LSASS Memory Dump Handle Access – poqexec.exe?
We are seeing SIEM alerts for LSASS Memory Dump Handle Access for the ‘C:\Windows\System32\poqexec.exe’ process (Primitive Operations Queue Executor) on several endpoints with the computer account name.
However, Defender for Endpoint is not picking this up as an alert, nor is the process listed in the device’s timeline.
I am not finding much online about poqexec.exe and its possible interaction with LSASS, and I was hoping to get some insight here. Has anyone seen this before and can help me validate the behavior?

Event/log details:

message: “A handle to an object was requested.

Subject:
    Security ID: S-1-5-18
    Account Name: <computerAccount$>
    Account Domain: <ourDomain>

Object:
    Object Server: Security
    Object Type: File
    Object Name: C:\Windows\System32\lsass.exe
    Handle ID: 0x70
    Resource Attributes: -

Process Information:
    Process ID: 0x6fc
    Process Name: C:\Windows\System32\poqexec.exe

Access Request Information:
    Transaction ID: {2801ddbe-0b5e-11ef-9edb-4c3488257915}
    Accesses: DELETE
        READ_CONTROL
        WRITE_DAC
        WRITE_OWNER
        SYNCHRONIZE
        ReadData (or ListDirectory)
        ReadEA
        ReadAttributes
        WriteAttributes
    Access Reasons: -
    Access Mask: 0x1F0189
    Privileges Used for Access Check: SeBackupPrivilege
        SeRestorePrivilege
    Restricted SID Count: 0”