Techniques
Sample rules
LSASS Process Crashed - Application
- source: sigma
- techniques:
- t1003
- t1003.001
Description
Detects Windows Error Reporting events (Application log, Event ID 1000 from the "Application Error" provider) where the crashed process is LSASS (Local Security Authority Subsystem Service). An LSASS crash can be the side effect of a credential-dumping technique that provokes it deliberately, such as Lsass-Shtinkering, so such events warrant investigation.
Detection logic
condition: selection
selection:
AppName: lsass.exe
EventID: 1000
ExceptionCode: c0000001
Provider_Name: Application Error
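The selection above ANDs four fields, so a practitioner tuning it wants to see exactly which crashes it fires on and which it silently ignores. The following is an added example, not code from the Sigma project: it evaluates the rule's selection against a handful of constructed Application-log records (the field names follow the rule; the event records and their `_id` labels are made up for illustration). String fields are compared case-insensitively, as Sigma backends normally do. It also includes a broader, hypothetical `matches_any_lsass_crash` variant that drops the exception-code pin, to show what the rule as written leaves out.

```python
# Added example (not part of the Sigma rule set): run the "LSASS Process
# Crashed - Application" selection over constructed Application-log events.

# The rule's selection block, transcribed field for field.
RULE_SELECTION = {
    "Provider_Name": "Application Error",
    "EventID": 1000,
    "AppName": "lsass.exe",
    "ExceptionCode": "c0000001",   # NTSTATUS STATUS_UNSUCCESSFUL
}


def _field_matches(expected, actual):
    """Sigma semantics: numeric values compare exactly, strings case-insensitively."""
    if actual is None:
        return False
    if isinstance(expected, int):
        try:
            return int(actual) == expected
        except (TypeError, ValueError):
            return False
    return str(actual).lower() == expected.lower()


def matches_rule(event):
    """condition: selection -> every field in the selection must match (AND)."""
    return all(_field_matches(v, event.get(k)) for k, v in RULE_SELECTION.items())


def matches_any_lsass_crash(event):
    """Hypothetical broader variant (assumption, not the page's rule): any
    Application Error 1000 for lsass.exe, regardless of the exception code."""
    loosened = {k: v for k, v in RULE_SELECTION.items() if k != "ExceptionCode"}
    return all(_field_matches(v, event.get(k)) for k, v in loosened.items())


# Constructed sample events (not real telemetry). Only the fields the rule
# reads are included; "_id" is a label for the reader and the tests.
SAMPLE_EVENTS = [
    {"_id": "lsass_c0000001", "Provider_Name": "Application Error", "EventID": 1000,
     "AppName": "lsass.exe", "ExceptionCode": "c0000001"},
    # Same crash, exception code logged in upper case: must still match.
    {"_id": "lsass_c0000001_upper", "Provider_Name": "Application Error", "EventID": "1000",
     "AppName": "LSASS.EXE", "ExceptionCode": "C0000001"},
    # LSASS access violation (STATUS_ACCESS_VIOLATION): the rule as written ignores it.
    {"_id": "lsass_c0000005", "Provider_Name": "Application Error", "EventID": 1000,
     "AppName": "lsass.exe", "ExceptionCode": "c0000005"},
    # Another process with the same exception code: benign noise, must not fire.
    {"_id": "notepad_c0000001", "Provider_Name": "Application Error", "EventID": 1000,
     "AppName": "notepad.exe", "ExceptionCode": "c0000001"},
    # Different provider/event id mentioning lsass.exe: outside the rule's scope.
    {"_id": "wer_1001", "Provider_Name": "Windows Error Reporting", "EventID": 1001,
     "AppName": "lsass.exe", "ExceptionCode": "c0000001"},
]


def alerts(events=SAMPLE_EVENTS):
    """Return the _id of every event the rule's selection matches, in order."""
    return [e["_id"] for e in events if matches_rule(e)]


def broad_alerts(events=SAMPLE_EVENTS):
    """Same, for the loosened variant (for comparison during tuning)."""
    return [e["_id"] for e in events if matches_any_lsass_crash(e)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['_id']:<22} rule={matches_rule(ev)!s:<5} "
              f"any_lsass_crash={matches_any_lsass_crash(ev)}")
```

Note that the rule pins `ExceptionCode` to c0000001, so an LSASS crash reported with any other status (the constructed c0000005 record above, for instance) does not fire; whether to keep that pin or loosen it, as the `matches_any_lsass_crash` variant does, is a tuning decision for the environment, and loosening it should be paired with checking the false-positive rate of ordinary LSASS faults.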