EXPLORE
Sign In
← Back to Explore
sigmahighHunting

LSASS Process Crashed - Application

Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service). This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.

MITRE ATT&CK

T1003.001
credential-access

Detection Query

selection:
  Provider_Name: Application Error
  EventID: 1000
  AppName: lsass.exe
  ExceptionCode: c0000001
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-12-07

Data Sources

windowsapplication

Platforms

windows

References

Tags

attack.credential-accessattack.t1003.001
Raw Content
title: LSASS Process Crashed - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: |
    Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).
    This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-07
modified: 2025-12-03
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        AppName: 'lsass.exe'
        ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
    condition: selection
falsepositives:
    - Rare legitimate crashing of the lsass process
level: high