3

I was notified by my university's infosec team that one of my lab's computers had been infected by ransomware. They shut down the computer's network connections using Crowdstrike and are insisting that the hard drive needs to be reimaged.

The computer was only just put on the network on Friday, it runs Windows 7 Professional, Service Pack 1. IT did not even have time to update Windows before the network connection was blocked on Monday morning.

The computer has been behaving as expected. No erratic behavior has been noticed.

Infosec cited the computer's lsass.exe file as a concern (SHA256: 620638756a5ee6ea933a7a4c94e7dd2537e2a7345bbeff72d28271c0174d10a2). They stated that this lsass.exe file is "associated" with mssecsvc.exe (SHA256: 74d72f5f488bd3c2e28322c8997d44ac61ee3ccc49b7c42220472633af95c0c0).

Searching the computer's hard disk shows that there is an lsass.exe file. There is no mssecsvc file. Full scans with Norton antivirus show 0 threats (not even a tracking cookie). The computer is expressly not used for web browsing or e-mail. The network connection only exists to provide access to local network files.

Reimaging the computer is excessively expensive, as doing so requires full recalibration of attached lab equipment. I'm convinced that this was a false positive.

My question is: Am I correct? Is this computer infected? Secondarily: How do I convince an infosec professional that they are wrong about a file being malware?

Thanks in advance!

Edit for additional requested information:

A screenshot of the following Crowdstrike message was shared:

lsass.exe
ASSOCIATED BEHAVIOR: High Severity Intel Detection
A hash matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.
Associated IOC (SHA256 on file write): 74d72f5f488bd3c2e28322c8997d44ac61ee3ccc49b7c42220472633af95c0c0
FILE PATH: \Device\HarddiskVolume2\Windows\System32\lsass.exe
SHA256: 620638756a5ee6ea933a7a4c94e7dd2537e2a7345bbeff72d28271c0174d10a2
COMMAND LINE: C:\Windows\system32\lsass.exe
USER NAME: [redacted]
START / END TIME: Feb 5., 2018 08:33:03

The following link was then shared: https://www.virustotal.com/en/file/74d72f5f488bd3c2e28322c8997d44ac61ee3ccc49b7c42220472633af95c0c0/analysis/74d72f5f488bd3c2e28322c8997d44ac61ee3ccc49b7c42220472633af95c0c0

matt2103
    Just tell them to check again. Quick google reveals that the lsass file is OK and the mssesvc is not, but you dont have that file. There's no association between these files. You have lsass file from generic windows 7 sp1. – Aria Feb 06 '18 at 21:02
  • 1
    Did they share why they believe it to be infected? – Goose Feb 06 '18 at 21:32
  • @Goose See my edit – matt2103 Feb 06 '18 at 21:40
  • So how did lsass.exe get on the computer? Is it a legitimate file? – Goose Feb 06 '18 at 21:52
  • @Goose lsass.exe is an essential file for all Windows computers. It controls user login credentials ... so yes, it is legitimate, and it was placed on the computer during installation of Windows. I believe the worry is that malicious code has been appended to this legitimate file--but I don't know how to prove that that didn't happen. – matt2103 Feb 06 '18 at 21:56
  • You misunderstood the message. It says 620638756a5ee6ea933a7a4c94e7dd2537e2a7345bbeff72d28271c0174d10a2 (lsass.exe) performed a file-write operation that lead to 74d72f5f488bd3c2e28322c8997d44ac61ee3ccc49b7c42220472633af95c0c0 being written to disk. This means code was likely injected into lsass.exe – Raindog Feb 09 '18 at 21:03

3 Answers

3

There are actually a few red flags here that stand out to me.

The computer was only just put on the network on Friday, it runs Windows 7 Professional, Service Pack 1. IT did not even have time to update Windows before the network connection was blocked on Monday morning.

Reads: You attached a computer running an outdated, unpatched version of Windows to a university network. It has no immune system and you just exposed it to whatever pathogens are floating around on the network, and given it's a university, there will be many.

The computer has been behaving as expected. No erratic behavior has been noticed.

Reads: The ransomware is doing its job as designed. You're not supposed to notice anything erratic.

Infosec cited the computer's lsass.exe file as a concern (SHA256: 620638756a5ee6ea933a7a4c94e7dd2537e2a7345bbeff72d28271c0174d10a2). They stated that this lsass.exe file is "associated" with mssecsvc.exe (SHA256: 74d72f5f488bd3c2e28322c8997d44ac61ee3ccc49b7c42220472633af95c0c0).

Searching the computer's hard disk shows that there is an lsass.exe file. There is no mssecsvc file.

Malware can be dynamic in nature. Just because a compromised lsass.exe took advantage of mssecsvc in cases we know about doesn't mean it's not abusing some other executable in your case.

Obviously you have lsass.exe on your box; all Windows computers do. They're telling you you're pwned because your lsass hash matches that of known compromised versions. Have you hashed your copy of it to verify or disavow their claim?

Full scans with Norton antivirus show 0 threats (not even a tracking cookie)

Reads: Your local AV is possibly compromised.

The computer is expressly not used for web browsing or e-mail. The network connection only exists to provide access to local network files.

A lot of ransomware explicitly uses local network shares to spread itself once it worms its way into your network. That is not a substitute for protection.

Unfortunately this may not be a false positive. I understand the stakes but try to work with them to remediate this situation. Even if you are in the right, it's likely they saw you had an unpatched, exploitable version of lsass on your machine based on the hash, which has been previously leveraged in other attacks. You might see if they'd be willing to give you DMZ internet access so you can get it patched, update your AV signatures and see if they'd re-evaluate your machine.

Ivan
  • "They're telling you you're pwned because your lsass hash matches that of known compromised versions" No. See above. They're telling me that my lsass hash matches that of the standard lsass.exe hash. Also see: https://www.virustotal.com/en/file/620638756a5ee6ea933a7a4c94e7dd2537e2a7345bbeff72d28271c0174d10a2/analysis/ – matt2103 Feb 06 '18 at 22:35
  • Fair enough, but your system still is not up-to-date. Assuming you are in the right, it's likely they saw you had an unpatched, exploitable version of lsass on your machine based on the hash, which has been previously leveraged in other attacks. You might see if they'd be willing to give you DMZ internet access so you can get it patched, update your AV signatures and see if they'd re-evaluate your machine. – Ivan Feb 06 '18 at 22:43
  • That ... makes a LOT of sense. I can understand much better why they blocked the computer in the first place. Thank you! – matt2103 Feb 06 '18 at 22:51
  • @matt2103 Eh don't thank me yet, go see if you can convince them ;) – Ivan Feb 06 '18 at 23:19
  • @matt2103 looking at the VT link you can see that Norton (Symantec) detects this threat. This means your AV signatures are out of date. – Raindog Feb 09 '18 at 21:05
2

LSASS is the Local Security Authority Subsystem Service, which is part of Windows and is targeted by malware to extract user credentials from memory. So yes, LSASS is normally a legitimate file.

Now the pain point: listen to your infosec team. If this is ransomware, it may have been trying to access LSASS to extract credentials so it can move laterally in your network. Not being able to find a file on disk doesn't mean it's not there.

Local AV not detecting it - are your AV signatures up to date? If you only just connected the box to the network, most likely not. An unpatched machine on the network as well, for a network share, sounds like an SMB exploit has been used to infect your machine.

Listen to your infosec team - they are in a better position than you to make the call on this.

McMatty
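An added example, not part of any answer on this page, that does the two things the answers above ask for: hash your own copy of lsass.exe and verify its signature (Ivan's "Have you hashed your copy of it?"), and stop relying on a file name, since the alert reports the IOC hash "on file write" and McMatty's point is that not finding a file by name proves little. The two hashes are the ones quoted in the question; the search roots and the 50 MB size cap are my assumptions, and nothing here is CrowdStrike's or Microsoft's tooling.

```powershell
# Added example (not from the question or any answer): verify the on-disk
# lsass.exe against the hash the EDR alert quoted, check its Authenticode
# signature, then sweep the disk for any file whose SHA-256 equals the IOC.
# Run from an elevated PowerShell prompt on the affected machine.
$ErrorActionPreference = 'Stop'

# Hashes exactly as quoted in the CrowdStrike alert in the question.
$ReportedLsassHash = '620638756a5ee6ea933a7a4c94e7dd2537e2a7345bbeff72d28271c0174d10a2'
$IocHash           = '74d72f5f488bd3c2e28322c8997d44ac61ee3ccc49b7c42220472633af95c0c0'

$LsassPath = Join-Path $env:SystemRoot 'System32\lsass.exe'

# SHA-256 via .NET so this also runs on the PowerShell 2.0 that ships with
# Windows 7 (Get-FileHash only exists from PowerShell 4.0 onward).
function Get-Sha256Hex {
    param([Parameter(Mandatory=$true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
}

# 1. Does the on-disk lsass.exe still match the hash in the alert?
$localHash = Get-Sha256Hex $LsassPath
Write-Host "lsass.exe SHA-256 : $localHash"
Write-Host "alert hash        : $ReportedLsassHash"
Write-Host ("hash match        : " + ($localHash -eq $ReportedLsassHash))

# 2. Is that binary still carrying a valid Microsoft Authenticode signature?
$sig = Get-AuthenticodeSignature -FilePath $LsassPath
Write-Host "signature status  : $($sig.Status)"
Write-Host "signer            : $($sig.SignerCertificate.Subject)"

# 3. Sweep likely drop locations for any file whose content hashes to the
# IOC, regardless of its name. The alert says "SHA256 on file write", i.e. the
# hash is of what got written, so searching by the name mssecsvc.exe is not
# enough. Roots and size cap are assumptions for this example.
$roots = @($env:SystemRoot, $env:ProgramData, $env:TEMP)
$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Length -gt 0 -and $_.Length -lt 50MB } |
        ForEach-Object {
            try {
                if ((Get-Sha256Hex $_.FullName) -eq $IocHash) { $_.FullName }
            } catch { }   # unreadable/locked files are skipped, not fatal
        }
}
if ($hits) {
    Write-Host "IOC hash found on disk:"
    $hits | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "IOC hash not found under: $($roots -join ', ')"
}

# 4. Persistence check: any installed service whose binary path mentions the
# file name the alert associated with the IOC.
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -match 'mssecsvc' } |
    ForEach-Object { Write-Host "service '$($_.Name)' -> $($_.PathName)" }
```

A matching hash and a valid signature only show that the file on disk is the stock binary; they say nothing about code injected into the running lsass.exe process, which would not change the on-disk hash. A clean result from this script is therefore something to bring to the infosec team alongside their EDR data, not a reason to reconnect the machine on your own.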
-1

I agree with Ivan's answer, and just wanted to pop in info from another angle.

There's currently no known collision of SHA256. Crypto people have been trying to find one for a while now, and have failed.

For this to be a false-positive, you have to believe that the SHA256 hash of a malicious component just happens, in pure coincidence, to match the SHA256 of a component on your OS - and that you managed to accidentally do what the entire crypto community has failed to do.

Kevin
  • See my comment on Ivan's post for a link to the hash of the lsass.exe file on my computer. For this to be a true-positive, you would have to believe that the malicious file has the exact same SHA256 as the legitimate file. – matt2103 Feb 06 '18 at 22:37
  • You're assuming it's just on the files themselves. Take a look at the verbiage you were sent: "A hash matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks." It's hard to believe you got that message if *nothing* matched hash-wise, since, well, it's saying there was a *matched hash*. – Kevin Feb 06 '18 at 22:48