Jul 12 2019 05:42 AM
Yesterday evening, I saw many simultaneous AATP alerts that resembled the following example:
[alert example not captured in this copy]
All of the alerting computers were configured to run this specific Windows Defender Attack Surface Reduction Rule:
Block credential stealing from the Windows local security authority subsystem (lsass.exe), rule ID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
The timelines at https://securitycenter.windows.com show that, at the time the incidents were reported on the domain controllers, LSASS.EXE on the alerting computers had modified the value of HKLM\SOFTWARE\Microsoft\SystemCertificate\My\Certificates\.
I believe this is a false positive. Hopefully the AATP and WD-ATP teams can combine to adjust the sensors.
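One check worth running on an alerting host before calling this a false positive is whether the LSASS rule is actually in Block mode there and whether it fired at all around the alert time. The PowerShell below is an added example, not code from the original post; it assumes it runs elevated on one of the alerting computers and uses the Defender operational log's ASR event IDs 1121 (blocked) and 1122 (audited).

```powershell
# Added example (not from the original post): report the configured mode of the
# LSASS credential-theft ASR rule on this endpoint and list any ASR events it
# produced in the last 24 hours, so the AATP alert can be read against that.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # rule ID quoted in the post

# Action codes used by Set-MpPreference / Add-MpPreference for ASR rules
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

# Ids and Actions are parallel arrays; find the entry for our rule
$mode = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $LsassRuleId) {
        $code = [int]$actions[$i]
        $mode = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown ($code)" }
    }
}

[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    RuleId   = $LsassRuleId
    Mode     = $mode
}

# ASR events: 1121 = rule blocked an action, 1122 = rule would have blocked (audit)
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddHours(-24)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $LsassRuleId } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -split "`n" | Select-Object -First 1 } } |
    Format-Table -AutoSize
```

If the rule is in Audit mode or no 1121/1122 event exists near the alert time, the ASR rule did not act on the LSASS registry write and the two observations are unrelated.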
Jul 14 2019 02:14 AM
@Joe Stern, the info provided does not show any correlation between the alerts and the actions described as happening by Defender, unless you can tell me that Defender created these queries/network traffic. Accessing the registry or modifying certs is not related to this alert...