EDR blocking zabbix_agentd.exe for LSASS credential stealing

  • leviu
    Junior Member
    • Nov 2021
    • 5

    #1

    Why would (Microsoft Defender for Endpoint) EDR block zabbix_agentd.exe for "LSASS credential stealing"? What does it access that would trigger this block?
    Defender rule: "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"
    Customer does not have threat hunting (Plan 2), so I cannot view the details of why exactly it blocks it.
  • landon_l9
    Junior Member
    • Aug 2024
    • 4

    #2
    We are also seeing this with Windows Defender (EventID 1121). Did you ever figure out the cause of this? This is the only post I'm seeing anywhere referencing this behavior.

    Code:
    Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
    For more information please contact your IT administrator.
        ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
        Detection time: 2025-07-21T09:47:07.953Z
        User: NT AUTHORITY\SYSTEM
        Path: C:\Program Files\Zabbix Agent 2\zabbix_agent2.exe
        Process Name: C:\Windows\System32\lsass.exe
        Target Commandline:
        Parent Commandline:
        Involved File:
        Inheritance Flags: 0x00000000
        Security intelligence Version: 1.431.783.0
        Engine Version: 1.1.25050.6
        Product Version: 4.18.25050.5
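Added example, not from either poster: a PowerShell triage script for a host that logs the event above. It reads the local state of the ASR rule whose ID appears in the event, pulls Event ID 1121 entries from the Defender operational log and parses the Path / Process Name lines the event text shows; the `zabbix` filter string and the elevated Defender-module session are assumptions.

```powershell
# Rule ID taken from the 1121 event quoted in the thread (LSASS credential-stealing rule)
$LsassRuleId   = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
$ProcessFilter = 'zabbix'   # constructed: substring expected in the blocked Path

# 1. How this rule is currently configured on the host
#    (actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn)
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpper() })
$idx  = [array]::IndexOf($ids, $LsassRuleId)
if ($idx -ge 0) {
    "Rule $LsassRuleId local action: $($pref.AttackSurfaceReductionRules_Actions[$idx])"
} else {
    "Rule $LsassRuleId not set in local preferences (may come from Intune/GPO)"
}
"ASR-only exclusions: $($pref.AttackSurfaceReductionOnlyExclusions -join '; ')"

# 2. Collect ASR block events (ID 1121) and parse the fields shown in the event text
function Get-AsrLsassBlocks {
    param([string]$Match = $ProcessFilter)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $m      = $_.Message
        $ruleId = if ($m -match 'ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1].ToUpper() } else { '' }
        $path   = if ($m -match 'Path:\s*(.+)')            { $Matches[1].Trim() }    else { '' }
        $proc   = if ($m -match 'Process Name:\s*(.+)')    { $Matches[1].Trim() }    else { '' }
        [pscustomobject]@{
            Time = $_.TimeCreated; RuleId = $ruleId; Path = $path; ProcessName = $proc
        }
    } | Where-Object { $_.RuleId -eq $LsassRuleId -and $_.Path -like "*$Match*" }
}

# Count of blocks per blocked executable, to see whether it is one agent binary or several
Get-AsrLsassBlocks | Group-Object Path | Select-Object Count, Name | Format-Table -AutoSize

# 3. To observe what the agent touches without blocking it, switch only this rule to
#    audit (events then arrive as ID 1122) and restore Block once the cause is known:
# Set-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
#                  -AttackSurfaceReductionRules_Actions AuditMode
```

Run it on the affected host before adding any exclusion; the per-path counts and timestamps tell you whether the block is continuous (a monitoring item the agent polls) or tied to a specific check.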