Vague ATA alert


Does anyone have any insight on how I should approach this alert? 

A random VM attempted remote execution toward a DC, but there is absolutely zero info on what occurred to trigger this alert. Something must have happened to get it to trigger, so I am a bit lost as to what to look at.


1 Reply
MDI will never give you process information, as it's not monitoring the endpoint, just the DC. The actor identity is not always visible in the protocol (when it is, MDI will give you the info). Sometimes it might even be the machine account...
In addition, for remote execution, some of the protocols use encryption, so we only see that something happened, and not what exactly, which will cause us to alert in "best effort mode".
Your best option is MDE, if you have it on this endpoint: it does monitor the endpoint and might give you more info about which process might have triggered this around that time.
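The reply's suggestion, carried through as an added example that is not part of the thread: an Advanced Hunting (KQL) query in Microsoft 365 Defender that uses the MDE telemetry from the source VM to find which process opened connections to the DC in a window around the alert. It assumes the VM is onboarded to MDE; the hostname, DC IP and alert timestamp are placeholders to be taken from the alert page. The port list covers the transports MDI's remote-execution detection looks at (RPC/DCOM on 135 plus the dynamic range, SMB on 445, WinRM on 5985/5986).

```kql
// Added example: correlate an MDI remote-execution alert with MDE network telemetry
// on the source VM. All three values below are assumptions; replace them with the
// host, DC IP and timestamp shown in the alert.
let SourceVm  = "vm01";                              // assumed hostname of the source VM
let DcIp      = "10.0.0.10";                         // assumed IP of the targeted DC
let AlertTime = datetime(2021-07-09T14:00:00Z);      // assumed alert timestamp (UTC)
let Window    = 10m;                                 // look this far either side of the alert
// Transports used by the remote-execution methods MDI alerts on.
let RemoteExecPorts = dynamic([135, 445, 5985, 5986]);
DeviceNetworkEvents
| where Timestamp between ((AlertTime - Window) .. (AlertTime + Window))
| where DeviceName startswith SourceVm               // DeviceName is usually the FQDN
| where RemoteIP == DcIp
// Fixed ports, plus the RPC dynamic endpoint range used after the EPM lookup on 135.
| where RemotePort in (RemoteExecPorts) or RemotePort between (49152 .. 65535)
| project Timestamp, DeviceName, RemoteIP, RemotePort,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessId
| order by Timestamp asc
```

Read the result as a candidate list rather than an answer: a connection on 135 followed by one in the dynamic range from the same InitiatingProcessId is the usual shape of a DCOM or WMI call, a single 445 connection points at a service-based method (PsExec-style or an admin share), and 5985/5986 points at WinRM. The dynamic-range clause is noisy on busy hosts, so drop it once the 135 connection has identified the process. If the initiating process is svchost.exe or wmiprvse.exe, pivot to DeviceProcessEvents on the same host and window to find what launched the request.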