TL;DR
LSASS (Local Security Authority Subsystem Service) making connections to multiple IPs is not necessarily malicious, but it’s unusual and warrants investigation. It’s normal for LSASS to connect to Microsoft servers for authentication and time checks. However, unexpected connections could indicate malware attempting to steal credentials or establish a backdoor. This guide helps you investigate.
Investigating Unexpected LSASS Connections
- Understand Normal LSASS Behaviour:
  - LSASS handles authentication on Windows systems.
  - It regularly connects to Microsoft servers for things like Kerberos authentication, time synchronisation (NTP), and CRL/OCSP checks.
  - These connections are usually outbound (initiated from your machine).
- Use Resource Monitor:
  Resource Monitor provides a real-time view of network connections.
  - Open Resource Monitor by searching for it in the Start Menu.
  - Go to the ‘Network’ tab.
  - In the ‘Listening Ports’ section, find LSASS (lsass.exe).
  - Examine the ‘Remote IP Address’ column. Note any IPs you don’t recognise.
- Use TCPView:
  TCPView is a more detailed network connection tool from Sysinternals.
  - Download TCPView from Microsoft’s website.
  - Run TCPView as an administrator.
  - Filter the list to show only connections associated with lsass.exe (use the ‘Process Name’ column).
  - Look for unusual remote IP addresses and ports.
- Check Connection Details:
  For any suspicious IPs identified, gather more information.
  - Reverse DNS Lookup: Use a tool like nslookup in the command prompt to find the hostname associated with the IP address. This can give you clues about who owns the IP (e.g. nslookup [IP Address]).
  - WHOIS Lookup: Use a WHOIS lookup service (e.g., DomainTools) to find registration information for the IP address.
  - VirusTotal: Check the IP address on VirusTotal (https://www.virustotal.com/) to see if it’s been flagged as malicious by any security vendors.
- Examine LSASS Process:
  Look for anomalies within the LSASS process itself.
  - Process Explorer: Use Process Explorer (also from Sysinternals) to examine the handles and DLLs loaded by lsass.exe.
    - Download Process Explorer from Microsoft’s website.
    - Run Process Explorer as an administrator.
    - Find lsass.exe in the process list.
    - Check the ‘Handles’ tab for unusual file or registry key access.
    - Check the ‘DLLs’ tab for any DLLs that don’t belong to Microsoft. Malware often injects itself into LSASS by loading malicious DLLs.
  - Check Security Logs: Review Windows Event Logs (specifically the Security log) for events related to lsass.exe, focusing on authentication failures or unusual account activity.
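The connection listing, reverse DNS lookup and non-Microsoft DLL check from the steps above can be scripted in one pass. This is an added example, not code from the original guide; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and that LSA Protection is not blocking module enumeration.

```powershell
# Added example (not from the original guide): snapshot lsass.exe TCP connections
# and loaded modules, reverse-resolving each remote IP and flagging modules whose
# Authenticode signer is missing, invalid, or not Microsoft.
#Requires -RunAsAdministrator

$lsass = Get-Process -Name lsass -ErrorAction Stop

# 1. Established/other non-listening TCP connections owned by lsass,
#    skipping unspecified and loopback addresses, with a PTR lookup per remote IP.
$connections = Get-NetTCPConnection -OwningProcess $lsass.Id -ErrorAction SilentlyContinue |
    Where-Object { $_.State -ne 'Listen' -and $_.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1' }

$connections | ForEach-Object {
    $ptr = Resolve-DnsName -Name $_.RemoteAddress -Type PTR -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty NameHost
    [pscustomobject]@{
        State      = $_.State
        RemoteIP   = $_.RemoteAddress
        RemotePort = $_.RemotePort
        LocalPort  = $_.LocalPort
        PtrName    = if ($ptr) { $ptr } else { '<no PTR record>' }
    }
} | Format-Table -AutoSize

# 2. Modules loaded into lsass whose signature is not a valid Microsoft signature.
#    Enumerating $lsass.Modules fails when LSA Protection (RunAsPPL) is enabled;
#    that failure is expected on a hardened host, not a sign of compromise.
$lsass.Modules | ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FileName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        [pscustomobject]@{
            Module = $_.ModuleName
            Path   = $_.FileName
            Status = $sig.Status
            Signer = $signer
        }
    }
} | Format-Table -AutoSize
```

Treat the second table as leads to confirm in Process Explorer rather than a verdict: files signed only through a catalog can show a non-Valid status on some builds, and a valid third-party signature (e.g. a legitimate credential provider or password filter) still merits a look.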
- Network Traffic Analysis (Advanced):
  If you suspect malicious activity, capture and analyze network traffic using a tool like Wireshark.
  - Download Wireshark from Wireshark’s website.
  - Capture traffic on the network interface your machine uses.
  - Filter the capture to show only traffic involving lsass.exe or specific suspicious IPs.
  - Analyze the captured packets for unusual protocols, data patterns, or communication with known malicious servers.
- Run a Full System Scan:
  Use your antivirus software (and consider a second opinion scanner) to perform a full system scan.
  - Ensure your antivirus definitions are up-to-date before scanning.
  - Consider using tools like Malwarebytes or HitmanPro for additional scans.
Important Considerations
- Outbound vs. Inbound: Outbound connections from LSASS are more common (and less concerning) than inbound connections *to* LSASS.
- Dynamic IPs: A connection to a dynamic IP address that changes frequently is less likely to be malicious, but still requires investigation.
- False Positives: Be aware of the possibility of false positives. Some legitimate software may cause temporary connections that appear suspicious.