Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

LSASS creating a cache1.bin on appdata

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

LSASS creating a cache1.bin on appdata

L0 Member

We have an alert on 2 different device that LSASS is creating a cache1.bin on app data.

All are created by NT\SYSTEM

 

Location detected

C:\Users<my username>\AppData\Local\Microsoft\Windows\SFAP\cache1.bin

C:\Windows\ServiceProfiles\UIFlowService\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pilogsrvX64\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pinetmgr\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pilogsrv\AppData\Local\Microsoft\Windows\SFAP\cache1.bin, C:\Windows\ServiceProfiles\pimsgss\AppData\Local\Microsoft\Windows\SFAP\cache1.bin\SFAP\cache1.bin

 

I tried to search for same issue and found one on Microsoft but not answered.

https://learn.microsoft.com/en-us/answers/questions/1336646/what-is-the-cache1-bin-on-windows-11

 

Have anyone experience this?

What course of action taken?

1 accepted solution

Accepted Solutions

L0 Member
Issue seems to have been initiated by KB5041585, which began deploying to the environment on 8/13/24. Microsoft is reporting that two vulnerabilities relating to the Local Security Authority Subsystem Service (LSASS) are addressed with this patch - CVE-2024-38118 and CVE-2024-38122 - Both of these are related to CWE-908: Use of Uninitialized Resource
 

Patch details note updates to these system files

"SFAPM.dll","10.0.22621.3958","10-Aug-2024","20:35","293,360"
"SFAPE.dll","10.0.22621.3958","10-Aug-2024","20:35","51,720"

 
This patch has currently been deployed to hundreds systems, and I suspect that each will throw this alert when they renew their computer account password automatically. 

I have not found any signs of malicious activity related to these incidents, and do believe this is a new, but legitimate behavior from the Local Security Authority Subsystem Service.

View solution in original post

4 REPLIES 4

L0 Member

We have seen a few of these alerts ourselves but no idea why.

As an additional piece of information, this event coincides with an event logged in the system log of affected hosts as per below:

NETLOGON Event ID 5823
The system successfully changed its password on the domain controller \\Domaincontroller. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.

L0 Member

Hello, 
After a quick analysis we can see that the path contains "SFAP" and the process LSASS loaded 2 DLL with this name. Both DLL are known and signed by Microsoft. 
I checked on other assets and I found 24 similar "cache1.bin" files created by LSASS on few assets. Seems legit.

And this alert does not exist in Threat Vault to get more info. 

L0 Member

Hello, we are also seeing this issue in our environment. 

The Cache0.bin\Cache1.bin file is generated within one or multiple service profiles in the folder C:\Windows\ServiceProfiles\PROFILENAME\AppData\Local\Microsoft\Windows\SFAP\

This cache file is always 0 bytes, and has a timestamp that corresponds with system event 5823 reporting that "The system successfully changed its password on the domain controller \\domain This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password."

This has only affected a handful of systems, all within the past 7 days. Other systems have logged the 5823 events without triggering a Cortex/LSASS alert or creating the cache.bin file.

Looking for any additional insight while determining root cause.

L0 Member
Issue seems to have been initiated by KB5041585, which began deploying to the environment on 8/13/24. Microsoft is reporting that two vulnerabilities relating to the Local Security Authority Subsystem Service (LSASS) are addressed with this patch - CVE-2024-38118 and CVE-2024-38122 - Both of these are related to CWE-908: Use of Uninitialized Resource
 

Patch details note updates to these system files

"SFAPM.dll","10.0.22621.3958","10-Aug-2024","20:35","293,360"
"SFAPE.dll","10.0.22621.3958","10-Aug-2024","20:35","51,720"

 
This patch has currently been deployed to hundreds systems, and I suspect that each will throw this alert when they renew their computer account password automatically. 

I have not found any signs of malicious activity related to these incidents, and do believe this is a new, but legitimate behavior from the Local Security Authority Subsystem Service.
  • 1 accepted solution
  • 2818 Views
  • 4 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!