We've recently been seeing new security events being flagged to the SOC for activity involving LSASS usage from the wmiprvse.exe process across multiple Windows servers. We've investigated the wmiprvse.exe process by reviewing the process ID and found it to be the legitimate version of the process.
The leading belief in the department is that there is a legitimate application requiring LSASS in order to function properly, but we're keen to have this confirmed conclusively.
We've tried contacting our SIEM vendor to
- Are there any other steps we should be performing to confirm that this is business as usual/false positive activity?
- Has anyone else found the same activity being flagged by SIEMs?
Please see below the raw event log indicating the wmiprvse.exe process is calling LSASS:
<13>Dec 17 07:36:29 [hostname]
AgentDevice=WindowsLog
AgentLogFile=Microsoft-Windows-Sysmon/Operational
PluginVersion=[version number]
Source=Microsoft-Windows-Sysmon
Computer=[comp. name]
OriginatingComputer=[IP Address]
User=SYSTEM
Domain=NT AUTHORITY
EventID=18
EventIDCode=18
EventType=4
EventCategory=18
RecordNumber=[removed]
TimeGenerated=1576568188
TimeWritten=1576568188
Level=Informational
Keywords=0x8000000000000000
Task=SysmonTask-SYSMON_CONNECT_NAMEDPIPE
Opcode=Info
Message=Pipe Connected: RuleName: EventType: ConnectPipe UtcTime: 2019-12-17 07:36:28.875 ProcessGuid: {352CC6C8-3182-5DF5-0000-0010DFFC0700} ProcessId: 4852 PipeName: \lsass Image: C:\Windows\system32\wbem\wmiprvse.exe
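An added triage helper, not from the original post, that parses Sysmon Event ID 18 records in the key=value layout shown above, keeps only connections to the \lsass pipe, checks each client's full image path (not just the file name) against an allow-list, and counts clients per image as a baseline for the business-as-usual review. The allow-list, host names and sample records are constructed for the example.

```python
import re
from collections import Counter

# Event ID 18 (Pipe Connected) packs its details as "Key: value" pairs in Message.
_KEYS = "RuleName|EventType|UtcTime|ProcessGuid|ProcessId|PipeName|Image"
_MSG_RE = re.compile(rf"({_KEYS}): (.*?)(?=\s?(?:{_KEYS}): |$)")

# Full image paths allowed to open the LSASS pipe (assumed allow-list for this example).
EXPECTED_LSASS_CLIENTS = {
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\windows\system32\svchost.exe",
}

def parse_event(raw):
    """Parse one key=value record and flatten the Message pairs into the dict."""
    fields = {}
    for line in raw.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    for key, value in _MSG_RE.findall(fields.get("Message", "")):
        fields[key] = value.strip()
    return fields

def triage(raw_events):
    """Return (alerts, baseline): alerts are \\lsass connections from images not
    on the allow-list (matched on full path); baseline counts clients per image."""
    alerts, baseline = [], Counter()
    for raw in raw_events:
        ev = parse_event(raw)
        if ev.get("EventID") != "18" or ev.get("PipeName", "").lower() != r"\lsass":
            continue
        image = ev.get("Image", "").lower()
        baseline[image] += 1
        if image not in EXPECTED_LSASS_CLIENTS:
            alerts.append((ev.get("Computer"), ev.get("ProcessId"), ev.get("Image")))
    return alerts, baseline

def _record(computer, pid, image, pipe=r"\lsass"):
    """Constructed sample record in the same layout as the raw event above."""
    return (f"Computer={computer}\nEventID=18\nMessage=Pipe Connected: RuleName: "
            "EventType: ConnectPipe UtcTime: 2019-12-17 07:36:28.875 ProcessGuid: "
            f"{{00000000-0000-0000-0000-000000000000}} ProcessId: {pid} PipeName: {pipe} Image: {image}")

# Constructed sample: two expected clients, a same-name file from another path, an unrelated pipe.
SAMPLE_EVENTS = [
    _record("SRV01", 4852, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    _record("SRV02", 1234, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    _record("SRV02", 9001, r"C:\Users\Public\wmiprvse.exe"),
    _record("SRV03", 777, r"C:\Windows\system32\svchost.exe", pipe=r"\winreg"),
]
```

Running `triage(SAMPLE_EVENTS)` flags only the record whose image lives outside the expected path, while the per-image counts show which clients routinely open the pipe across the estate.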