LSASS performing registry modifications (modifiying system certificates) triggers SAMR alert

Joe Stern · ‎Jul 12 2019

Yesterday evening, I saw many simultaneous AATP alerts that resembled the following example:

User and group membership reconnaissance (SAMR) was detected in n*******

An actor on PCABC-15 sent suspicious SAMR queries to DC04, searching for: all users in n*****.com, and also 33 sensitive users

All of the alerting computers were configured to run this specific Windows Defender Attack Surface Reduction Rule:

Block credential stealing from the Windows local security authority subsystem (lsass.exe)

9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

The timelines at https://securitycenter.windows.com show that, at the time the incidents were reported on the domain controllers, LSASS.EXE on the alerting computers had modified the value of HKLM\SOFTWARE\Microsoft\SystemCertificate\My\Certificates\.

I believe this is a false positive. Hopefully the AATP and WD-ATP teams can combine to adjust the sensors.

Eli Ofek · ‎Jul 14 2019

@Joe Stern , The info provided does not show any correlation between the alerts and the actions described happening by defender, unless you can tell me that defender created these queries/network traffic. Accessing the registry or modifying certs is not related to this alert...

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

LSASS performing registry modifications (modifiying system certificates) triggers SAMR alert

LSASS performing registry modifications (modifiying system certificates) triggers SAMR alert

User and group membership reconnaissance (SAMR) was detected in n*******

An actor on PCABC-15 sent suspicious SAMR queries to DC04, searching for: all users in n*****.com, and also 33 sensitive users

Re: LSASS performing registry modifications (modifiying system certificates) triggers SAMR alert