LSASS Memory Dump Handle Access & poqexec.exe?

We are seeing Elastic security rule triggering alerts for LSASS Memory Dump Handle Access for the 'C:\Windows\System32\poqexec.exe' process (Primitive Operations Queue Executor) on several endpoints with the computer account name.

However, our EDR is not picking this up as an alert, nor is the process listed in the device's timeline.

I am not finding much online about poqexec.exe and possible interaction with LSASS and I was hoping to get some insight here.

Anyone see this before and can help me validate the behavior?

message: "A handle to an object was requested.
Subject:
Security ID: S-1-5-18
Account Name: <computerAccount$>
Account Domain: <ourDomain>
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\lsass.exe
Handle ID: 0x70
Resource Attributes: -
Process Information:
Process ID: 0x6fc
Process Name: C:\Windows\System32\poqexec.exe
Access Request Information:
Transaction ID: {2801ddbe-0b5e-11ef-9edb-4c3488257915}
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
Access Reasons: -
Access Mask: 0x1F0189
Privileges Used for Access Check: SeBackupPrivilege
SeRestorePrivilege
Restricted SID Count: 0"

Anybody have some insight or recommendations here?
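As an added example, not part of the original post or of any Elastic rule, the Python below parses the 4656 event quoted above (re-typed here as a constructed sample), decodes its Access Mask against the documented Windows file access-right bits (the FILE_* generic rights in the low word and the standard rights DELETE through SYNCHRONIZE in bits 16-20), and cross-checks the result against the Accesses list the event itself prints. Two things it makes explicit: the Object Type is File, so the handle was requested on the lsass.exe binary on disk rather than on the running LSASS process (a memory dump needs a Process handle with PROCESS_VM_READ, which would be audited as a different object type), and the bits present are 0x189 plus the five standard rights, which sum to exactly 0x1F0189. The field names and the WRITE_RIGHTS grouping are assumptions made for this example; whether poqexec.exe should be touching that file at that time still has to be judged against servicing activity on the host.

```python
import re

# Windows file-object access rights (winnt.h). Labels follow the wording
# event 4656 prints in its "Accesses" field so the two can be compared.
FILE_ACCESS_RIGHTS = {
    0x00000001: "ReadData (or ListDirectory)",
    0x00000002: "WriteData (or AddFile)",
    0x00000004: "AppendData (or AddSubdirectory)",
    0x00000008: "ReadEA",
    0x00000010: "WriteEA",
    0x00000020: "Execute/Traverse",
    0x00000040: "DeleteChild",
    0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Assumption for this example: rights that alter the file or its security
# descriptor, as opposed to reading it.
WRITE_RIGHTS = {
    "WriteData (or AddFile)", "AppendData (or AddSubdirectory)", "WriteEA",
    "DeleteChild", "WriteAttributes", "DELETE", "WRITE_DAC", "WRITE_OWNER",
}

# Constructed sample: the event body from the post above, re-typed.
SAMPLE_EVENT = r"""A handle to an object was requested.
Subject:
Security ID: S-1-5-18
Account Name: <computerAccount$>
Account Domain: <ourDomain>
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\lsass.exe
Handle ID: 0x70
Resource Attributes: -
Process Information:
Process ID: 0x6fc
Process Name: C:\Windows\System32\poqexec.exe
Access Request Information:
Transaction ID: {2801ddbe-0b5e-11ef-9edb-4c3488257915}
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
Access Reasons: -
Access Mask: 0x1F0189
Privileges Used for Access Check: SeBackupPrivilege
SeRestorePrivilege
Restricted SID Count: 0"""


def _field(text, name):
    """Value of a single-line 'Name: value' field, or None if absent."""
    m = re.search(r"^\s*" + re.escape(name) + r":\s*(.*)$", text, re.M)
    return m.group(1).strip() if m else None


def _block(text, start, end):
    """Values of a multi-line field: everything between 'start:' and 'end:'."""
    pat = r"^\s*" + re.escape(start) + r":\s*(.*?)^\s*" + re.escape(end) + r":"
    m = re.search(pat, text, re.M | re.S)
    return [ln.strip() for ln in m.group(1).splitlines() if ln.strip()] if m else []


def decode_file_mask(mask):
    """Return (named rights in ascending bit order, leftover bits not in the table)."""
    known = 0
    for bit in FILE_ACCESS_RIGHTS:
        known |= bit
    names = [n for bit, n in sorted(FILE_ACCESS_RIGHTS.items()) if mask & bit]
    return names, mask & ~known


def triage_4656(text):
    """Pull the fields an analyst needs from a 4656 event and decode its mask."""
    mask = int(_field(text, "Access Mask"), 16)
    rights, unknown = decode_file_mask(mask)
    return {
        "subject_sid": _field(text, "Security ID"),
        "object_type": _field(text, "Object Type"),
        "object_name": _field(text, "Object Name"),
        "process_name": _field(text, "Process Name"),
        "access_mask": mask,
        "rights": rights,
        "unknown_bits": unknown,
        "write_rights": [r for r in rights if r in WRITE_RIGHTS],
        "privileges": _block(text, "Privileges Used for Access Check", "Restricted SID Count"),
        "listed_accesses": _block(text, "Accesses", "Access Reasons"),
    }


def mask_matches_listed(info):
    """True when the decoded mask and the event's own Accesses list agree exactly."""
    return info["unknown_bits"] == 0 and set(info["rights"]) == set(info["listed_accesses"])


if __name__ == "__main__":
    info = triage_4656(SAMPLE_EVENT)
    print(f"{info['object_type']} handle on {info['object_name']} by {info['process_name']}")
    print(f"mask 0x{info['access_mask']:X} -> {', '.join(info['rights'])}")
    print(f"write-class rights: {info['write_rights']}; privileges: {info['privileges']}")
    print("mask consistent with Accesses list:", mask_matches_listed(info))
```

Feeding the same function the XML-to-text body of other 4656 events (for instance ones whose Object Type is Process) lets you split the alerts by object type before spending time on them; the decoder only knows file rights, so a Process-object mask will show leftover bits and mask_matches_listed will return False, which is the cue that a different table applies.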

Hello,

poqexec.exe is typically associated with post-update operations in Windows environments and isn't commonly a focus in standard threat models, which might explain the lack of EDR alerts. However, its interaction with LSASS.exe (Local Security Authority Subsystem Service) is suspicious, particularly concerning the permissions requested, such as DELETE and WRITE_OWNER, which could potentially be used for privilege escalation or persistence mechanisms.

Check for Patch and Configuration Updates: Ensure that all security tools are up-to-date with the latest signatures and anomaly detection heuristics, which could help in detecting unusual interactions like this.

Deep Dive into Process Behavior: Analyze poqexec.exe behavior on a sandbox environment. Monitor its actions, network traffic, file interactions, and especially its interactions with critical processes like LSASS.exe.

Correlate Logs and Other Indicators: Check for other indicators of compromise on affected endpoints. This includes unusual network connections, file changes, or registry modifications that correlate with the alert times.

(Written with the help of ChatGPT.)

Willem

