Why is lsass.exe Knocking on Port 80’s Door?


If you’re a threat hunter, you’ve probably encountered some puzzling behaviors. For example, the Windows process lsass.exe making an outbound connection to an internet address on port 80. It’s a head-scratcher, isn’t it? Why would a Local Security Authority Subsystem Service (LSASS) process, which primarily deals with user authentication, be reaching out to the internet on a port usually reserved for HTTP traffic?

Figure: LSASS.exe knocking on Port 80

The Expected Behavior of lsass.exe

Normally, lsass.exe communicates over a well-defined set of ports. It works closely with Active Directory and requires network connectivity on the hard-coded ports Active Directory uses. Because traffic to Active Directory is not encapsulated in a tunneling protocol, a range of ephemeral TCP ports (1024 to 5000 and 49152 to 65535) must also be reachable.

So, Why Port 80?

While it may seem unusual, there are legitimate reasons for lsass.exe to communicate over port 80. One of them is the Online Certificate Status Protocol (OCSP), which is used to obtain the revocation status of an X.509 digital certificate. It is the way Windows checks whether the certificates used for secure communications are still valid or have been revoked, and OCSP responders are typically reached over plain HTTP on port 80.

Read RFC 2560, which specifies OCSP (it has since been superseded by RFC 6960).

Threat or No Threat?

Although the lsass.exe process making a connection over port 80 can be a legitimate action, this doesn’t mean you should dismiss it entirely. It’s crucial to understand the context of the situation.

For instance, if you see these connections happening frequently, or if they are being made to suspicious IP addresses, that could be a sign of a real problem. But if the connections are infrequent and go to the OCSP responders of reputable certificate authorities, it is most likely just Windows doing its routine certificate checking.
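As an added illustration of that triage (example code, not part of the original post): a small Python hunt that groups lsass.exe port-80 connections by destination and flags exactly the two cases the text calls out, unknown destinations and high frequency, plus an lsass.exe image outside System32. The Sysmon-style records, the hostnames and addresses, and the KNOWN_OCSP_RESPONDERS allowlist are all constructed assumptions.

```python
# Constructed sample records shaped like Sysmon Event ID 3 (NetworkConnect)
# fields. Hosts and addresses are illustrative (RFC 5737 documentation ranges).
def _ev(dst_ip, dst_host, dst_port=80, image=r"C:\Windows\System32\lsass.exe"):
    return {"image": image, "dst_ip": dst_ip, "dst_host": dst_host, "dst_port": dst_port}

SAMPLE_EVENTS = (
    [_ev("203.0.113.10", "ocsp.example-ca.test")] * 2      # occasional OCSP check
    + [_ev("198.51.100.7", "-")] * 7                       # repeated, unresolved host
    + [_ev("192.0.2.5", "dc01.corp.test", dst_port=389)]   # LDAP to a DC, out of scope
)

# Hypothetical allowlist: responder names taken from the OCSP URLs (AIA extension)
# of the CA certificates your environment actually trusts.
KNOWN_OCSP_RESPONDERS = {"ocsp.example-ca.test"}
EXPECTED_IMAGE = r"c:\windows\system32\lsass.exe"


def triage_lsass_port80(events, known=KNOWN_OCSP_RESPONDERS, max_per_dest=5):
    """Group lsass.exe port-80 connections by destination and return
    {dst_ip: [reasons]} for destinations that fall outside the
    'infrequent, to a known CA responder' pattern."""
    per_dest = {}
    for e in events:
        image = e["image"].lower()
        if not image.endswith(r"\lsass.exe") or e["dst_port"] != 80:
            continue
        d = per_dest.setdefault(e["dst_ip"], {"count": 0, "hosts": set(), "images": set()})
        d["count"] += 1
        d["hosts"].add(e["dst_host"])
        d["images"].add(image)

    findings = {}
    for ip, d in per_dest.items():
        reasons = []
        if not d["hosts"] & known:
            reasons.append("destination is not a known OCSP responder")
        if d["count"] > max_per_dest:
            reasons.append(f"high frequency: {d['count']} connections")
        if d["images"] != {EXPECTED_IMAGE}:
            reasons.append("lsass.exe image outside System32")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in triage_lsass_port80(SAMPLE_EVENTS).items():
        print(ip, "->", "; ".join(reasons))
```

The allowlist is the part that needs local tuning: build it from the responders your trusted CAs actually advertise, so that a known-good OCSP check is not mistaken for an anomaly.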

The Importance of Context

In cybersecurity, context is everything. Anomalies are not necessarily threats, but understanding why they occur helps us distinguish between normal operations and potential security issues.

Done reading? Continue with Microsoft's official documentation to learn more about how Windows processes work and communicate.

Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
