LSASS performing registry modifications (modifiying system certificates) triggers SAMR alert

Occasional Contributor

Yesterday evening, I saw many simultaneous AATP alerts that resembled the following example:

 

User and group membership reconnaissance (SAMR) was detected in n*******

 

 

An actor on PCABC-15 sent suspicious SAMR queries to DC04, searching for: all users in n*****.com, and also 33 sensitive users

 

 

All of the alerting computers were configured to run this specific Windows Defender Attack Surface Reduction Rule:

 

Block credential stealing from the Windows local security authority subsystem (lsass.exe)9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

 

The timelines at https://securitycenter.windows.com show that, at the time the incidents were reported on the domain controllers, LSASS.EXE on the alerting computers had modified the value of HKLM\SOFTWARE\Microsoft\SystemCertificate\My\Certificates\.

 

I believe this is a false positive. Hopefully the AATP and WD-ATP teams can combine to adjust the sensors.

 

1 Reply

@Joe Stern , The info provided does not show any correlation between the alerts and the actions described happening by defender, unless  you can tell me that defender created these queries/network traffic. Accessing the registry or modifying certs is not related to this alert...