LSASS performing registry modifications (modifiying system certificates) triggers SAMR alert

Question

Yesterday evening, I saw many simultaneous AATP alerts that resembled the following example:

User and group membership reconnaissance (SAMR) was detected in n*******

An actor on PCABC-15 sent suspicious SAMR queries to DC04, searching for: all users in n*****.com, and also 33 sensitive users

All of the alerting computers were configured to run this specific Windows Defender Attack Surface Reduction Rule:

Block credential stealing from the Windows local security authority subsystem (lsass.exe)

9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

The timelines at https://securitycenter.windows.com show that, at the time the incidents were reported on the domain controllers, LSASS.EXE on the alerting computers had modified the value of HKLM\SOFTWARE\Microsoft\SystemCertificate\My\Certificates\.

I believe this is a false positive. Hopefully the AATP and WD-ATP teams can combine to adjust the sensors.

eliofek · Answer

Joe Stern&nbsp;, The info provided does not show any correlation between the alerts and the actions described happening by defender, unless&nbsp; you can tell me that defender created these queries/network traffic. Accessing the registry or modifying certs is not related to this alert...
&nbsp;

Forum Discussion

LSASS performing registry modifications (modifiying system certificates) triggers SAMR alert

User and group membership reconnaissance (SAMR) was detected in n*******

An actor on PCABC-15 sent suspicious SAMR queries to DC04, searching for: all users in n*****.com, and also 33 sensitive users

1 Reply