Forum Discussion
Joe Stern
Iron Contributor
Jul 12, 2019
LSASS performing registry modifications (modifying system certificates) triggers SAMR alert
Yesterday evening, I saw many simultaneous AATP alerts that resembled the following example: User and group membership reconnaissance (SAMR) was detected in n******* ...
EliOfek
Microsoft
Jul 14, 2019
Joe Stern, The info provided does not show any correlation between the alerts and the actions described happening by Defender, unless you can tell me that Defender created these queries/network traffic. Accessing the registry or modifying certs is not related to this alert...