Skip to content

Hide Navigation Hide TOC

User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' (6daac7fc-77d1-449a-a71a-e6b4d59a0e54)

The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.

Cluster A Galaxy A Cluster B Galaxy B Level
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' (6daac7fc-77d1-449a-a71a-e6b4d59a0e54) Sigma-Rules Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 1
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 2