Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: Deny Policy Action When Content of lsass.exe Is Requested

Carbon Black Cloud: Deny Policy Action When Content of lsass.exe Is Requested


  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: and Higher
  • Microsoft Windows: All Supported Versions


  • Events are reported on the Investigate page, similar to:     
    The application <applicationprocess.exe> requested the content of lsass.exe. A Deny policy action was applied.
  • No alert is reported on the Alerts page.
  • No block is reported in the Sensor UI of the impacted machine.


  • The application process is making a memory access request to lsass.exe at a more egregious level of permission than is considered safe or required, effectively requesting "full access" to the Local Security Authority process. 
  • In response, the Sensor denies the OpenProcess request by stripping excess access bits, though it does not block nor terminate the application process nor prevent it from executing.
  • For the most part, applications are unaffected by this protection and only processes that rely on the inappropriate permissions will fail.


If the application process is trusted and the lsass protections are causing application interoperability issues, create an Allow or Allow & Log permission for memory scraping operations.
  1. Log into the Console and navigate to Enforce > Policies > Relevant Policy > Prevention
  2. Add a new permission using the process path from the Event to Allow the operation: Scrapes memory of another process. Example:
    Applications at path: *:\path\applicationprocess.exe > Scrapes memory of another process > Allow
Note: A Bypass Permission will not prevent these policy actions from occurring, an Allow or Allow & Log permission is required.

Additional Notes

  • In some cases, an Allow & Log permission will not resolve the policy action and an Allow permission must be used instead.
  • Upgrading to Sensor 3.9.2+ will reduce the overall volume of these Observations reported to the Console.
  • These Observations can be filtered out of search results by appending Investigate page queries with the following negation logic.
    AND NOT (sensor_action:DENY AND crossproc_name:lsass.exe AND attack_technique:T1003.001)

Related Content

Was this article helpful? Yes No
No ratings
Article Information
Creation Date: