condition: selection

False Positives
Rare legitimate crashing of the lsass process
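To show what the selection above actually matches (and what it deliberately ignores, which is why false positives are rare), here is the rule evaluated over a handful of constructed Application log events. This is an added example, not code from the page or from the rule's author; the events are made up, and their field names (Provider_Name, EventID, AppName, ExceptionCode) are the rule's normalised Sigma field names, not the raw positional EventData of a Windows event 1000, so a real pipeline needs a field mapping in front of this.

```python
"""Evaluate the LSASS-crash Sigma selection against sample Application log events.

Added example, not part of the Sigma rule or the original page. The events below
are constructed and already use the rule's normalised field names; mapping the
raw Application Error (EventID 1000) EventData onto AppName / ExceptionCode is
assumed to have happened upstream.
"""

# The rule's selection, expressed as field -> expected value (all fields must match).
SELECTION = {
    "Provider_Name": "Application Error",
    "EventID": 1000,
    "AppName": "lsass.exe",
    "ExceptionCode": "c0000001",  # STATUS_UNSUCCESSFUL
}


def _sigma_equals(actual, expected):
    """Sigma compares strings case-insensitively by default; numbers compare exactly."""
    if isinstance(expected, str):
        return isinstance(actual, str) and actual.lower() == expected.lower()
    return actual == expected


def matches(event):
    """True when every selection field is present in the event and matches (AND semantics)."""
    return all(
        field in event and _sigma_equals(event[field], expected)
        for field, expected in SELECTION.items()
    )


def scan(events):
    """Return the events that trigger the rule, in their original order."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # lsass.exe crashed with STATUS_UNSUCCESSFUL: the signature the rule is after
        "Provider_Name": "Application Error", "EventID": 1000,
        "AppName": "lsass.exe", "ExceptionCode": "c0000001", "Computer": "WS01",
    },
    {   # same process, but an access violation (c0000005): a genuine crash, not matched
        "Provider_Name": "Application Error", "EventID": 1000,
        "AppName": "lsass.exe", "ExceptionCode": "c0000005", "Computer": "WS01",
    },
    {   # another process dying with c0000001: not LSASS, so not matched
        "Provider_Name": "Application Error", "EventID": 1000,
        "AppName": "notepad.exe", "ExceptionCode": "c0000001", "Computer": "WS02",
    },
    {   # upper-case variant: still matched, Sigma string comparison is case-insensitive
        "Provider_Name": "Application Error", "EventID": 1000,
        "AppName": "LSASS.EXE", "ExceptionCode": "C0000001", "Computer": "WS03",
    },
    {   # right process and code but the follow-up WER report (EventID 1001): not matched
        "Provider_Name": "Windows Error Reporting", "EventID": 1001,
        "AppName": "lsass.exe", "ExceptionCode": "c0000001", "Computer": "WS03",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT {hit['Computer']}: {hit['AppName']} crashed with {hit['ExceptionCode']}")
```

On a live host the same events can be pulled with Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Application Error'; Id=1000} and then fed through the matcher once the application name and exception code have been extracted from the event's message data. Note that the rule keys on a single exception code; an attacker who triggers a different status code, or a Shtinkering-style dump that never raises event 1000 at all, falls outside it.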
MITRE ATT&CK
Tactics: Credential Access (TA0006)
Sub-techniques: T1003.001 OS Credential Dumping: LSASS Memory
Rule Metadata
Rule ID
a18e0862-127b-43ca-be12-1a542c75c7c5
Status
experimental
Level
high
Type
Detection
Created
Wed Dec 07
Modified
Wed Dec 03
Path
rules/windows/builtin/application/application_error/win_application_error_lsass_crash.yml
Raw Tags
attack.credential-access, attack.t1003.001