Carbon Black Cloud: Deny Policy Action When Content of lsass.exe Is Requested
Article ID: 286129
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Observations with the type "Tamper" are reported on the Investigate page, similar to:
The application <applicationprocess.exe> requested the content of lsass.exe. A Deny policy action was applied.
No alert is reported on the Alerts page.
No block is reported in the Sensor UI of the impacted machine.
Environment
Carbon Black Cloud Console: All Versions
Carbon Black Cloud Sensor: 3.8.0.722 - 3.9.1.2691
Microsoft Windows: All Supported Versions
Cause
The application process is making a memory access request to lsass.exe with a higher level of access than is considered safe or required, effectively requesting "full access" to the Local Security Authority process.
In response, the Sensor denies the OpenProcess request by stripping the excess access bits; it does not block or terminate the application process, nor prevent it from executing.
For the most part, applications are unaffected by this protection, and only processes that rely on the inappropriate permissions will fail.
Resolution
Upgrade to sensor version 3.9.2+.
Sensor version 3.9.2 resolves many of these false positives.
In 3.9.2 this rule has been removed from the built-in "Tamper" ruleset and is now part of the "Credential Theft" Core Prevention ruleset.
If an exclusion is still needed, one can be added within the "Prevention" tab of the policy by navigating to Core Prevention > Credential Theft and clicking "Add Exclusion".
Additional Information
These Observations can be filtered out of search results by appending Investigate page queries with the following negation logic:
AND NOT (sensor_action:DENY AND crossproc_name:lsass.exe AND attack_technique:T1003.001)
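As an added example (not code from the article or the product), the following Python applies the same negation logic to constructed observation records, showing which records the query suppresses and which remain visible, such as TERMINATE actions against lsass.exe. The field names come from the query above; the record layout and case-insensitive matching of process names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """Subset of Investigate observation fields named in the article."""
    process_name: str       # the application that made the request
    crossproc_name: str     # the target process (lsass.exe here)
    sensor_action: str      # e.g. DENY, TERMINATE
    attack_technique: str   # MITRE ATT&CK technique id
    observation_type: str   # e.g. Tamper


# Constructed sample records (not real telemetry) covering the cases the
# negation does and does not suppress.
SAMPLE_OBSERVATIONS = [
    Observation("backupagent.exe", "lsass.exe", "DENY", "T1003.001", "Tamper"),
    Observation("unknown_tool.exe", "lsass.exe", "TERMINATE", "T1003.001", "Tamper"),
    Observation("updater.exe", "winlogon.exe", "DENY", "T1003.001", "Tamper"),
    Observation("monitor.exe", "LSASS.EXE", "DENY", "T1003.001", "Tamper"),
    Observation("svc.exe", "lsass.exe", "DENY", "T1055", "Tamper"),
]


def is_lsass_deny_observation(obs: Observation) -> bool:
    """True when the record matches the parenthesised clause of the query:
    sensor_action:DENY AND crossproc_name:lsass.exe AND
    attack_technique:T1003.001. Case-insensitive comparison of the
    process name is an assumption made in this example."""
    return (
        obs.sensor_action.upper() == "DENY"
        and obs.crossproc_name.lower() == "lsass.exe"
        and obs.attack_technique.upper() == "T1003.001"
    )


def filter_observations(observations):
    """Apply the AND NOT (...) negation: drop only the matching records.
    Anything else, including TERMINATE actions against lsass.exe, stays."""
    return [o for o in observations if not is_lsass_deny_observation(o)]


def suppressed_by_process(observations) -> dict:
    """Count suppressed records per requesting application; this is the list
    to review before deciding whether a Credential Theft exclusion is
    actually warranted for a given application."""
    counts: dict = {}
    for o in observations:
        if is_lsass_deny_observation(o):
            counts[o.process_name] = counts.get(o.process_name, 0) + 1
    return counts
```

The negation hides only the DENY records for lsass.exe tagged T1003.001; a DENY against another process, a different technique id, or a stronger sensor action is still returned by the query.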
If a sensor cannot be upgraded to 3.9.2 and the lsass protections are causing application interoperability issues, the steps below can be taken on sensors 3.8.x - 3.9.1.x