
Nagios requirement of LSASS access

Posted: Tue Apr 22, 2025 11:19 am
by ipbbw
The Microsoft Attack Surface Reduction (ASR) rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" has highlighted that ncpa.exe is making calls to LSASS, or more specifically is trying to access LSASS.EXE process memory (LSASS: Local Security Authority Subsystem Service, a process in Windows operating systems responsible for enforcing security policies, authenticating users, and managing security logs).

Could you let me know if Nagios is simply enumerating LSASS, or what the real-world impact is on functionality? To date Nagios appears to be operating OK with the ASR rule in Block mode, but the Nagios client is creating noise and I would like to understand its intent with LSASS, or perhaps some functionality may not be working now that hasn't surfaced yet. Thanks.

ASR rule details
https://learn.microsoft.com/en-us/defen ... -subsystem
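To answer the "what is it actually doing and is it audit or block" question from the host's own telemetry rather than from the Defender portal, the following PowerShell triage script is an added example (it is not part of the original post and is not Nagios code). It assumes the rule GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 from Microsoft's ASR rule reference, the Defender operational log's event IDs 1121 (block) and 1122 (audit), and that the event data field named `ID` carries the rule GUID; dump one event with `ToXml()` if your build names fields differently.

```powershell
# Added example (not from the thread, not NCPA code). Run in an elevated PowerShell.
# Rule GUID for "Block credential stealing from the Windows local security authority subsystem".
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# 1. Confirm how the rule is configured on this host.
#    Actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref   = Get-MpPreference
$ids    = @($pref.AttackSurfaceReductionRules_Ids)
$acts   = @($pref.AttackSurfaceReductionRules_Actions)
$action = 'not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $LsassRuleId) { $action = $actionNames[[int]$acts[$i]] }
}
"LSASS ASR rule action on $env:COMPUTERNAME : $action"

# 2. Pull the last week of ASR events and keep those for this rule that mention ncpa.exe.
#    1121 = blocked, 1122 = would have been blocked (audit).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Read EventData by field name instead of relying on the positional Properties order.
    $data = @{}
    $xml = [xml]$e.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $isLsassRule = $data['ID'] -ieq $LsassRuleId
    $isNcpa      = ($data.Values -join ' ') -match 'ncpa\.exe'
    if ($isLsassRule -and $isNcpa) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Mode   = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
            Fields = $data
        }
    }
}

"$(@($hits).Count) ncpa.exe hits for the LSASS rule in the last 7 days"
foreach ($h in $hits) {
    '{0:u} {1}' -f $h.Time, $h.Mode
    $h.Fields | Format-Table -AutoSize | Out-String
}
```

The `Fields` table names the initiating process, the target path (lsass.exe) and the user, which is enough to tell whether the agent binary itself or a plugin it launched is the caller. One caveat before reaching for `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to silence the noise: that exclusion exempts the path from ASR rules generally, not only from the LSASS rule, so an agent that runs as SYSTEM becomes an attractive process to hijack. Keeping the rule in Block mode and confirming that the checks you rely on still return data, as the poster has been doing, is the safer path.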

Re: Nagios requirement of LSASS access

Posted: Wed Apr 23, 2025 11:04 am
by cnorell
ipbbw,

To my knowledge, nothing we ship with Nagios XI will interact with lsass.exe out of the box. I'm guessing either:

1. Some Windows security policy is routing ncpa.exe through lsass.exe to check permissions, or...
2. You have a homebrewed plugin - perhaps acquired from the Nagios Exchange - that will monitor lsass.exe in some manner

Windows is not my primary domain of expertise, so I could be off here. But I am not aware of anything we ship with XI reaching out to the aforementioned process.

Best Regards,

Cory Norell

Re: Nagios requirement of LSASS access

Posted: Wed Apr 23, 2025 1:33 pm
by bbahn
Hello @ipbbw,

NCPA has an endpoint that checks the running processes on your machine. I think this may be what's causing it to try and access LSASS.exe as it is checking all running processes/services.
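If the noise comes from a process inventory, the practical question is which access rights the enumeration requests when it opens each process, because the rule exists to stop reads of LSASS memory, not process listing. The probe below is an added example (not NCPA code and not from the thread) that opens lsass.exe from a non-exempt process with three access masks and reports which succeed. It assumes a local administrator session with the rule in Block mode, and the access mask values from the Windows process security reference; Microsoft's rule description does not spell out exactly which masks are tolerated, so the script reports the outcome instead of assuming it. An open denied with Win32 error 5 (ERROR_ACCESS_DENIED) that is paired with a 1121 event is the rule firing.

```powershell
# Added example (not from the thread, not NCPA code). Elevated PowerShell, rule in Block mode.
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageName(IntPtr hProcess, uint dwFlags, System.Text.StringBuilder lpExeName, ref uint lpdwSize);
'@

# Access masks from winnt.h (Process Security and Access Rights).
$masks = [ordered]@{
    'PROCESS_QUERY_LIMITED_INFORMATION' = 0x1000   # name, path, times, memory counters
    'PROCESS_QUERY_INFORMATION'         = 0x0400   # what many enumerators request out of habit
    'PROCESS_QUERY_INFORMATION|VM_READ' = 0x0410   # what a credential dumper actually needs
}

function Test-ProcessOpen {
    param([int]$ProcessId, [uint32]$Access, [string]$Label)
    $h   = [Probe.Native]::OpenProcess($Access, $false, [uint32]$ProcessId)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -eq [IntPtr]::Zero) {
        return [pscustomobject]@{ Access = $Label; Opened = $false; Win32Error = $err; Image = $null }
    }
    # Prove the handle is usable for the kind of data a process inventory returns.
    $sb = New-Object System.Text.StringBuilder 1024
    [uint32]$len = $sb.Capacity
    $ok = [Probe.Native]::QueryFullProcessImageName($h, 0, $sb, [ref]$len)
    [void][Probe.Native]::CloseHandle($h)
    $image = if ($ok) { $sb.ToString() } else { $null }
    [pscustomobject]@{ Access = $Label; Opened = $true; Win32Error = 0; Image = $image }
}

$lsassPid = (Get-Process -Name lsass).Id
$results = foreach ($m in $masks.GetEnumerator()) {
    Test-ProcessOpen -ProcessId $lsassPid -Access $m.Value -Label $m.Key
}
$results | Format-Table -AutoSize

# Pair the denials with the rule's own record of them.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

If the limited-information open succeeds while the rule is in Block mode, then an inventory that only needs names, PIDs and resource counters does not depend on the access the rule denies, which would be consistent with the poster seeing checks still pass. Whether NCPA's process endpoint requests more than that is a question for its source; the least-privilege fix on the agent side is to open processes with PROCESS_QUERY_LIMITED_INFORMATION only, which also avoids failures on protected processes that no ASR rule is involved in.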