Forum Discussion
GuruLee
May 08, 2024 (Brass Contributor)
LSASS Memory Dump Handle Access - poqexec.exe ?
We are seeing SIEM alerts for LSASS Memory Dump Handle Access for the 'C:\Windows\System32\poqexec.exe' process (Primitive Operations Queue Executor) on several endpoints with the computer account name.
However, Defender for Endpoint is not picking this up as an alert, nor is the process listed in the device's timeline.
I am not finding much online about poqexec.exe and its possible interaction with LSASS, and I was hoping to get some insight here.
Has anyone seen this before and can help me validate the behavior?
Event/log details:
message: "A handle to an object was requested.
Subject:
Security ID: S-1-5-18
Account Name: <computerAccount$>
Account Domain: <ourDomain>
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\lsass.exe
Handle ID: 0x70
Resource Attributes: -
Process Information:
Process ID: 0x6fc
Process Name: C:\Windows\System32\poqexec.exe
Access Request Information:
Transaction ID: {2801ddbe-0b5e-11ef-9edb-4c3488257915}
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
Access Reasons: -
Access Mask: 0x1F0189
Privileges Used for Access Check: SeBackupPrivilege
SeRestorePrivilege
Restricted SID Count: 0"
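Added example (not part of the original post, and not code from Microsoft or any SIEM vendor): a small Python triage helper that parses the "A handle to an object was requested" (Event ID 4656) text as posted above. It separates the two things a rule named "LSASS Memory Dump Handle Access" can actually be matching: a handle to the running LSASS *process* (Object Type: Process), which is what a memory-dump detection should fire on, versus a handle to the lsass.exe *file* on disk (Object Type: File), which is what the posted event shows. It also decodes the Access Mask 0x1F0189 into named file rights and checks that the decoding agrees with the Accesses list the event printed. The posted event is embedded as-is; the second event, its SIDs, paths and access mask are constructed for contrast and are not from the post.

```python
import re

# Generic rights (high word) shared by every securable object type.
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
                   0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
# File-object specific rights (low word), named the way the event text prints them.
FILE_RIGHTS = {0x1: "ReadData (or ListDirectory)", 0x2: "WriteData (or AddFile)",
               0x4: "AppendData (or AddSubdirectory)", 0x8: "ReadEA", 0x10: "WriteEA",
               0x20: "Execute/Traverse", 0x40: "DeleteChild", 0x80: "ReadAttributes",
               0x100: "WriteAttributes"}

# Event text reproduced from the forum post (placeholders kept as posted).
POSTED_EVENT = r"""A handle to an object was requested.
Subject:
Security ID: S-1-5-18
Account Name: <computerAccount$>
Account Domain: <ourDomain>
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\lsass.exe
Handle ID: 0x70
Resource Attributes: -
Process Information:
Process ID: 0x6fc
Process Name: C:\Windows\System32\poqexec.exe
Access Request Information:
Transaction ID: {2801ddbe-0b5e-11ef-9edb-4c3488257915}
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
Access Reasons: -
Access Mask: 0x1F0189
Privileges Used for Access Check: SeBackupPrivilege
SeRestorePrivilege
Restricted SID Count: 0"""

# Constructed contrast case (NOT from the post): only the fields the triage reads,
# with the handle target being the running LSASS process instead of its file.
CONSTRUCTED_PROCESS_EVENT = r"""A handle to an object was requested.
Security ID: S-1-5-21-1111-2222-3333-1001
Object Type: Process
Object Name: \Device\HarddiskVolume3\Windows\System32\lsass.exe
Process Name: C:\Users\someuser\Downloads\example_tool.exe
Accesses: -
Access Reasons: -
Access Mask: 0x1400
Privileges Used for Access Check: -
Restricted SID Count: 0"""


def _field(message, key):
    """Value of a 'key: value' line, or None if the line is absent."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*(.*?)\s*$", message, re.M)
    return m.group(1) if m else None


def listed_accesses(message):
    """The human-readable 'Accesses:' block, up to the 'Access Reasons:' line."""
    m = re.search(r"^\s*Accesses:\s*(.*?)^\s*Access Reasons:", message, re.M | re.S)
    return [ln.strip() for ln in m.group(1).splitlines() if ln.strip() not in ("", "-")] if m else []


def decode_file_access_mask(mask):
    """Named rights for a File-object access mask, generic rights first."""
    names = [n for bit, n in STANDARD_RIGHTS.items() if mask & bit]
    return names + [n for bit, n in FILE_RIGHTS.items() if mask & bit]


def extract_privileges(message):
    """Se*Privilege tokens listed after 'Privileges Used for Access Check:'."""
    if "Privileges Used for Access Check:" not in message:
        return []
    return re.findall(r"\bSe\w+Privilege\b", message.split("Privileges Used for Access Check:", 1)[1])


def triage_lsass_handle(message):
    obj_type = _field(message, "Object Type") or ""
    obj_name = _field(message, "Object Name") or ""
    mask = int(_field(message, "Access Mask") or "0x0", 16)
    result = {
        "object_type": obj_type,
        "process_name": _field(message, "Process Name"),
        "subject_is_local_system": _field(message, "Security ID") == "S-1-5-18",  # LOCAL SYSTEM
        "privileges": extract_privileges(message),
        "listed_accesses": listed_accesses(message),
        "decoded_accesses": [],
        "mask_matches_listing": None,
        "verdict": "not_lsass",
    }
    if not obj_name.lower().endswith("lsass.exe"):
        return result
    if obj_type == "Process":
        # Handle to the running LSASS process: the case a memory-dump rule should fire on.
        result["verdict"] = "process_handle"
    elif obj_type == "File":
        # Handle to the lsass.exe image on disk, not to process memory.
        result["verdict"] = "file_handle"
        result["decoded_accesses"] = decode_file_access_mask(mask)
        result["mask_matches_listing"] = result["decoded_accesses"] == result["listed_accesses"]
    else:
        result["verdict"] = "other_object_type"
    return result


if __name__ == "__main__":
    for label, evt in (("posted", POSTED_EVENT), ("constructed", CONSTRUCTED_PROCESS_EVENT)):
        print(label, triage_lsass_handle(evt))
```

For the posted event the verdict is `file_handle`: the subject is LOCAL SYSTEM, the privileges are SeBackupPrivilege and SeRestorePrivilege (file backup/restore rights, not SeDebugPrivilege), and the decoded mask reproduces the nine rights in the Accesses block exactly. A rule that is meant to catch LSASS memory access should key on Object Type Process (or on a process-access event source) rather than on any handle whose Object Name ends in lsass.exe.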