We know that attackers often use legitimate tools to take malicious actions. Recent incidents have been carried out using a known technique, Remote Code Execution (RCE), to spread malware inside a target network. This technique can be executed with legitimate administration tools such as WMIC and/or PsExec.
However, what attackers may not know is that this technique can be detected with Microsoft Advanced Threat Analytics (ATA). Historically, ATA has been able to detect RCE performed with PsExec. In version ATA 1.8, the RCE detection capability was extended to include Windows Management Instrumentation (WMI). Having visibility into remote execution on domain controllers (DCs) is a critical detection trigger to start an investigation.
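To make the detection idea concrete on the host side, here is an added example that is not part of the original post and not ATA's own logic (ATA inspects network traffic to the DC; this script instead looks at endpoint events). It scans a few constructed Windows event records, a flattened view of Security 4688 process-creation and System 7045 service-installation events, for the two execution paths the post names: PsExec, which installs its PSEXESVC service on the target and runs commands under it, and WMI, where commands spawned remotely appear as children of WmiPrvSE.exe. The field names and sample values are assumptions made for the example.

```python
"""Toy host-side detector for PsExec- and WMI-style remote execution.

Illustrative only: ATA's real detection works on DC network traffic, not on
these log fields. Event layout below is a simplified, constructed view of
Windows Security 4688 (process creation) and System 7045 (service installed).
"""
from typing import Dict, List

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    # A command spawned by the WMI Provider Host: typical of remote WMI execution.
    {"event_id": 4688, "host": "DC01", "user": "CORP\\admin",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    # PsExec installing its service on the target.
    {"event_id": 7045, "host": "DC01", "user": "CORP\\admin",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Benign interactive activity; should not trigger.
    {"event_id": 4688, "host": "DC01", "user": "CORP\\helpdesk",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    # A shell started under the PsExec service process.
    {"event_id": 4688, "host": "DC01", "user": "CORP\\admin",
     "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path (handles %VAR% prefixes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_remote_execution(events: List[Dict]) -> List[Dict]:
    """Return one finding per event that matches a PsExec or WMI execution pattern."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        technique = None
        if eid == 7045:
            # PsExec's default service name and binary; renamed copies need a
            # broader rule, which is one reason a DC-side view like ATA's helps.
            if (ev.get("service_name", "").upper() == "PSEXESVC"
                    or basename(ev.get("image_path", "")) == "psexesvc.exe"):
                technique = "PsExec service installed"
        elif eid == 4688:
            parent = basename(ev.get("parent", ""))
            if parent == "wmiprvse.exe":
                technique = "WMI remote execution"
            elif parent == "psexesvc.exe":
                technique = "PsExec remote execution"
        if technique:
            findings.append({"host": ev.get("host"), "user": ev.get("user"),
                             "technique": technique, "event_id": eid})
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per technique, a quick triage view for an analyst."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_remote_execution(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']}: {h['technique']} (event {h['event_id']}, user {h['user']})")
    print(summarize(hits))
```

The example deliberately flags on parent process rather than on the child's command line, because that is the stable part of both techniques; it also shows a gap the post's point about ATA addresses: a renamed PsExec service slips past the 7045 rule, whereas the network-level view on the DC sees the remote service creation regardless of its name.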