PowerShell :- BootTime with LSASS.EXE

The Local Security Authority Subsystem Service (LSASS) is responsible for enforcing the security policy on your systems. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. Therefore you should continuously monitor it for malicious behavior, such as additional spawned instances of LSASS.EXE, or virus, spyware, Trojan or worm activity, and ensure the running binary's path is %WINDIR%\System32\lsass.exe.
It also writes EventID 4608 to the Windows Security Log, which can be used as a simple form of monitoring from within any monitoring system.


So, if you already know about this, cool. By creating a simple PowerShell function that can be triggered shortly after a boot of any type into Windows, or run on a schedule, both locally and remotely, and from any type of monitoring tool that lets you add a "4608 and get system boot time" check, you get a quick test to ensure that boot is shortly followed by the start of LSASS.exe. Knowing the two are tightly related, it's nice to have an additional simple way to do some easy system monitoring.
When combined with other types of monitoring it can be quite effective.

When you simply run this command:
get-process lsass | format-list *


You get a nicely formatted list that you can use for further action or auditing. For now I'm just going to do a very simple snippet or mini function that you can modify at will. 🙂 I'll compare boot time to LSASS start time. LSASS should always start within a few seconds of, or shortly after, the boot of the machine.

For our Last Boot Time this PowerShell cmdlet works quite well:
$Global:BootStartTime = Get-WmiObject win32_operatingsystem | select csname, @{ LABEL = 'LastBootUpTime'; EXPRESSION = { $_.ConvertToDateTime($_.lastbootuptime) } }

And, to get LSASS.EXE start time:
$Global:LSASSStartTime = Get-Process lsass | select StartTime

I could have trimmed this down more, but it is pretty simple as it is and I wanted to show you how simple.

$StartDate = $Global:BootStartTime.LastBootUpTime
$EndDate = (get-date ($Global:LSASSStartTime.StartTime))

$DifferenceInDays = new-timespan -Start $StartDate -End $EndDate

Yes, when you run this yourself the values will differ:
$DifferenceInDays has some useful values that you can check on. So, if we know that LSASS.EXE should not take more than 20 seconds after boot to run, a longer delay could be a minor issue, but one to check nevertheless.

Days : 0
Hours : 0
Minutes : 0
Seconds : 11
Milliseconds : 117
Ticks : 111179409
TotalDays : 0.000128679871527778
TotalHours : 0.00308831691666667
TotalMinutes : 0.185299015
TotalSeconds : 11.1179409
TotalMilliseconds : 11117.9409

To show the difference is very basic:
if ($DifferenceInDays.TotalSeconds -ge 20)
{
    ###
    #### Add Check Path
    ###
    Write-Host "Possible Boot Issue with LSASS timing"
}
else
{
    $msg = 'Boot process appears normal'
    Write-Host $msg
}

The function is not too complex, and something similar should be implemented to monitor LSASS.EXE.
Here is the snippet function:

function check-BootTimeVariance
{
    # Just in case you'd like globals
    $Global:BootStartTime = Get-WmiObject win32_operatingsystem | select csname, @{ LABEL = 'LastBootUpTime'; EXPRESSION = { $_.ConvertToDateTime($_.lastbootuptime) } }
    $Global:LSASSStartTime = Get-Process lsass | select StartTime

    $StartDate = $Global:BootStartTime.LastBootUpTime
    $EndDate = (Get-Date ($Global:LSASSStartTime.StartTime))

    # Time elapsed between boot and the start of lsass.exe
    $DifferenceInDays = New-TimeSpan -Start $StartDate -End $EndDate

    if ($DifferenceInDays.TotalSeconds -ge 20)
    {
        ###
        #### Add what you'd like: could write to Azure storage tables for future
        #### comparison, or just a simple message to the event logs
        ###
        Write-Host "Possible Boot Issue And Timing"
    }
    else
    {
        $msg = 'Boot process appears normal'
        Write-Host $msg
    }

    <# You could even add in the results of this as well:
    gwmi win32_ntlogevent -filter "LogFile='System' and EventCode='1074' and Message like '%restart%'" | select User, @{ n = "Time"; e = { $_.ConvertToDateTime($_.TimeGenerated) } }
    #>
}
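As an added example (my code, not the author's snippet), here is one way to fill in the "Add Check Path" and "message to event logs" placeholders above and to fold in the other LSASS checks the post opens with: exactly one lsass.exe instance, an image path of %WINDIR%\System32\lsass.exe, the boot-to-LSASS timing with the author's 20 second threshold, and a correlation against Security EventID 4608. It targets Windows PowerShell 5.1 and needs to run elevated (process path/start time and the Security log are not readable otherwise). The function name Test-LsassBootHealth, the parameter names, the event source name 'LsassBootCheck' and the Application log event ID 1000 are my own choices, not anything from the post.

```powershell
# Added example, not from the original post. Assumed names: Test-LsassBootHealth,
# -MaxSeconds, -WriteEventLog, event source 'LsassBootCheck', event ID 1000.
function Test-LsassBootHealth {
    [CmdletBinding()]
    param(
        # The post's threshold: LSASS should be up within 20 seconds of boot
        [int]$MaxSeconds = 20,
        # Write a summary to the Application log (source is registered on first use)
        [switch]$WriteEventLog,
        [string]$EventSource = 'LsassBootCheck'   # constructed name
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # Boot time: Get-CimInstance already returns LastBootUpTime as [datetime],
    # so no ConvertToDateTime is needed here.
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $bootTime = $os.LastBootUpTime

    # Instance check: there must be exactly one lsass.exe
    $lsass = @(Get-Process -Name lsass -ErrorAction SilentlyContinue)
    if ($lsass.Count -ne 1) {
        $findings.Add("Expected 1 lsass.exe instance, found $($lsass.Count)")
    }

    # Path check: the running image must be %WINDIR%\System32\lsass.exe
    $expectedPath = Join-Path $env:windir 'System32\lsass.exe'
    $lsassStart   = $null
    foreach ($p in $lsass) {
        # Path is $null when the caller lacks rights to read it; report that rather than pass
        if (-not $p.Path) {
            $findings.Add("PID $($p.Id): image path not readable (run elevated)")
        } elseif ($p.Path -ne $expectedPath) {   # -ne is case-insensitive in PowerShell
            $findings.Add("PID $($p.Id): unexpected image path '$($p.Path)' (expected '$expectedPath')")
        }
        try   { $lsassStart = $p.StartTime }
        catch { $findings.Add("PID $($p.Id): start time not readable (run elevated)") }
    }

    # Timing check: the post's boot -> LSASS start delta
    $delta = $null
    if ($lsassStart) {
        $delta = New-TimeSpan -Start $bootTime -End $lsassStart
        if ($delta.TotalSeconds -ge $MaxSeconds) {
            $findings.Add(("LSASS started {0:N1}s after boot (threshold {1}s)" -f $delta.TotalSeconds, $MaxSeconds))
        }
    }

    # Correlation: the newest Security 4608 ("Windows is starting up") should sit close to boot time
    $event4608 = $null
    try {
        $event4608  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4608 } -MaxEvents 1 -ErrorAction Stop
        $eventDelta = New-TimeSpan -Start $bootTime -End $event4608.TimeCreated
        if ([math]::Abs($eventDelta.TotalSeconds) -ge $MaxSeconds) {
            $findings.Add(("Latest 4608 is {0:N1}s from boot time; expected within {1}s" -f $eventDelta.TotalSeconds, $MaxSeconds))
        }
    } catch {
        $findings.Add("Could not read Security event 4608: $($_.Exception.Message)")
    }

    $bootToLsassSec = $null
    if ($delta) { $bootToLsassSec = [math]::Round($delta.TotalSeconds, 3) }
    $event4608Time = $null
    if ($event4608) { $event4608Time = $event4608.TimeCreated }

    $result = [pscustomobject]@{
        ComputerName   = $os.CSName
        LastBootUpTime = $bootTime
        LsassStartTime = $lsassStart
        BootToLsassSec = $bootToLsassSec
        Event4608Time  = $event4608Time
        Healthy        = ($findings.Count -eq 0)
        Findings       = $findings.ToArray()
    }

    if ($WriteEventLog) {
        # Register the source once; log Information when healthy, Warning when there are findings
        if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
            New-EventLog -LogName Application -Source $EventSource
        }
        $type = 'Information'
        $msg  = 'LSASS boot check passed'
        if (-not $result.Healthy) {
            $type = 'Warning'
            $msg  = $result.Findings -join "`n"
        }
        Write-EventLog -LogName Application -Source $EventSource -EventId 1000 -EntryType $type -Message $msg
    }

    return $result
}

# Usage (elevated): run the check and show every field, including the Findings array
Test-LsassBootHealth -WriteEventLog | Format-List
```

Returning an object instead of a Write-Host string is what makes this usable from a scheduled task or a remote Invoke-Command: a monitoring tool can key off Healthy and the Findings array, and the Application log entry gives it a place to poll that does not require Security log rights.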

I hope this has given you some ideas on adding an extra monitoring check on your systems. I’ll add a function where you can start logging to azure storage tables soon.

I’m always on the look out for simple techniques that can be incorporated into the grand scheme of things security.


Thoughts & Ideas,
Joseph Kravis :=-)
***



Categories: #kravis, #PowerShell, PowerShell, PowerShell Posts, Technology, Thoughts and Ideas

1 reply

  1. Great information, just feels way over my head. 🙂

