PowerShell :- BootTime with LSASS.EXE

LSASS.EXE

The Local Security Authority Subsystem Service (LSASS) is responsible for enforcing the security policy on your systems. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.

Monitor On Boot

Therefore you should continuously monitor for malicious types of behavior, such as additional spawned instances of LSASS.EXE, or virus, spyware, Trojan or worm activity, and ensure the binary is run from the local path %WINDIR%\System32\lsass.exe.
Windows also writes Event ID 4608 to the Security log as it starts up, which can be used as a simple form of monitoring from within any monitoring system.

Event Log Msg ID 4608


Add Quick Monitoring

So, if you already know about this, cool. By creating a simple PowerShell function that can be triggered shortly after a boot of any type into Windows, or run on a schedule both locally and remotely, and from any type of monitoring tool that lets you add a "4608 and get system boot time" check, you get a cool and quick test to ensure that a boot is shortly followed by the start of LSASS.exe.

Adds Simple Check

Knowing the two are tightly related, it's nice to know there is an additional simple way to do some easy system monitoring.
When combined with other types of monitoring it can be quite effective.

Get-Process

When you simply run this command:
get-process lsass | format-list *


Get Simple Listing

Running get-process lsass | format-list * you get a nicely formatted list that you can use for further action or auditing. For now I'm just going to do a very simple snippet or mini function that you can modify at will. 🙂 I'll compare the boot time to the LSASS start time. LSASS should always start within a few seconds of, or shortly after, the boot of the machine.

PowerShell Last Boot Time

For our Last Boot Time this PowerShell cmdlet works quite well:
$Global:BootStartTime = Get-WmiObject win32_operatingsystem | select csname, @{ LABEL = 'LastBootUpTime'; EXPRESSION = { $_.ConvertToDateTime($_.lastbootuptime) } }

LSASS.EXE Start Time

And, to get LSASS.EXE start time:
$Global:LSASSStartTime = Get-Process lsass | select StartTime

I could have trimmed this down further, but it is pretty simple and I wanted to show you just how simple.

$StartDate = $Global:BootStartTime.LastBootUpTime
$EndDate = (get-date ($Global:LSASSStartTime.StartTime))

$DifferenceInDays = new-timespan -Start $StartDate -End $EndDate

Yes, when you run this yourself the values will differ:
$DifferenceInDays has some useful values that you can check. So, if we know that LSASS.EXE should not take more than 20 seconds after boot to start, a larger gap could be a minor issue, but one worth checking nevertheless.

Days : 0
Hours : 0
Minutes : 0
Seconds : 11
Milliseconds : 117
Ticks : 111179409
TotalDays : 0.000128679871527778
TotalHours : 0.00308831691666667
TotalMinutes : 0.185299015
TotalSeconds : 11.1179409
TotalMilliseconds : 11117.9409

Checking the difference is very basic:
if ($DifferenceInDays.TotalSeconds -ge 20)
{
    ###
    #### Add Check Path
    ###
    Write-Host "Possible Boot Issue with LSASS timing"
}
else
{
    $msg = 'Boot process appears normal'
    Write-Host $msg
}

The function is not too complex, and something similar should be implemented to monitor LSASS.EXE.
Here is the snippet function:

function check-BootTimeVariance
{
    # Just in case you'd like globals
    # Boot time from WMI, converted from the DMTF datetime string to a DateTime
    $Global:BootStartTime = Get-WmiObject win32_operatingsystem | select csname, @{ LABEL = 'LastBootUpTime'; EXPRESSION = { $_.ConvertToDateTime($_.lastbootuptime) } }
    # Start time of the running lsass process
    $Global:LSASSStartTime = Get-Process lsass | select StartTime

    $StartDate = $Global:BootStartTime.LastBootUpTime
    $EndDate = (Get-Date ($Global:LSASSStartTime.StartTime))

    # Gap between boot and LSASS start
    $DifferenceInDays = New-TimeSpan -Start $StartDate -End $EndDate

    if ($DifferenceInDays.TotalSeconds -ge 20)
    {
        ###
        #### Add what you'd like: could write to Azure storage tables for future
        ### comparison, or just a simple message to the event logs
        ###
        Write-Host "Possible Boot Issue And Timing"
    }
    else
    {
        $msg = 'Boot process appears normal'
        Write-Host $msg
    }

    <# You could even add in the results of this as well:
    gwmi win32_ntlogevent -filter "LogFile='System' and EventCode='1074' and Message like '%restart%'" | select User, @{ n = "Time"; e = { $_.ConvertToDateTime($_.TimeGenerated) } }
    #>
}
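As an added example (not code from the original post), the function below folds the other checks mentioned in the "Monitor On Boot" section into the timing check above: it verifies there is exactly one lsass process, that it runs from %WINDIR%\System32\lsass.exe, pulls the latest Security Event ID 4608 as a second timestamp, and returns an object instead of Write-Host text so a scheduler or monitoring agent can consume it. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, uses Get-CimInstance in place of the deprecated Get-WmiObject, and needs an elevated session to read the Security log and the lsass image path. The function and parameter names are this example's own.

```powershell
# Added example, not code from the original post: a more robust form of the
# boot-vs-LSASS timing check. Assumes Windows PowerShell 5.1 or PowerShell 7 on
# Windows; reading the Security log (Event ID 4608) and the lsass image path
# both require an elevated session. Function and parameter names are this
# example's own.
function Test-LsassBootHealth
{
    [CmdletBinding()]
    param(
        # Seconds after boot beyond which the LSASS start is flagged; the post uses 20.
        [int]$MaxSecondsAfterBoot = 20
    )

    # Boot time via CIM rather than Get-WmiObject, which is absent in PowerShell 7.
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $boot = $os.LastBootUpTime

    # Event ID 4608 ("Windows is starting up") is written to the Security log as
    # the LSA starts; the newest one is a second timestamp to correlate against.
    $evt4608 = $null
    try {
        $evt4608 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4608 } -MaxEvents 1 -ErrorAction Stop
    }
    catch {
        # Not fatal: most often the session is simply not elevated.
    }

    # Every process named lsass; a healthy system has exactly one.
    $lsass    = @(Get-Process -Name lsass -ErrorAction SilentlyContinue)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($lsass.Count -ne 1) {
        $findings.Add("Expected exactly one lsass process, found $($lsass.Count)")
    }

    # The post's expected location. String comparison is case-insensitive in
    # PowerShell, so "system32" vs "System32" does not produce a false finding.
    $expectedPath = Join-Path $env:WINDIR 'System32\lsass.exe'
    foreach ($p in $lsass) {
        if (-not $p.Path) {
            $findings.Add("PID $($p.Id): image path not readable (run elevated to verify)")
        }
        elseif ($p.Path -ne $expectedPath) {
            $findings.Add("PID $($p.Id): unexpected image path $($p.Path)")
        }
    }

    # Time the first lsass instance against the boot, as the post's function does,
    # and also flag a negative gap (a process that "started" before the recorded boot).
    $primary = if ($lsass.Count -gt 0) { $lsass[0] } else { $null }
    $delta   = $null
    if ($null -ne $primary -and $null -ne $primary.StartTime) {
        $delta = New-TimeSpan -Start $boot -End $primary.StartTime
        if ($delta.TotalSeconds -gt $MaxSecondsAfterBoot -or $delta.TotalSeconds -lt 0) {
            $findings.Add(("lsass started {0:N1} s after boot (threshold {1} s)" -f $delta.TotalSeconds, $MaxSecondsAfterBoot))
        }
    }

    $evtTime    = if ($null -ne $evt4608) { $evt4608.TimeCreated } else { $null }
    $lsassStart = if ($null -ne $primary) { $primary.StartTime } else { $null }
    $seconds    = if ($null -ne $delta)   { [math]::Round($delta.TotalSeconds, 1) } else { $null }

    # Return an object so a scheduler or monitoring agent can read fields
    # directly instead of parsing Write-Host text.
    [pscustomobject]@{
        ComputerName     = $os.CSName
        LastBootUpTime   = $boot
        Event4608Time    = $evtTime
        LsassStartTime   = $lsassStart
        SecondsAfterBoot = $seconds
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

# Usage: print the summary and surface any findings as a warning.
$result = Test-LsassBootHealth
$result | Format-List
if (-not $result.Healthy) {
    Write-Warning ($result.Findings -join '; ')
}
```

Run it from a scheduled task that fires at startup with a short delay, or on a timer for remote hosts via Invoke-Command. Because the result is an object, the Findings array can be passed straight to Write-EventLog (after registering a source) or to whatever logging the monitoring tool provides, which is the hook the post leaves open in its "Add what you'd like" comment.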

Extra Monitoring

I hope this has given you some ideas on adding an extra monitoring check on your systems. I’ll add a function where you can start logging to azure storage tables soon.

I'm always on the lookout for simple techniques that can be incorporated into the grand scheme of things security.

Thoughts & Ideas, Joseph Kravis 🙂



Categories: PowerShell

1 reply

  1. Great information, just feels way over my head. 🙂
