Prevent LSASS.exe Process Cloning

AndyMuschlewski · April 10, 2025, 10:38pm

What is a one sentence summary of your feature request?

Add the ability to prevent LSASS.exe process cloning on Domain Controllers

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Process cloning is a potential way malicious actors can circumvent LSASS Guardian and other protections on the LSASS process. If Threat Prevention had the ability to prevent process cloning or the ability to protect the cloned LSASS process, this would stop attackers in their tracks.

How do you currently solve the challenges you have by not having this feature?

The only way to solve this problem today would be with a solution on the Domain Controller to monitor use of tools that can be leveraged to perform process cloning and potentially block them.

kevin.joyce · April 16, 2025, 3:58pm

I actually recently saw some research published on this and it’s something the development team has in their queue to investigate. Marking this as under review as they do their investigation.

Topic		Replies	Views
Active Directory Certificate Services Monitoring & Blocking Ideas threat-prevention , under-review , ideas	1	20	April 16, 2025
New Check: Potentially malicious gPCFileSysPath Ideas under-review , ideas	1	20	April 15, 2025
Capture Time To Live Value with Group Membership Changes Ideas threat-prevention , under-review , ideas	1	18	April 16, 2025
Command Restrictions on Linux Ideas in-progress , ideas	1	33	April 10, 2025
Password Change Rollback Ideas recovery-active-directory , under-review , ideas	1	7	April 16, 2025

Prevent LSASS.exe Process Cloning

What is a one sentence summary of your feature request?

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

How do you currently solve the challenges you have by not having this feature?

Related topics