Trying to crowdsource some info or where/what to look into on this.
Got a super vague alert from ATA this morning, which historically has been very good about the info provided. But today I received…
“Remote execution attempt detected” – OK you got my attention
Source – Random user’s VM
Target – Our PDC
Keyword “attempted remote creation of one or more services” – what services?
Log into ATA and it lists the VM -> PDC and then everything else says unknown…
Unknown account, unknown service(s), unknown result.
Checked with the user and all they are doing is looking at a word document and weren’t even at their machine when this happened.
Anyone out there able to help me get a bead on wtf this is/was, or is it looking like some wonky false positive caused by a service on the VM?