Detecting remote code execution with Microsoft ATA


Attackers can often use legitimate tools to take malicious actions. Recent incidents have been perpetrated using a known technique, Remote Code Execution (RCE), to spread malware inside a targeted network. This attack can be executed using legitimate tools such as WMIC and/or PsExec.

Microsoft ATA

In the screenshot you can see that ATA has detected an RCE attempt and reports the account that executed the command (ContosoAdmin), the source computer (; our Kali machine) and the WMI command passed (mkdir FLAG_PLANTED). This information is very valuable for starting the investigation.

These attackers like to use RCE instead of Remote Desktop Protocol (RDP) to connect to machines, as it gives them stealthy access and lets them take control of, or harvest credentials on, remote machines, including Domain Controllers (DCs).

Once an attacker can execute arbitrary commands on a DC, they don’t just own that DC; they control the entire Active Directory forest. RCE remains a significant threat because it allows an attacker to run arbitrary code on the destination machine.

However, what attackers may not know is that this technique can be detected with Microsoft Advanced Threat Analytics (ATA). Historically, Microsoft ATA has been able to detect RCE with PsExec. In ATA version 1.8, the RCE detection capability was extended to include Windows Management Instrumentation (WMI). Having this visibility of remote execution on DCs is a critical detection trigger to start an investigation.
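As a host-log complement to the alert described above, the following added example (not part of the original post and not ATA's own detection logic) triages exported Windows events from DCs for the same two techniques. It assumes Sysmon process-creation logging (Event ID 1) is deployed on the DCs; the host names, the account's domain prefix and all event values are constructed for illustration.

```python
import ntpath

DOMAIN_CONTROLLERS = {"DC01"}  # assumption: replace with your own DC host names

# Constructed sample records, shaped like exported Windows events.
SAMPLE_EVENTS = [
    # System log 7045: a service was installed (PsExec's default service name).
    {"Computer": "DC01", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    # Sysmon 1: process created as a child of the WMI provider host.
    {"Computer": "DC01", "EventID": 1, "User": r"CONTOSO\ContosoAdmin",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c mkdir FLAG_PLANTED"},
    # Benign interactive process on the DC: must not be flagged.
    {"Computer": "DC01", "EventID": 1, "User": r"CONTOSO\ContosoAdmin",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mmc.exe", "CommandLine": "mmc.exe dsa.msc"},
    # Same WMI pattern on a workstation: outside the DC scope of this check.
    {"Computer": "WKS07", "EventID": 1, "User": r"CONTOSO\helpdesk",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ver"},
]

def classify(event):
    """Return a finding for PsExec- or WMI-style remote execution, else None."""
    eid = event.get("EventID")
    # Matches the default service name only; a renamed service needs other signals.
    if eid == 7045 and event.get("ServiceName", "").upper() == "PSEXESVC":
        return {"technique": "PsExec", "host": event["Computer"],
                "account": event.get("AccountName"), "detail": event.get("ImagePath")}
    # WmiPrvSE.exe also has legitimate children, so a hit is a triage lead.
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if eid == 1 and parent == "wmiprvse.exe":
        return {"technique": "WMI", "host": event["Computer"],
                "account": event.get("User"), "detail": event.get("CommandLine")}
    return None

def triage(events, dcs=DOMAIN_CONTROLLERS):
    """Keep only findings raised on domain controllers."""
    on_dcs = (e for e in events if e.get("Computer", "").upper() in dcs)
    return [f for f in map(classify, on_dcs) if f]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Neither record type carries the source computer; correlating the finding with the network logon event (4624, logon type 3) recorded on the same DC supplies it.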


For more information on Microsoft ATA or Enterprise Mobility + Security visit
