I keep getting this alert from AMP for Endpoints several times per day for the same endpoint. I can't really find the source of it. Device Trajectory is just showing me that a file associated with it is called c:\windows\system32\eac_usermode_192308288958008.dll. I can't tell if this is a false positive or something that I need to look further into.
- Event Type: Exploit Prevention
- Computer: XXXXX(obfuscated)
- Hostname: XXXXX(obfuscated)
- IP: 10.37.133.223
- User: SYSTEM@NT AUTHORITY
- File: lsass.exe
- File path: C:\WINDOWS\system32\lsass.exe
- Detection SHA-256: f56dddf7a8f1aa0f3d9ffe0cd618544cfaf233a33314240eccbe5f897a91b534
- By Application: <Non-existent Process>
- Timestamp: 2019-02-12 19:15:48 +0000 UTC