If you’re a threat hunter, you’ve probably encountered some puzzling behaviors. For example, the Windows process
lsass.exe making an outbound connection to an internet address on port 80. It’s a head-scratcher, isn’t it? Why would a
Local Security Authority Subsystem Service (LSASS) process, which primarily deals with user authentication, be reaching out to the internet on a port usually reserved for HTTP traffic?
The Expected Behavior of lsass.exe
lsass.exe hosts authentication on every Windows system, and on a domain controller it also hosts Active Directory Domain Services. Its traffic to Active Directory goes to fixed, well-known destination ports (Kerberos on 88, LDAP on 389 and the RPC endpoint mapper on 135, among others) plus dynamically assigned RPC ports. Unless that traffic is encapsulated in a tunnel such as IPsec, the dynamic RPC ports are drawn from the ephemeral TCP range, which on Windows Vista / Server 2008 and later defaults to 49152 through 65535. Plain HTTP on port 80 is not on that list, which is why the connection looks out of place.
So, Why Port 80?
While it may seem unusual, there are legitimate reasons for
lsass.exe to communicate over port 80. The most common one is certificate revocation checking: the Online Certificate Status Protocol (OCSP), which returns the revocation status of a single
X.509 digital certificate, and the closely related download of certificate revocation lists (CRLs). Both are served over plain HTTP by design, because fetching revocation data over TLS would first require validating yet another certificate. The URLs come from the certificate itself, in its Authority Information Access (OCSP) and CRL Distribution Points extensions. lsass.exe is the process that performs these lookups because the components that validate certificates during authentication, such as Schannel for TLS and the Kerberos client for smart-card (PKINIT) logon, run inside it. It is simply Windows checking whether the certificates used for secure communications are still valid or have been revoked.
Threat or No Threat?
Although an lsass.exe process making a connection over port 80 can be a legitimate action, this doesn't mean you should dismiss it entirely. It's crucial to understand the context of the situation.
For instance, frequent connections, or connections to addresses that are not a known certificate authority's OCSP responder or CRL distribution point, could be a sign of a problem. So is an lsass.exe image that is not the one in %SystemRoot%\System32, since the process name alone proves nothing. But if the connections are infrequent and go to the hosts named in the OCSP responder and CRL distribution point URLs embedded in your certificates, it's likely just Windows doing its regular revocation checking.
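To make that triage concrete, here is an added example (not code from the original post) that applies the same tests to constructed Sysmon Event ID 3 style records: it keeps only lsass.exe connections to TCP/80, checks that the image is the genuine binary in System32, compares the destination to hostnames taken from the OCSP responder and CRL distribution point URLs that certificates carry, and flags bursts to one destination. The URLs, hostnames, addresses and log lines are all constructed for the example; in practice the allowlist is harvested from the certificates actually in use in the enterprise.

```python
"""Triage of lsass.exe connections to TCP/80 against certificate revocation hosts.

Added example, not code from the original post. Log lines and URLs are constructed.
"""
from collections import Counter
from urllib.parse import urlparse

# Constructed OCSP responder and CRL distribution point URLs, as they would be
# read from the AIA and CDP extensions of certificates in use in the enterprise.
# These hostnames are assumptions for the example, not a real allowlist.
KNOWN_REVOCATION_URLS = [
    "http://ocsp.example-ca.test/",
    "http://crl.example-ca.test/root.crl",
    "http://pki.corp.example/ocsp",
]

# Only the genuine binary should show up; any other path is suspect on its own.
EXPECTED_IMAGE = r"c:\windows\system32\lsass.exe"

# Constructed Sysmon Event ID 3 style records (key=value fields joined by '|').
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    "UtcTime=2024-01-01 09:00:01|Image=C:\\Windows\\System32\\lsass.exe|Protocol=tcp"
    "|DestinationIp=203.0.113.10|DestinationHostname=ocsp.example-ca.test|DestinationPort=80",
    "UtcTime=2024-01-01 09:00:07|Image=C:\\Windows\\System32\\lsass.exe|Protocol=tcp"
    "|DestinationIp=198.51.100.7|DestinationHostname=-|DestinationPort=80",
    "UtcTime=2024-01-01 09:00:09|Image=C:\\Users\\Public\\lsass.exe|Protocol=tcp"
    "|DestinationIp=198.51.100.8|DestinationHostname=cdn.example.test|DestinationPort=80",
    "UtcTime=2024-01-01 09:00:12|Image=C:\\Windows\\System32\\lsass.exe|Protocol=tcp"
    "|DestinationIp=10.0.0.5|DestinationHostname=dc01.corp.example|DestinationPort=88",
]


def revocation_hosts(urls):
    """Lower-case hostnames of the plain-HTTP AIA/CDP URLs; these are the expected peers."""
    hosts = set()
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme == "http" and parsed.hostname:
            hosts.add(parsed.hostname.lower())
    return hosts


def parse_event(line):
    """Split one 'k=v|k=v' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def triage(events, allow_hosts, burst_threshold=5):
    """Return (verdict, record) pairs for every lsass.exe connection to TCP/80.

    Verdicts: 'expected' (genuine binary, destination is a known revocation host),
    'unknown_destination', 'unexpected_image_path', and a per-destination 'burst'
    when the number of connections to one destination reaches burst_threshold.
    """
    findings = []
    per_destination = Counter()
    for event in map(parse_event, events):
        image = event.get("Image", "").lower()
        if image.rsplit("\\", 1)[-1] != "lsass.exe":
            continue
        if event.get("Protocol", "").lower() != "tcp" or event.get("DestinationPort") != "80":
            continue
        # Sysmon writes '-' when reverse lookup failed; fall back to the raw IP then.
        hostname = event.get("DestinationHostname", "").lower()
        destination = hostname if hostname not in ("", "-") else event.get("DestinationIp", "")
        per_destination[destination] += 1
        if image != EXPECTED_IMAGE:
            findings.append(("unexpected_image_path", event))
        elif destination not in allow_hosts:
            findings.append(("unknown_destination", event))
        else:
            findings.append(("expected", event))
    for destination, count in per_destination.items():
        if count >= burst_threshold:
            findings.append(("burst", {"destination": destination, "count": count}))
    return findings


def verdict_counts(findings):
    """Summary suitable for a hunting dashboard: verdict -> number of records."""
    return dict(Counter(verdict for verdict, _ in findings))


if __name__ == "__main__":
    allow = revocation_hosts(KNOWN_REVOCATION_URLS)
    for verdict, record in triage(SAMPLE_EVENTS, allow):
        print(f"{verdict:24} {record}")
    print(verdict_counts(triage(SAMPLE_EVENTS, allow)))
```

On the sample data the first record is expected, the second is an unknown destination (no hostname, unlisted IP), the third is flagged for its image path before the destination is even considered, and the Kerberos connection on port 88 is ignored. The burst threshold is deliberately a parameter: what counts as "frequent" depends on how many certificate validations a given host normally performs, so tune it from a baseline rather than a fixed number.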
The Importance of Context
In cybersecurity, context is everything. Anomalies are not necessarily threats, but understanding why they occur helps us distinguish between normal operations and potential security issues.
Done reading? Continue with Microsoft's official documentation to learn more about how Windows processes work and communicate.