high advisory

Suspicious Process Terminating LSASS Process

Detection of a process attempting to terminate the Lsass.exe process, indicating a potential attempt to perform credential dumping, privilege escalation, or evasion of security policies.

This analytic detects a suspicious process attempting to terminate the Lsass.exe process. It keys on processes being granted PROCESS_TERMINATE access to Lsass.exe, a critical process responsible for enforcing security policies and handling user credentials. Attackers may attempt to terminate the LSASS process to disable security policies or dump credentials. The initial report stems from Splunk ESCU detections as of 2026-05-05. Successful termination of LSASS can lead to unauthorized access and persistence within the environment.

Attack Chain

  1. An attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.
  2. The attacker escalates privileges to obtain the necessary permissions to interact with the LSASS process.
  3. The attacker uses a malicious process to request the PROCESS_TERMINATE right on the LSASS process.
  4. Sysmon logs EventCode 10, recording the process requesting PROCESS_TERMINATE access to lsass.exe.
  5. The malicious process successfully terminates the LSASS process.
  6. The operating system may crash or become unstable due to the termination of a critical system process.
  7. The attacker may attempt to dump credentials or perform other malicious activities with the security policies disabled.
  8. The attacker achieves their objective, such as gaining unauthorized access, stealing sensitive data, or establishing persistence.

Impact

Successful termination of the LSASS process can have severe consequences, including system instability, data loss, and unauthorized access to sensitive information. Attackers can leverage this to perform credential dumping, gain elevated privileges, and evade security policies. While the exact number of victims is not specified, the potential impact spans across organizations that rely on Windows-based systems for their operations.

Recommendation

  • Enable Sysmon EventCode 10 logging to detect processes granted PROCESS_TERMINATE access to lsass.exe.
  • Deploy the Sigma rule Detect LSASS Process Termination Attempt to your SIEM and tune for your environment.
  • Investigate any alerts generated by the Sigma rule and determine the root cause of the LSASS process termination.
  • Review access controls and permissions to limit the ability of unauthorized processes to interact with LSASS.
  • Monitor systems for unusual process behavior and investigate any suspicious activity promptly.

Detection coverage (2)

Detect LSASS Process Termination Attempt

high

Detects a process attempting to terminate the LSASS process by monitoring Sysmon Event ID 10 for PROCESS_TERMINATE access.

Type: sigma | Tactics: credential_access, defense_evasion, privilege_escalation | Sources: process_creation, windows

Suspicious Process Accessing LSASS

medium

Detects a suspicious process attempting to access LSASS.exe.

Type: sigma | Tactics: credential_access, defense_evasion, privilege_escalation | Sources: process_creation, windows
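The two coverage entries above both key on Sysmon Event ID 10 (ProcessAccess) records whose TargetImage is lsass.exe: the first on the PROCESS_TERMINATE right, the second on suspicious access more generally. The following is an added example, written for this page and not the platform's Sigma rules or Splunk ESCU content, showing how a triage script can parse the Event ID 10 message body and tier the result. It assumes the Event Viewer "Field: value" message layout, the documented Win32 access-right bits PROCESS_TERMINATE (0x0001) and PROCESS_VM_READ (0x0010), constructed sample records, and a hypothetical source_allowlist tuning hook; the "medium" tier on PROCESS_VM_READ is this example's own generalization, not the page's rule logic.

```python
"""Added example: triage Sysmon Event ID 10 (ProcessAccess) records that target
lsass.exe. Illustrative logic only; not the platform's Sigma rules."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Win32 process access-right bits (documented constants, not page-specific).
PROCESS_TERMINATE = 0x0001  # the right the termination detection keys on
PROCESS_VM_READ = 0x0010    # read access typical of credential dumping (medium tier here)

# Constructed sample records in the Event Viewer "Field: value" message layout.
SAMPLE_EVENTS = [
    """Process accessed:
    UtcTime: 2026-05-05 10:00:01.000
    SourceImage: C:\\Windows\\System32\\svchost.exe
    TargetImage: C:\\Windows\\System32\\lsass.exe
    GrantedAccess: 0x1000""",                       # query-limited only: benign
    """Process accessed:
    UtcTime: 2026-05-05 10:00:02.000
    SourceImage: C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe
    TargetImage: C:\\Windows\\System32\\lsass.exe
    GrantedAccess: 0x1fffff""",                     # PROCESS_ALL_ACCESS includes terminate
    """Process accessed:
    UtcTime: 2026-05-05 10:00:03.000
    SourceImage: C:\\Users\\alice\\Downloads\\dump.exe
    TargetImage: C:\\Windows\\System32\\lsass.exe
    GrantedAccess: 0x1010""",                       # VM_READ without terminate
    """Process accessed:
    UtcTime: 2026-05-05 10:00:04.000
    SourceImage: C:\\Temp\\killer.exe
    TargetImage: C:\\Windows\\System32\\lsass.exe
    GrantedAccess: 0x1""",                          # bare PROCESS_TERMINATE
    """Process accessed:
    UtcTime: 2026-05-05 10:00:05.000
    SourceImage: C:\\Temp\\killer.exe
    TargetImage: C:\\Windows\\System32\\notepad.exe
    GrantedAccess: 0x1fffff""",                     # not lsass: out of scope
]


@dataclass
class Alert:
    severity: str
    rule: str
    source_image: str
    granted_access: int


def parse_event10(body: str) -> Dict[str, str]:
    """Parse 'Field: value' lines into a dict; splits on the first colon only,
    so values containing colons (UtcTime) survive intact."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def targets_lsass(fields: Dict[str, str]) -> bool:
    """Match the image name case-insensitively; the path prefix may vary."""
    return fields.get("TargetImage", "").lower().endswith("\\lsass.exe")


def classify(fields: Dict[str, str],
             source_allowlist: FrozenSet[str] = frozenset()) -> Optional[Alert]:
    """Tier one Event ID 10 record. source_allowlist (hypothetical tuning hook)
    holds lower-cased SourceImage paths known to be benign in the environment."""
    if not targets_lsass(fields):
        return None
    src = fields.get("SourceImage", "")
    if src.lower() in source_allowlist:
        return None
    try:
        granted = int(fields.get("GrantedAccess", "0"), 16)  # logged as 0x-prefixed hex
    except ValueError:
        return None
    if granted & PROCESS_TERMINATE:
        return Alert("high", "lsass_terminate_access", src, granted)
    if granted & PROCESS_VM_READ:
        return Alert("medium", "lsass_vm_read_access", src, granted)
    return None


def triage(bodies: List[str],
           source_allowlist: FrozenSet[str] = frozenset()) -> List[Alert]:
    """Run classify() over raw message bodies and collect the alerts."""
    alerts = []
    for body in bodies:
        alert = classify(parse_event10(body), source_allowlist)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.source_image} "
              f"GrantedAccess=0x{a.granted_access:x}")
```

The terminate check is evaluated before the read check, so a request for PROCESS_ALL_ACCESS (0x1fffff, which sets both bits) lands in the high tier. Tuning belongs in the allowlist rather than in the bit tests: widening the mask hides the very right the advisory is about.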

Detection queries are kept inside the platform.