Carbon Black Cloud: Deny Policy Action When Content of lsass.exe Is Requested

search cancel

book

calendar_today

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Observations with the type "Tamper" are reported on the Investigate page, similar to:

The application <applicationprocess.exe> requested the content of lsass.exe. A Deny policy action was applied.

The application process is making a memory access request to lsass.exe at a more egregious level of permission than is considered safe or required, effectively requesting "full access" to the Local Security Authority process.
In response, the Sensor denies the OpenProcess request by stripping excess access bits, though it does not block nor terminate the application process nor prevent it from executing.
For the most part, applications are unaffected by this protection and only processes that rely on the inappropriate permissions will fail.

Upgrade to sensor version 3.9.2+.
- 3.9.2 resolves many false positives
- In 3.9.2 this rule has been removed from the built-in "Tamper" ruleset and is instead now part of the "Credential Theft" Core Prevention ruleset.
If an exclusion is still needed, one can be added within the "Prevention" tab of the policy by navigating to Core Prevention > Credential Theft and clicking "Add Exclusion".

These Observations can be filtered out of search results by appending Investigate page queries with the following negation logic
```
AND NOT (sensor_action:DENY AND crossproc_name:lsass.exe AND attack_technique:T1003.001)
```
If a sensor is not able to be upgraded to 3.9.2 and the lsass protections are causing application interoperability issues, the below steps can be taken on sensors 3.8.x - 3.9.1.x
1. Navigate to Enforce > Policies > Relevant Policy > Prevention > Permissions
2. Add a "permissions" rule with criteria:
  - File Path: <EnterPath>
  - Operation Attempt: Scrapes memory of another process:
  - Action: Allow

thumb_up Yes

thumb_down No