LSASS Process Crashed - Application
Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service). Such a crash can be deliberately provoked by techniques such as Lsass-Shtinkering, which abuses Windows Error Reporting to dump LSASS memory and extract credentials.
Sigma rule
```yaml
title: LSASS Process Crashed - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: |
  Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).
  This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
references:
  - https://github.com/deepinstinct/Lsass-Shtinkering
  - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
  - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-07
modified: 2025-12-03
tags:
  - attack.credential-access
  - attack.t1003.001
logsource:
  product: windows
  service: application
detection:
  selection:
    Provider_Name: 'Application Error'
    EventID: 1000
    AppName: 'lsass.exe'
    ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
  condition: selection
falsepositives:
  - Rare legitimate crashing of the lsass process
level: high
```
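The rule's selection applied to a handful of constructed Application log records, as an added example that is not part of the rule or the Sigma project. It assumes each record has already been mapped by the log pipeline to the Sigma field names the rule uses (Provider_Name, EventID, AppName, ExceptionCode); the hostnames and the sample values are made up.

```python
"""Added example: evaluate the 'LSASS Process Crashed - Application' selection
against Windows Application log records.

Assumption: records are dicts keyed by the Sigma field names used in the rule.
In the raw event these values are positional EventData parameters, so a real
pipeline must map them before this logic applies."""

# Selection copied from the rule (condition: selection => all fields must match).
SELECTION = {
    "Provider_Name": "Application Error",
    "EventID": 1000,
    "AppName": "lsass.exe",
    "ExceptionCode": "c0000001",  # STATUS_UNSUCCESSFUL
}

def _equals(actual, expected):
    """Sigma compares plain string values case-insensitively, integers exactly."""
    if actual is None:
        return False
    if isinstance(expected, int):
        try:
            return int(actual) == expected
        except (TypeError, ValueError):
            return False
    return str(actual).casefold() == str(expected).casefold()

def matches(event):
    """True when every field of the selection matches the record."""
    return all(_equals(event.get(field), value) for field, value in SELECTION.items())

def find_lsass_crashes(events):
    """Return the records that satisfy the rule."""
    return [e for e in events if matches(e)]

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Provider_Name": "Application Error", "EventID": 1000,
     "AppName": "LSASS.EXE", "ExceptionCode": "c0000001", "FaultingModule": "ntdll.dll"},
    {"Computer": "WS01", "Provider_Name": "Application Error", "EventID": 1000,
     "AppName": "lsass.exe", "ExceptionCode": "c0000005", "FaultingModule": "lsasrv.dll"},
    {"Computer": "WS02", "Provider_Name": "Application Error", "EventID": 1000,
     "AppName": "notepad.exe", "ExceptionCode": "c0000001", "FaultingModule": "notepad.exe"},
    {"Computer": "WS02", "Provider_Name": "Windows Error Reporting", "EventID": 1001,
     "AppName": "lsass.exe", "ExceptionCode": "c0000001"},
]

if __name__ == "__main__":
    for hit in find_lsass_crashes(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: lsass.exe crashed with exception {hit['ExceptionCode']}")
```

Only the first record matches: the mixed-case AppName still hits because Sigma string matching is case-insensitive, while the lsass crash with a different exception code and the WER 1001 record are excluded by design.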
Related rules
- HackTool - WSASS Execution
- PPL Tampering Via WerFaultSecure
- Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
- Cred Dump Tools Dropped Files
- LSASS Process Memory Dump Creation Via Taskmgr.EXE