Carbon Black Cloud: Deny Policy Action When Content of lsass.exe Is Requested
Carbon Black Cloud Console: All Versions
Carbon Black Cloud Sensor: 18.104.22.1682 and Higher
Microsoft Windows: All Supported Versions
Events are reported on the Investigate page, similar to:
The application <applicationprocess.exe> requested the content of lsass.exe. A Deny policy action was applied.
No alert is reported on the Alerts page.
No block is reported in the Sensor UI of the impacted machine.
The application process is making a memory access request to lsass.exe at a more egregious level of permission than is considered safe or required, effectively requesting "full access" to the Local Security Authority process.
In response, the Sensor denies the OpenProcess request by stripping the excess access bits; it does not block or terminate the application process, nor prevent it from executing.
Most applications are unaffected by this protection; only operations that depend on the stripped permissions will fail.
If the application process is trusted and the lsass protections are causing application interoperability issues, create an Allow or Allow & Log permission for memory scraping operations.
Log into the Console and navigate to Enforce > Policies > Relevant Policy > Prevention
Add a new permission using the process path from the Event to Allow the operation: Scrapes memory of another process. Example:
Applications at path: *:\path\applicationprocess.exe > Scrapes memory of another process > Allow
Note: A Bypass Permission will not prevent these policy actions from occurring, an Allow or Allow & Log permission is required.
In some cases, an Allow & Log permission will not resolve the policy action and an Allow permission must be used instead.
Upgrading to Sensor 3.9.2+ will reduce the overall volume of these Observations reported to the Console.
These Observations can be filtered out of search results by appending the following negation clause to Investigate page queries.
AND NOT (sensor_action:DENY AND crossproc_name:lsass.exe AND attack_technique:T1003.001)
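The following script is an added example, not part of the Carbon Black KB article or the product. It reproduces the negation clause above as a local predicate over observation records, and uses the same predicate to tally which application paths are hitting the lsass protection, which is the information needed to write the Allow permission described earlier. The observation records are constructed; the field names sensor_action, crossproc_name and attack_technique come from the query above, while process_path is assumed here for illustration and may not match the real Investigate schema.

```python
"""Triage helper for Carbon Black Cloud lsass Deny observations.

Added example; not Carbon Black's code. Records are constructed to mirror
the fields used by the KB's Investigate query. The process_path field is an
assumption for this example.
"""
from collections import Counter

# Constructed sample observations (not real telemetry).
SAMPLE_OBSERVATIONS = [
    {"sensor_action": "DENY", "crossproc_name": "lsass.exe",
     "attack_technique": "T1003.001", "process_path": r"C:\Tools\backupagent.exe"},
    # Same application, different case on the target name.
    {"sensor_action": "DENY", "crossproc_name": "LSASS.EXE",
     "attack_technique": "T1003.001", "process_path": r"C:\Tools\backupagent.exe"},
    {"sensor_action": "DENY", "crossproc_name": "lsass.exe",
     "attack_technique": "T1003.001", "process_path": r"C:\Monitoring\monitor.exe"},
    # Already allowed by policy: not a Deny, so not matched.
    {"sensor_action": "ALLOW", "crossproc_name": "lsass.exe",
     "attack_technique": "T1003.001", "process_path": r"C:\Program Files\EDR\agent.exe"},
    # A Deny against a different process and technique: not matched.
    {"sensor_action": "DENY", "crossproc_name": "explorer.exe",
     "attack_technique": "T1055", "process_path": r"C:\Windows\System32\notepad.exe"},
]


def is_lsass_deny(obs):
    """Local equivalent of the query term
    sensor_action:DENY AND crossproc_name:lsass.exe AND attack_technique:T1003.001.
    Process names are compared case-insensitively, as Windows paths are."""
    return (obs.get("sensor_action") == "DENY"
            and obs.get("crossproc_name", "").lower() == "lsass.exe"
            and obs.get("attack_technique") == "T1003.001")


def apply_negation(observations):
    """Equivalent of appending 'AND NOT (...)' to an Investigate query:
    keeps every observation that is not an lsass Deny."""
    return [o for o in observations if not is_lsass_deny(o)]


def deny_counts_by_path(observations):
    """Which application paths trigger the lsass protection, and how often.
    High counts from a trusted path are candidates for an Allow permission."""
    return Counter(o["process_path"] for o in observations if is_lsass_deny(o))


def allow_permission_path(process_path):
    """Rewrite a concrete path into the drive-agnostic pattern the KB uses
    for the permission (*:\\path\\applicationprocess.exe)."""
    drive, sep, rest = process_path.partition(":")
    if sep and len(drive) == 1:
        return "*:" + rest
    return process_path


if __name__ == "__main__":
    print("remaining after negation:", len(apply_negation(SAMPLE_OBSERVATIONS)))
    for path, count in deny_counts_by_path(SAMPLE_OBSERVATIONS).most_common():
        print(f"{count:3d}  {path}  ->  Allow pattern: {allow_permission_path(path)}")
```

Running the script lists each path that has been denied access to lsass.exe with its hit count, so that only trusted applications with a known reason to read lsass memory are granted the "Scrapes memory of another process" Allow permission; everything else stays denied and can be hidden from Investigate results with the negation clause.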