One of our customers has been using Microsoft ATA for some time now. We noticed several "Remote execution attempts detected" alerts. These could be malicious or legitimate usage. To verify whether this is a false positive, one of the first things you would check is who launched the WMI queries and which WMI cmdlets/methods were used. Unfortunately, this information is not available:

  • accounts: Unknown
  • unknown WMI method

Checking the audit policy of the DCs, they seem to be OK according to the audit policy script. Could somebody specify which audit policy should be enabled to have this type of visibility? Or does this depend on other prerequisites?
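As an added example (not part of the original post, and not Microsoft's ATA audit policy script), here is one way to dump the effective audit policy of one or more domain controllers and flag subcategories that are not auditing Success. It relies only on `auditpol /get /category:* /r`, whose CSV columns are `Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting`. The `$Wanted` list is an assumption about which subcategories are typically needed to attribute remote activity to an account on a DC; whether ATA needs these or others for this alert type is exactly the open question above.

```powershell
# Added example: check effective audit policy on DCs via auditpol CSV output.
# Not from the original post and not ATA's own audit policy script.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Assumed subcategories worth confirming on a DC (an assumption, not an ATA requirement list).
$Wanted = @(
    'Credential Validation',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'Logon',
    'Process Creation'
)

function Get-EffectiveAuditPolicy {
    param([string]$Computer)

    # auditpol /r emits CSV; run locally where possible, otherwise over WinRM.
    if ($Computer -ieq $env:COMPUTERNAME) {
        $lines = auditpol /get /category:* /r
    } else {
        $lines = Invoke-Command -ComputerName $Computer -ScriptBlock { auditpol /get /category:* /r }
    }

    # Drop blank lines before parsing; the first remaining line is the CSV header.
    $lines | Where-Object { $_ -and $_ -notmatch '^\s*$' } | ConvertFrom-Csv
}

function Test-AuditSubcategories {
    param(
        [string]$Computer,
        [string[]]$Subcategories
    )

    $policy = Get-EffectiveAuditPolicy -Computer $Computer
    foreach ($name in $Subcategories) {
        $row = $policy | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'missing' }

        # "Success" or "Success and Failure" both count as OK for attribution purposes.
        [pscustomobject]@{
            Computer    = $Computer
            Subcategory = $name
            Setting     = $setting
            Ok          = ($setting -match 'Success')
        }
    }
}

foreach ($dc in $ComputerName) {
    Test-AuditSubcategories -Computer $dc -Subcategories $Wanted
}
```

Run it from an elevated PowerShell prompt; querying remote DCs requires WinRM to be enabled on them. Any row with `Ok = False` points at a subcategory whose events will not be generated on that DC, regardless of what any downstream collector expects.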


