08-25-2024 04:28 PM
We have an alert on 2 different device that LSASS is creating a cache1.bin on app data.
All are created by NT\SYSTEM
Location detected
C:\Users<my username>\AppData\Local\Microsoft\Windows\SFAP\cache1.bin
C:\Windows\ServiceProfiles\UIFlowService\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pilogsrvX64\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pinetmgr\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pilogsrv\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pimsgss\AppData\Local\Microsoft\Windows\SFAP\cache1.bin\SFAP\cache1.bin
I tried to search for same issue and found one on Microsoft but not answered.
https://learn.microsoft.com/en-us/answers/questions/1336646/what-is-the-cache1-bin-on-windows-11
Have anyone experience this?
What course of action taken?
08-28-2024 07:34 AM - edited 08-28-2024 07:44 AM
Patch details note updates to these system files
"SFAPM.dll","10.0.22621.3958","10-Aug-2024","20:35","293,360"
"SFAPE.dll","10.0.22621.3958","10-Aug-2024","20:35","51,720"
08-26-2024 01:56 AM - edited 08-26-2024 01:58 AM
We have seen a few of these alerts ourselves but no idea why.
As an additional piece of information, this event coincides with an event logged in the system log of affected hosts as per below:
NETLOGON Event ID 5823
The system successfully changed its password on the domain controller \\Domaincontroller. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.
08-27-2024 02:06 AM
Hello,
After a quick analysis we can see that the path contains "SFAP" and the process LSASS loaded 2 DLL with this name. Both DLL are known and signed by Microsoft.
I checked on other assets and I found 24 similar "cache1.bin" files created by LSASS on few assets. Seems legit.
And this alert does not exist in Threat Vault to get more info.
08-27-2024 09:17 AM
Hello, we are also seeing this issue in our environment.
The Cache0.bin\Cache1.bin file is generated within one or multiple service profiles in the folder C:\Windows\ServiceProfiles\PROFILENAME\AppData\Local\Microsoft\Windows\SFAP\
This cache file is always 0 bytes, and has a timestamp that corresponds with system event 5823 reporting that "The system successfully changed its password on the domain controller \\domain This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password."
This has only affected a handful of systems, all within the past 7 days. Other systems have logged the 5823 events without triggering a Cortex/LSASS alert or creating the cache.bin file.
Looking for any additional insight while determining root cause.
08-28-2024 07:34 AM - edited 08-28-2024 07:44 AM
Patch details note updates to these system files
"SFAPM.dll","10.0.22621.3958","10-Aug-2024","20:35","293,360"
"SFAPE.dll","10.0.22621.3958","10-Aug-2024","20:35","51,720"
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
