Deny Policy Action When Content of lsass.exe Is Requested
search cancel

Deny Policy Action When Content of lsass.exe Is Requested

book

Article ID: 286129

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Observations with the type "Tamper" are reported on the Investigate page, similar to:     
    The application <applicationprocess.exe> requested the content of lsass.exe. A Deny policy action was applied.
  • No alert is reported on the Alerts page.
  • No block is reported in the Sensor UI of the impacted machine.

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.8.0.722 - 3.9.1.2691
  • Microsoft Windows: All Supported Versions

Cause

  • The application process is making a memory access request to lsass.exe at a more egregious level of permission than is considered safe or required, effectively requesting "full access" to the Local Security Authority process. 
  • In response, the Sensor denies the OpenProcess request by stripping excess access bits, though it does not block nor terminate the application process nor prevent it from executing.
  • For the most part, applications are unaffected by this protection and only processes that rely on the inappropriate permissions will fail.

Resolution

  1. Upgrade to sensor version 3.9.2+.
    • 3.9.2 resolves many false positives
    • In 3.9.2 this rule has been removed from the built-in "Tamper" ruleset and is instead now part of the "Credential Theft" Core Prevention ruleset.
  2. If an exclusion is still needed, one can be added within the "Prevention" tab of the policy by navigating to Core Prevention > Credential Theft and clicking "Add Exclusion".

Additional Information

  • These Observations can be filtered out of search results by appending Investigate page queries with the following negation logic
    AND NOT (sensor_action:DENY AND crossproc_name:lsass.exe AND attack_technique:T1003.001)
  • If a sensor is not able to be upgraded to 3.9.2 and the lsass protections are causing application interoperability issues, the below steps can be taken on sensors 3.8.x - 3.9.1.x
    1. Navigate to Enforce > Policies > Relevant Policy > Prevention > Permissions
    2. Add a "permissions" rule with criteria:
      • File Path: <EnterPath>
      • Operation Attempt: Scrapes memory of another process:
      • Action: Allow