Apr 26 2019 - last edited on Nov 30 2021
One of our customers has been using Microsoft ATA for some time now. We noticed several "Remote execution attempts detected" alerts. This could be malicious or legitimate usage. To verify whether this is a false positive, one of the first things you would check is who launched the WMI queries and which WMI cmdlets/methods were used. Unfortunately, this information is not available.
Checking the audit policy of the DCs with the audit policy script, they seem to be OK. Could somebody specify which audit policy should be enabled to have this type of visibility? Or does this depend on other prerequisites?
Apr 29 2019 09:20 AM
Yes, sometimes this is possible due to certain things being encrypted, such as WinRM. On Azure ATP side, we have Event Tracing for Windows (ETW) which sometimes can help us see a larger picture. However ATA, due to architecture and performance constraints, doesn't have ETW as a data source today.
The Advanced Audit Policy settings are great to confirm, but they will only confirm you have access to the NTLM logs of the DC, as well as other things like Security Group modification and so forth. Having those properly configured helps, just not in this particular case, unfortunately.
That said, the best thing to do is figure out whether the source computer means anything to you. Is it an admin machine? Is it an AAD Connect or other management server that should be performing remote code execution against a DC?
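As an added example (not from the thread's participants or from the ATA product), the following PowerShell triage script pulls the question's missing detail from the DC's own Security log rather than from ATA: which account started which process under the WMI provider host (`WmiPrvSE.exe`), so the alert's source computer can be matched against a real command. It assumes that Advanced Audit Policy "Audit Process Creation" (event 4688) and "Include command line in process creation events" are already enabled on the DC, and that it is run on, or with rights to read the Security log of, that DC; the lookback window is a constructed parameter.

```powershell
# Added triage example: list processes spawned by WmiPrvSE.exe on a DC,
# using Security event 4688 (process creation). Assumes "Audit Process
# Creation" and command-line logging are enabled; adjust -Hours as needed.
param(
    [int]$Hours = 24,                         # constructed default lookback
    [string]$ComputerName = $env:COMPUTERNAME # DC to query (assumption)
)

$since = (Get-Date).AddHours(-$Hours)

# Filter hashtable is the efficient server-side filter for Get-WinEvent.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Parse the event XML so fields are addressed by name, not by index
    # (the index of ParentProcessName differs across Windows builds).
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $f = @{}
    foreach ($d in $data) { $f[$d.Name] = $d.'#text' }

    if ($f['ParentProcessName'] -notlike '*\WmiPrvSE.exe') { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
        NewProcess  = $f['NewProcessName']
        CommandLine = $f['CommandLine']   # empty if command-line auditing is off
    }
}
# Note: 4688 records the account and the command, not the originating host.
# Correlate the timestamp and account with the source computer named in the
# ATA alert to decide whether the activity is expected admin tooling.
```

Run it as `.\Get-WmiSpawnedProcesses.ps1 -Hours 48 -ComputerName DC01` (names are placeholders). A management server that only runs harmless inventory queries will produce no child processes here; an entry with a `cmd.exe` or `powershell.exe` child and an unexpected account is what warrants a closer look.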