LSASS performing registry modifications (modifying system certificates) triggers SAMR alert

Yesterday evening, I saw many simultaneous AATP alerts that resembled the following example:

User and group membership reconnaissance (SAMR) was detected in n*******

An actor on PCABC-15 sent suspicious SAMR queries to DC04, searching for: all users in n*****.com, and also 33 sensitive users

All of the alerting computers were configured to run this specific Windows Defender Attack Surface Reduction Rule:

Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Rule GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

The timelines at show that, at the time the incidents were reported on the domain controllers, LSASS.EXE on the alerting computers had modified the value of HKLM\SOFTWARE\Microsoft\SystemCertificate\My\Certificates\.

I believe this is a false positive. Hopefully the AATP and WD-ATP teams can combine to adjust the sensors.


1 Reply

@Joe Stern, The info provided does not show any correlation between the alerts and the actions described happening by defender, unless you can tell me that defender created these queries/network traffic. Accessing the registry or modifying certs is not related to this alert...
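The reply's point, that a timeline coincidence only counts as correlation if Defender actually acted on the host at that moment, can be checked on an alerting workstation. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes an elevated session, that $AlertTime is set to the AATP alert timestamp, and that the rule GUID quoted in the post identifies the LSASS ASR rule.

```powershell
# Added example (not from the thread): report the configured mode of the LSASS ASR rule
# and list Defender ASR block/audit events in a window around the AATP alert time,
# so a Defender action can be tied to (or ruled out against) the SAMR alert.
param(
    [datetime]$AlertTime = (Get-Date).AddHours(-12),   # placeholder: set to the AATP alert time
    [int]$WindowMinutes = 15
)

$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # rule GUID quoted in the post

# 1. Is the rule configured on this host, and in which mode? (0=Off, 1=Block, 2=Audit, 6=Warn)
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$index = [array]::IndexOf($ids, $LsassRuleId)
if ($index -lt 0) {
    Write-Output "LSASS ASR rule is not configured on this host."
} else {
    $modeName = @{0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn'}
    $mode = $modeName[[int]$pref.AttackSurfaceReductionRules_Actions[$index]]
    Write-Output "LSASS ASR rule configured, mode: $mode"
}

# 2. ASR events (1121 = rule blocked, 1122 = rule audited) within the window around the alert.
$start  = $AlertTime.AddMinutes(-$WindowMinutes)
$end    = $AlertTime.AddMinutes($WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No ASR block/audit events between $start and $end: Defender did not act in this window."
} else {
    # The event message names the rule ID, the acting process and the target;
    # keep only events for the LSASS rule (-match is case-insensitive by default).
    $events | Where-Object { $_.Message -match $LsassRuleId } |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

If no 1121/1122 events fall in the window, the ASR rule did not fire at the alert time, which supports the reply's view that the registry write and the SAMR alert are unrelated.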