
Carbon Black Cloud: Deny Policy Action When Content of lsass.exe Is Requested

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.8.0.722 and Higher
  • Microsoft Windows: All Supported Versions

Symptoms

  • Events are reported on the Investigate page, similar to:
    The application <applicationprocess.exe> requested the content of lsass.exe. A Deny policy action was applied.
  • No alert is reported on the Alerts page.
  • No block is reported in the Sensor UI of the impacted machine.

Cause

  • The application process has requested a handle to lsass.exe (the Local Security Authority process) with more access rights than are safe or necessary for what it is doing, in effect asking for "full access" (PROCESS_ALL_ACCESS) instead of the narrower rights the operation needs.
  • In response, the Sensor "denies" the OpenProcess request by stripping the excess access rights from the handle that is returned. It does not block or terminate the application process, and the process continues to run.
  • Most applications are unaffected by this protection; only an operation that actually relies on the excessive rights will fail.
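The following PowerShell diagnostic is an added example, not code from Carbon Black or from this article. It shows the behaviour the Cause section describes from the application's side: it opens lsass.exe once with PROCESS_ALL_ACCESS and once with a narrower mask, then reads back the access the kernel actually granted on each handle through NtQueryObject(ObjectBasicInformation). The assumption is that "stripping excess access bits" is observable as a GrantedAccess mask smaller than the mask that was requested; the type and function names (LsassProbe.NativeMethods, Get-GrantedAccess, Test-LsassAccess) are this example's own. Run it elevated (SeDebugPrivilege is needed to open lsass at all) and only on a test machine, because the full-access request is exactly the operation that produces the Deny event on the Investigate page.

```powershell
# Example diagnostic (not Carbon Black code): compare the access requested on a handle to
# lsass.exe with the access actually granted, to see whether excess rights were stripped.

if (-not ('LsassProbe.NativeMethods' -as [type])) {
    Add-Type -Namespace LsassProbe -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);

// ObjectInformationClass 0 = ObjectBasicInformation: a 56-byte OBJECT_BASIC_INFORMATION
// whose second ULONG (offset 4) is the GrantedAccess mask of the handle.
[DllImport("ntdll.dll")]
public static extern int NtQueryObject(IntPtr Handle, int ObjectInformationClass,
    IntPtr ObjectInformation, int ObjectInformationLength, out int ReturnLength);
'@
}

# Process access rights from winnt.h. PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF.
$ProcessRights = [ordered]@{
    PROCESS_TERMINATE                 = 0x0001
    PROCESS_CREATE_THREAD             = 0x0002
    PROCESS_SET_SESSIONID             = 0x0004
    PROCESS_VM_OPERATION              = 0x0008
    PROCESS_VM_READ                   = 0x0010
    PROCESS_VM_WRITE                  = 0x0020
    PROCESS_DUP_HANDLE                = 0x0040
    PROCESS_CREATE_PROCESS            = 0x0080
    PROCESS_SET_QUOTA                 = 0x0100
    PROCESS_SET_INFORMATION           = 0x0200
    PROCESS_QUERY_INFORMATION         = 0x0400
    PROCESS_SUSPEND_RESUME            = 0x0800
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    PROCESS_SET_LIMITED_INFORMATION   = 0x2000
    DELETE                            = 0x00010000
    READ_CONTROL                      = 0x00020000
    WRITE_DAC                         = 0x00040000
    WRITE_OWNER                       = 0x00080000
    SYNCHRONIZE                       = 0x00100000
}
$PROCESS_ALL_ACCESS = [int64]0x1FFFFF

function Get-GrantedAccess {
    param([IntPtr]$Handle)
    $size = 56   # sizeof(OBJECT_BASIC_INFORMATION)
    $buf  = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
    try {
        $returned = 0
        $status = [LsassProbe.NativeMethods]::NtQueryObject($Handle, 0, $buf, $size, [ref]$returned)
        if ($status -ne 0) { throw ('NtQueryObject failed, NTSTATUS 0x{0:X8}' -f $status) }
        # GrantedAccess follows the Attributes ULONG, so it sits at offset 4.
        return ([int64][Runtime.InteropServices.Marshal]::ReadInt32($buf, 4)) -band 0xFFFFFFFF
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

function Test-LsassAccess {
    param([int64]$Requested)
    $lsass = Get-Process -Name lsass -ErrorAction Stop | Select-Object -First 1
    $h = [LsassProbe.NativeMethods]::OpenProcess([uint32]$Requested, $false, [uint32]$lsass.Id)
    if ($h -eq [IntPtr]::Zero) {
        # Windows refused the handle outright, for example Win32 error 5 (ERROR_ACCESS_DENIED)
        # when the caller lacks SeDebugPrivilege or LSA protection (RunAsPPL) is enabled.
        # That is different from the Sensor's behaviour, which still returns a handle.
        return [pscustomobject]@{
            Requested  = '0x{0:X}' -f $Requested
            Granted    = 'none'
            Stripped   = 'n/a'
            Win32Error = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        }
    }
    try {
        $granted  = Get-GrantedAccess -Handle $h
        $stripped = $Requested -band (-bnot $granted) -band 0xFFFFFFFF
        $names    = $ProcessRights.GetEnumerator() |
                    Where-Object { ($stripped -band $_.Value) -ne 0 } |
                    ForEach-Object { $_.Key }
        $strippedText = if ($names) { $names -join ', ' } else { 'nothing' }
        [pscustomobject]@{
            Requested  = '0x{0:X}' -f $Requested
            Granted    = '0x{0:X}' -f $granted
            Stripped   = $strippedText
            Win32Error = 0
        }
    } finally {
        [void][LsassProbe.NativeMethods]::CloseHandle($h)
    }
}

# The request this article is about: every right, including PROCESS_VM_WRITE and
# PROCESS_CREATE_THREAD, which a credential dumper wants but a memory reader does not need.
Test-LsassAccess -Requested $PROCESS_ALL_ACCESS | Format-List

# A narrower request for comparison (what ReadProcessMemory-based tooling needs). The article
# does not say how the Sensor treats this mask; the comparison only shows which rights the
# full-access request lost.
Test-LsassAccess -Requested ($ProcessRights.PROCESS_QUERY_INFORMATION -bor $ProcessRights.PROCESS_VM_READ) | Format-List
```

Reading the output: a Granted mask smaller than Requested, together with a Deny event for powershell.exe on the Investigate page, is the Sensor stripping the excess rights while the script keeps running, as the Cause section describes. A Win32Error of 5 with no handle at all means Windows itself refused the open (missing SeDebugPrivilege or LSA protection), which is unrelated to the policy action.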

Resolution

If the application process is trusted and the lsass protections are causing interoperability issues, create an Allow or Allow & Log permission for the memory scraping operation:
  1. Log in to the Console and navigate to Enforce > Policies > Relevant Policy > Prevention.
  2. Add a new permission using the process path from the Event, and set the operation Scrapes memory of another process to Allow. Example:
    Applications at path: *:\path\applicationprocess.exe > Scrapes memory of another process > Allow
    
Note: A Bypass Permission will not prevent these policy actions from occurring, an Allow or Allow & Log permission is required.

Additional Notes

  • In some cases, an Allow & Log permission will not resolve the policy action; an Allow permission must be used instead.
  • Upgrading to Sensor 3.9.2 or later reduces the overall volume of these Observations reported to the Console.
  • These Observations can be filtered out of Investigate search results by appending the following negation to the query:
    AND NOT (sensor_action:DENY AND crossproc_name:lsass.exe AND attack_technique:T1003.001)

Article Information
Creation Date: 04-10-2023