topic Re: LSASS creating a cache1.bin on appdata in Cortex XDR Discussions

LSASS creating a cache1.bin on appdata

EricksonM — Sun, 25 Aug 2024 23:28:21 GMT

We have an alert on 2 different device that LSASS is creating a cache1.bin on app data.

All are created by NT\SYSTEM

Location detected

C:\Users<my username>\AppData\Local\Microsoft\Windows\SFAP\cache1.bin

C:\Windows\ServiceProfiles\UIFlowService\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pilogsrvX64\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pinetmgr\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pilogsrv\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pimsgss\AppData\Local\Microsoft\Windows\SFAP\cache1.bin\SFAP\cache1.bin

I tried to search for same issue and found one on Microsoft but not answered.

https://learn.microsoft.com/en-us/answers/questions/1336646/what-is-the-cache1-bin-on-windows-11

Have anyone experience this?

What course of action taken?

Re: LSASS creating a cache1.bin on appdata

WGriessbach — Mon, 26 Aug 2024 08:58:11 GMT

We have seen a few of these alerts ourselves but no idea why.

As an additional piece of information, this event coincides with an event logged in the system log of affected hosts as per below:

NETLOGON Event ID 5823
The system successfully changed its password on the domain controller \\Domaincontroller. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.

Re: LSASS creating a cache1.bin on appdata

ThomasDaCruz — Tue, 27 Aug 2024 09:06:55 GMT

Hello,
After a quick analysis we can see that the path contains "SFAP" and the process LSASS loaded 2 DLL with this name. Both DLL are known and signed by Microsoft.
I checked on other assets and I found 24 similar "cache1.bin" files created by LSASS on few assets. Seems legit.

And this alert does not exist in Threat Vault to get more info.

Re: LSASS creating a cache1.bin on appdata

J.Eversvik — Tue, 27 Aug 2024 16:17:20 GMT

Hello, we are also seeing this issue in our environment.

The Cache0.bin\Cache1.bin file is generated within one or multiple service profiles in the folder C:\Windows\ServiceProfiles\PROFILENAME\AppData\Local\Microsoft\Windows\SFAP\

This cache file is always 0 bytes, and has a timestamp that corresponds with system event 5823 reporting that "The system successfully changed its password on the domain controller \\domain This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password."

This has only affected a handful of systems, all within the past 7 days. Other systems have logged the 5823 events without triggering a Cortex/LSASS alert or creating the cache.bin file.

Looking for any additional insight while determining root cause.

Re: LSASS creating a cache1.bin on appdata

J.Eversvik — Wed, 28 Aug 2024 14:44:55 GMT

Issue seems to have been initiated by KB5041585, which began deploying to the environment on 8/13/24. Microsoft is reporting that two vulnerabilities relating to the Local Security Authority Subsystem Service (LSASS) are addressed with this patch - CVE-2024-38118 and CVE-2024-38122 - Both of these are related to CWE-908: Use of Uninitialized Resource

Patch details note updates to these system files

"SFAPM.dll","10.0.22621.3958","10-Aug-2024","20:35","293,360"
"SFAPE.dll","10.0.22621.3958","10-Aug-2024","20:35","51,720"

This patch has currently been deployed to hundreds systems, and I suspect that each will throw this alert when they renew their computer account password automatically.

I have not found any signs of malicious activity related to these incidents, and do believe this is a new, but legitimate behavior from the Local Security Authority Subsystem Service.