Attempted to query private data using key G$MNSEcryptionKey from XXXXXX

%3CLINGO-SUB%20id%3D%22lingo-sub-1026425%22%20slang%3D%22en-US%22%3EAttempted%20to%20query%20private%20data%20using%20key%20G%24MNSEcryptionKey%20from%20XXXXXX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1026425%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20getting%20the%20message%3A%20%22%3CFONT%3EAttempted%20to%20query%20private%20data%20using%20key%20G%24MNSEcryptionKey%20from%20XXXXXX%22%20in%20Azure%20ATP%20alerts.%20There%20is%20not%20information%20in%20the%20web%20about%20what%20the%20key%20is.%26nbsp%3B%20Could%20someone%20give%20a%20hand%20to%20get%20a%20reference%20or%20explanation%20about%20this%3F%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1027262%22%20slang%3D%22en-US%22%3ERe%3A%20Attempted%20to%20query%20private%20data%20using%20key%20G%24MNSEcryptionKey%20from%20XXXXXX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1027262%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F465862%22%20target%3D%22_blank%22%3E%40ECuadra%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnother%20customer%20who%20ran%20into%20the%20same%20message%20share%20this%20info%2C%20you%20might%20check%20if%20it%20applies%20here%20as%20well%3A%3C%2FP%3E%0A%3CP%3E%22We%26nbsp%3B%3CSPAN%3Efound%20the%20explanation%3A%20The%20G%24MNSEncryptionKey%20is%20from%20a%20old%20Novell%20Netware%20installation%20and%20the%20event%20occurs%20while%20the%20password%20of%20this%20user%20is%20changed.%22%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3Ehope%20it%20helps.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1037185%22%20slang%3D%22en-US%22%3ERe%3A%20Attempted%20to%20query%20private%20data%20using%20key%20G%24MNSEcryptionKey%20from%20XXXXXX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1037185%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E%2C%26nbsp%3BI%20did%20some%20inquiries%20directly%20with%20the%20customer%20and%20they%20are%20not%20using%20any%20Novell%20installation.%20The%20error%20has%20appeared%20twice%20and%20it%20is%20coming%20from%20a%20Windows%2010%20Enterprise%20computer%20(17134).%20Do%20you%20think%20there%20is%20a%20legacy%20application%20that%20could%20be%20generating%20this%20alert%3F.%20At%20this%20moment%2C%20I%20am%20collecting%20more%20info.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1038914%22%20slang%3D%22en-US%22%3ERe%3A%20Attempted%20to%20query%20private%20data%20using%20key%20G%24MNSEcryptionKey%20from%20XXXXXX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1038914%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F465862%22%20target%3D%22_blank%22%3E%40ECuadra%3C%2FA%3E%26nbsp%3B%2C%20I%20did%20not%20get%20any%20other%20reports%20besides%20the%20Novell%20incident%20I%20already%20mentioned.%3C%2FP%3E%0A%3CP%3EAt%20this%20point%20this%20can%20be%20anything%20from%20a%20legit%20app%20to%20malicious%20code...%3C%2FP%3E%0A%3CP%3EYou%20should%20investigate%20to%20try%20and%20isolate%20the%20source%20on%20this%20machine.%3C%2FP%3E%0A%3CP%3EI%20would%20appreciate%20if%20you%20continue%20to%20share%20once%20you%20have%20more%20info%2Fclues%2C%20this%20is%20interesting.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEli%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1047610%22%20slang%3D%22en-US%22%3ERe%3A%20Attempted%20to%20query%20private%20data%20using%20key%20G%24MNSEcryptionKey%20from%20XXXXXX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1047610%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E%2Cthe%20alert%20is%20displayed%20when%20the%20user%20has%20logged%20into%20the%20computer%20or%20during%20the%20day.%20There%20is%20not%20a%20clue%20it%20is%20caused%20by%20a%20legacy%20application.%20In%20this%20case%2C%20we%20have%20to%20review%20the%20computer%20event%20viewer.%20Is%20it%20possible%20to%20get%20more%20details%20throught%20Azure%20ATP%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1047656%22%20slang%3D%22en-US%22%3ERe%3A%20Attempted%20to%20query%20private%20data%20using%20key%20G%24MNSEcryptionKey%20from%20XXXXXX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1047656%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20the%20original%20message%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20320px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F159993iF616AA17259FF6B9%2Fimage-dimensions%2F320x34%3Fv%3D1.0%22%20width%3D%22320%22%20height%3D%2234%22%20alt%3D%22Capture.JPG%22%20title%3D%22Capture.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EFurther%20investigation%20about%20LsaRPC%20protocol%20and%20Azure%20ATP%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fmonitored-activities%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fmonitored-activities%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAccording%20to%20this%20note%2C%20there%20is%20not%20enough%20information%20what%20this%20activity%20could%20be%3A%20an%20user%20authentication%3F%26nbsp%3B%3C%2FP%3E%3CTABLE%3E%3CTBODY%3E%3CTR%3E%3CTD%3EPrivate%20Data%20Retrieval%3C%2FTD%3E%3CTD%3EUser%20attempted%2Fsucceeded%20to%20query%20private%20data%20using%20LSARPC%20protocol.%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1047717%22%20slang%3D%22en-US%22%3ERe%3A%20Attempted%20to%20query%20private%20data%20using%20key%20G%24MNSEcryptionKey%20from%20XXXXXX%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1047717%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F465862%22%20target%3D%22_blank%22%3E%40ECuadra%3C%2FA%3E%26nbsp%3B%2C%20All%20the%20information%20AATP%20has%20will%20be%20in%20the%20excel%20you%20can%20export%20from%20the%20alert.%3C%2FP%3E%0A%3CP%3EThere%20is%20no%20more%20info%20in%20the%20DB%20for%20this%20alert%20that%20is%20not%20in%20the%20excel.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I'm getting the message: "Attempted to query private data using key G$MNSEcryptionKey from XXXXXX" in Azure ATP alerts. There is not information in the web about what the key is.  Could someone give a hand to get a reference or explanation about this?

6 Replies

@ECuadra 

Another customer who ran into the same message share this info, you might check if it applies here as well:

"We found the explanation: The G$MNSEncryptionKey is from a old Novell Netware installation and the event occurs while the password of this user is changed."

 

hope it helps.

Hi @Eli Ofek, I did some inquiries directly with the customer and they are not using any Novell installation. The error has appeared twice and it is coming from a Windows 10 Enterprise computer (17134). Do you think there is a legacy application that could be generating this alert?. At this moment, I am collecting more info.

@ECuadra , I did not get any other reports besides the Novell incident I already mentioned.

At this point this can be anything from a legit app to malicious code...

You should investigate to try and isolate the source on this machine.

I would appreciate if you continue to share once you have more info/clues, this is interesting.

 

Thanks,

 

Eli

@Eli Ofek,the alert is displayed when the user has logged into the computer or during the day. There is not a clue it is caused by a legacy application. In this case, we have to review the computer event viewer. Is it possible to get more details throught Azure ATP?

This is the original messageCapture.JPG

Further investigation about LsaRPC protocol and Azure ATP: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/monitored-activities

 

According to this note, there is not enough information what this activity could be: an user authentication? 

Private Data RetrievalUser attempted/succeeded to query private data using LSARPC protocol.

@ECuadra , All the information AATP has will be in the excel you can export from the alert.

There is no more info in the DB for this alert that is not in the excel.