LSASS performing registry modifications (modifying system certificates) triggers SAMR alert

Yesterday evening, I saw many simultaneous AATP alerts that resembled the following example:

User and group membership reconnaissance (SAMR) was detected in n*******

An actor on PCABC-15 sent suspicious SAMR queries to DC04, searching for: all users in n*****.com, and also 33 sensitive users

All of the alerting computers were configured to run this specific Windows Defender Attack Surface Reduction Rule:

Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

The timelines at https://securitycenter.windows.com show that, at the time the incidents were reported on the domain controllers, LSASS.EXE on the alerting computers had modified the value of HKLM\SOFTWARE\Microsoft\SystemCertificate\My\Certificates\.

I believe this is a false positive. Hopefully the AATP and WD-ATP teams can combine to adjust the sensors.

1 Reply

@Joe Stern, the info provided does not show any correlation between the alerts and the actions described as happening by Defender, unless you can tell me that Defender created these queries/network traffic. Accessing the registry or modifying certs is not related to this alert...
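One way to make the correlation the reply asks for concrete, as an added example that is not part of this thread: a small Python triage script that joins Azure ATP SAMR alerts to Defender ATP timeline events by source host and time window, and reports whether anything in that window actually shows a process on the endpoint talking to the alerted DC, as opposed to an LSASS registry write that merely happened at the same time. The hostnames, timestamps and the net.exe event are constructed, not telemetry from the poster's environment.

```python
from datetime import datetime, timedelta

# Constructed sample data: hostnames, times and the net.exe event are made up
# to resemble the thread's description; they are not real telemetry.
CERT_KEY = "HKLM\\SOFTWARE\\Microsoft\\SystemCertificate\\My\\Certificates\\"


def T(h, m, s):
    return datetime(2019, 7, 8, h, m, s)


SAMR_ALERTS = [  # Azure ATP alerts: which host queried which DC, and when
    {"time": T(19, 2, 10), "source": "PCABC-15", "dc": "DC04"},
    {"time": T(19, 2, 45), "source": "PCABC-22", "dc": "DC04"},
]
TIMELINE_EVENTS = [  # Defender ATP machine-timeline events on the endpoints
    {"time": T(19, 1, 55), "host": "PCABC-15", "process": "lsass.exe",
     "action": "RegistryValueSet", "key": CERT_KEY, "remote": None},
    {"time": T(18, 20, 0), "host": "PCABC-22", "process": "lsass.exe",
     "action": "RegistryValueSet", "key": CERT_KEY, "remote": None},
    {"time": T(19, 2, 30), "host": "PCABC-22", "process": "net.exe",
     "action": "NetworkConnection", "key": None, "remote": "DC04"},
]


def events_near(alert, events, window=timedelta(minutes=2)):
    """Timeline events on the alert's source host within +/- window of the alert."""
    lo, hi = alert["time"] - window, alert["time"] + window
    return [e for e in events if e["host"] == alert["source"] and lo <= e["time"] <= hi]


def classify(alert, events, window=timedelta(minutes=2)):
    """Does the endpoint timeline explain the SAMR traffic, or merely coincide with it?
    'network-evidence': a process on the source host connected to the alerted DC;
    'coincidence-only': events exist in the window, but none is a connection to
                        that DC (e.g. only LSASS writing the certificate key);
    'no-events': nothing on that host in the window."""
    near = events_near(alert, events, window)
    if any(e["action"] == "NetworkConnection" and e["remote"] == alert["dc"] for e in near):
        return "network-evidence"
    return "coincidence-only" if near else "no-events"


def triage(alerts=SAMR_ALERTS, events=TIMELINE_EVENTS):
    """Map each alerting source host to its classification."""
    return {a["source"]: classify(a, events) for a in alerts}


if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host}: {verdict}")
```

With real data the timeline rows would come from the machine timeline export rather than the inline list; the verdict logic stays the same.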