July 9, 2021

Vague Microsoft ATA Alert

Trying to crowdsource some info or where/what to look into on this.


Got a super vague alert from ATA this morning, which historically has been very good about the info provided. But today I received…

“Remote execution attempt detected” – OK you got my attention

Source – Random user’s Vm

Target – Our PDC

Keyword “attempted remote creation of one or more services” – what services?


Log into ATA and it lists the VM —-> PDC and then everything else says unknown…

Unknown account, unknown service(s), unknown result.

Checked with the user and all they are doing is looking at a word document and weren’t even at their machine when this happened.

Anyone out there able to help me get a bead on wtf this is/was or is it looking like some wonky false positive cause by a service on the VM?

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: By filling this form and submitting your commen, you acknowledge, agree and comply with our terms of service. In addition you acknowledge that you are willingly sharing your email address with AiOWikis and you might receive notification emails from AiOWikis for comment notifications. AiOWiksi guarantees that your email address WILL NOT be used for advertisement or email marketting purposes.

This site uses Akismet to reduce spam. Learn how your comment data is processed.