-
-
Notifications
You must be signed in to change notification settings - Fork 175
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cisco Secure Endpoint alarms about access to lsass.exe #982
Comments
Pretty good chance that this is a false positive from Cisco, but just in case I think we can probably introduce a global blacklist of executables against which no Win32 API calls are ever made by komorebi. Edit: Actually we can't do that because we need to call OpenProcess to get the Exe to filter against 😅 Your best bet is to take this up with Cisco as this is most likely a bug with their software and not with komorebi, which only interacts with other processes through the publicly available Win32 APIs, and only does so to look up executable names and paths. |
@LGUG2Z , thank you for quick respond. The idea with blacklist of system protected processes sounds very good. I've added tracing names of accessing widows/processes in various places of komorebi code.
Off cause I can miss some places in the codebase of komorebi, the project is new for me and I'm not familiar with Rust (I'm from C++ world). PS: |
Update: |
@LGUG2Z , The problem is not in komorebi.exe, it's in This privilege provides complete access to sensitive and critical operating system components. The privilege can be shown for running process for example by using Process Explorer https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer. When I run komorebi.exe directly, it runs without enabling SeDebugPrivilege and Cisco do not alarm about access to lsass.exe process. Of course, it's better to not run komorebi.exe with administrative rights at all, but in this case it loose part of functionality when I often need to work with administrative windows. |
Thank you for this deep dive @SergeyYmb! The code for the komorebi/komorebic/src/main.rs Line 1882 in c06d9af
Is there a way that we can pass a flag to the PowerShell command to explicitly never set |
Did a quick search and this might be relevant? PowerShell/PowerShell#15562 |
If the question is addressed to me, I'm not an expert in PowerShell. There are methods which allows to disable these privileges inside of powershell script. From another side, involving of powershell to just spawning a process seems unnecessary. |
Cisco Secure Endpoint alarms about access to Local Security Authority Subsystem (lsass.exe)
System process protection was triggered by C:\Program Files\komorebi\bin\komorebi.exe (PID 11124) attempting to access C:\Windows\System32\lsass.exe (PID 1184) (SD.Block.SPP). The action was blocked.
Please, see more details about Cisco System Process Protection option here:
https://docs.amp.cisco.com/en/SecureEndpoint/Secure%20Endpoint%20User%20Guide.pdf
Steps to reproduce the behavior:
The alarm seems appears on start of komorebi.
komorebic start --whkd
was run by windows scheduler task with options "Run only when user is logged on" and "Run with highest privileges".OS Name: Microsoft Windows 11 Pro
Additional info:
I've tried to analyze the code to find which action could trigger such alarm.
I found that komorebi.exe calls OpenProcess WinAPI function with PROCESS_QUERY_INFORMATION
(komorebi\src\windows_api.rs, line 730).
Seems it's better call OpenProcess function with PROCESS_QUERY_LIMITED_INFORMATION desired access if process handle is only need for following call of QueryFullProcessImageName function.
See this description https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights#protected-processes
I also added some additional logging and found that sometimes OpenProcess is called with PID=0.
I've tried to rebuild komorebi with option PROCESS_QUERY_LIMITED_INFORMATION, but unfortunately this was not help to avoid new alarm from Cisco.
I don't know how to classify this issue (bug or not), but it's definitely disallow usage of the application in my case.
The text was updated successfully, but these errors were encountered: