PASSED | server / windows_lsass_memory_leak

Windows LSASS Memory Leak

The Local Security Authority Subsystem Service (LSASS) on a domain controller develops a memory leak after a security update, consuming increasing amounts of RAM until the server becomes unresponsive. Authentication requests fail as memory pressure increases.

Pattern: MEMORY_EXHAUSTION
Severity: CRITICAL
Confidence: 92%
Remediation: Remote Hands

Test Results

Metric | Expected | Actual | Result
Pattern Recognition | MEMORY_EXHAUSTION | MEMORY_EXHAUSTION |
Severity Assessment | CRITICAL | CRITICAL |
Incident Correlation | Yes | 9 linked |
Cascade Escalation | N/A | No |
Remediation | Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

Windows Server 2022 domain controller. LSASS memory growing 500MB/hour. Server has 32GB RAM. Memory leak triggered by NTLM authentication requests. Kerberos ticket validation also affected as memory pressure increases.

Injected Error Messages (2)

Domain controller dc02 LSASS process memory leak — lsass.exe consuming 28GB of 32GB RAM and growing, authentication requests failing due to memory pressure, LDAP bind operations rejected, memory leak rate: 500MB/hour since last security update, system critically low on available memory
LDAP service degraded on dc02 — memory leak in LSASS causing out of memory conditions, Kerberos ticket validation failing, domain authentication impacted for all users authenticating against this DC

Neural Engine Root Cause Analysis

The LSASS (Local Security Authority Subsystem Service) process on domain controller dc02 is experiencing a severe memory leak, consuming 28GB of the available 32GB RAM with a growth rate of 500MB/hour since the last security update. This memory exhaustion is causing authentication failures and LDAP bind operation rejections, effectively rendering the domain controller non-functional. The correlation with a recent security update strongly suggests the patch introduced a regression or compatibility issue causing the LSASS process to leak memory continuously.

Remediation Plan

1. Immediately restart the LSASS service or reboot dc02 to restore immediate functionality and clear memory leak.
2. Monitor memory usage closely after restart to confirm if leak persists.
3. If leak continues, investigate the recent security update for known issues and consider rollback if safe to do so.
4. Check Windows Update history and review Microsoft security bulletins for LSASS-related issues.
5. Implement memory monitoring alerts for LSASS process.
6. Consider engaging Microsoft support if the issue persists after update rollback.

Tested: 2026-03-30 | Monitors: 2 | Incidents: 2 | Test ID: cmncjyadi05q8obqe873s4xmw