Nov 22 2019 09:14 AM
I'm getting the message: "Attempted to query private data using key G$MNSEcryptionKey from XXXXXX" in Azure ATP alerts. There is no information on the web about what the key is. Could someone give a hand to get a reference or explanation about this?
Nov 22 2019 01:58 PM
Another customer who ran into the same message shared this info, you might check if it applies here as well:
"We found the explanation: The G$MNSEncryptionKey is from an old Novell Netware installation and the event occurs while the password of this user is changed."
Hope it helps.
Nov 27 2019 02:50 PM
Hi @Eli Ofek, I did some inquiries directly with the customer and they are not using any Novell installation. The error has appeared twice and it is coming from a Windows 10 Enterprise computer (17134). Do you think there is a legacy application that could be generating this alert? At this moment, I am collecting more info.
Nov 28 2019 01:42 PM
@ECuadra , I did not get any other reports besides the Novell incident I already mentioned.
At this point this can be anything from a legit app to malicious code...
You should investigate to try and isolate the source on this machine.
I would appreciate if you continue to share once you have more info/clues, this is interesting.
Thanks,
Eli
Dec 04 2019 10:42 AM
@Eli Ofek, the alert is displayed when the user has logged into the computer or during the day. There is no clue that it is caused by a legacy application. In this case, we have to review the computer event viewer. Is it possible to get more details through Azure ATP?
Dec 04 2019 10:59 AM
This is the original message
Further investigation about LsaRPC protocol and Azure ATP: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/monitored-activities
According to this note, there is not enough information on what this activity could be: a user authentication?
Private Data Retrieval | User attempted/succeeded to query private data using LSARPC protocol.
Dec 04 2019 11:22 AM
@ECuadra, all the information AATP has will be in the Excel you can export from the alert.
There is no more info in the DB for this alert that is not in the Excel.