Forum Discussion
Attempted to query private data using key G$MNSEcryptionKey from XXXXXX
Hi EliOfek, I made some inquiries directly with the customer and they are not using any Novell installation. The error has appeared twice and it is coming from a Windows 10 Enterprise computer (17134). Do you think there is a legacy application that could be generating this alert? At this moment, I am collecting more info.
ECuadra, I did not get any other reports besides the Novell incident I already mentioned.
At this point this can be anything from a legit app to malicious code...
You should investigate to try and isolate the source on this machine.
I would appreciate if you continue to share once you have more info/clues, this is interesting.
Thanks,
Eli
- ECuadra, Dec 04, 2019, Copper Contributor
This is the original message
Further investigation about LsaRPC protocol and Azure ATP: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/monitored-activities
According to this note, there is not enough information about what this activity could be: a user authentication?
Private Data Retrieval: User attempted/succeeded to query private data using LSARPC protocol.
- ECuadra, Dec 04, 2019, Copper Contributor
EliOfek, the alert is displayed when the user has logged into the computer or during the day. There is no clue that it is caused by a legacy application. In this case, we have to review the computer event viewer. Is it possible to get more details through Azure ATP?