Apr 29 2019 09:20 AM
Yes, sometimes this is possible due to certain things being encrypted, such as WinRM. On the Azure ATP side, we have Event Tracing for Windows (ETW), which sometimes can help us see a larger picture. However, ATA, due to architecture and performance constraints, doesn't have ETW as a data source today.
The Advanced Audit Policy settings are great to confirm, but they will only confirm you have access to the NTLM logs of the DC, as well as other things like Security Group modification and so forth. Having those properly configured helps, just not in this particular case, unfortunately.
This said, the best thing to do is figure out if the source computer means anything to you. Is it an Admin machine? Is it an AAD Connect or other management server that should be executing remote code execution against a DC?