Forum Discussion
PowerShell script is triggering the AD alert when executing on any local server, as user or computer
- Sumitsk, May 09, 2022, Copper Contributor
Harm_Veenstra One thing I also understood is that the user who is executing the script is a local user, not a domain user. It's trying to collect the details from the target server, but in the backend somewhere it's connecting to the AD server. And the error I am getting is like below: the user and the error type.
Is it the server-level hardening blocking the login, or is it the script which is trying to get something from the AD server instead of the target servers where the actual script is executing?
- LainRobertson, May 09, 2022, Silver Contributor
My expectation is that the NTLM event is coming from how the script is being called, not from the script itself.
Rather than focusing on the script content, focus on how it's being run, i.e. via something like psexec, Invoke-Command, a scheduled task, SCCM utility, etc., etc.
In theory, WMI can also be the source but the calls to Get-WmiObject and Get-CimInstance do not use such triggers (such as alternate credentials and/or impersonation levels) meaning that is irrelevant in this case. That only leaves how it's being launched.
While the script itself is not written very well, there's nothing in it that would trigger the events you're seeing.
Cheers,
Lain
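One way to check Lain's point on a target server, as an added example that is not part of the thread: pull the NTLM logons from the Security log and group them by logon type, logon process and source, which shows the launcher (PsExec, WinRM/Invoke-Command, a scheduled task, an agent) rather than the script body. It assumes you run it as a local administrator on one of the target servers and that the standard Event ID 4624 fields are present.

```powershell
# Added example (not the thread's script): triage NTLM logons on a target server.
# Assumes local administrator rights and a readable Security log.
param(
    [int]$Hours = 24   # look-back window; adjust to cover the automation run
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction Stop

# Parse each 4624 event's XML and keep only logons that used the NTLM package.
$ntlm = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.AuthenticationPackageName -eq 'NTLM') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType        # 3 = network (PsExec/WinRM/SMB), 4 = batch (scheduled task), 5 = service
            LogonProc   = $d.LogonProcessName # e.g. NtLmSsp for a network NTLM logon
            Workstation = $d.WorkstationName
            SourceIP    = $d.IpAddress
        }
    }
}

# The launcher shows up in these groupings; the script content does not.
$ntlm | Group-Object LogonType, LogonProc, Workstation, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Note that a local (non-domain) account authenticating to a server over the network cannot use Kerberos, so every such remote logon will appear as NTLM regardless of what the script does.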
- Sumitsk, May 09, 2022, Copper Contributor
Yes Lain, we are using the BMC TrueSight Server Automation tool, which pushes the script to 100 target servers in any directory and executes it on all 100 servers. After that, the Security team raised the concern that they have a high volume of alerts, which was around 4956 alerts.