Should ATA report wmic and psexec executions with access denied against a DC?

  • Question

  • Hi,

    I'm new to ATA and started testing it in our domain. ATA reports DNS recon and I tried running wmic and psexec commands as described in the ATA playbook:

    wmic /node:dc1 process call create "net user /add InsertedUser pa$$w0rd1"

    psexec \\dc1 -accepteula net localgroup "Administrators" InsertedUser /add

    For both I get an access denied (which is correct for the user I'm testing with). Shouldn't those tries also get reported in ATA? I don't see any message so far for those attempts.

    Thursday, June 25, 2020 3:56 PM

Answers

  • Hello,

    To my knowledge, if the access is denied by running the commands, it won't be reported in ATA.

    You may find the info from the event logs in Windows.

    How about running the commands successfully, and checking the ATA report?

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Dr.Zoidberg Friday, June 26, 2020 6:15 AM
    Friday, June 26, 2020 2:53 AM

All replies

  • Hi Andy,

    thanks for your reply. If the commands are successful they will be reported.

    I was just thinking that an attacker might try to run such commands without success - yet. And it would be good to know if that happens before they are successful later.

    Best regards
    Frank

    Friday, June 26, 2020 6:15 AM
  • Are there any health issues reported in ATA's portal?

    Is the targeted DC actively monitored by a gateway?

    Are there any exclusions set for the attacking user/machine?

    Friday, June 26, 2020 10:23 PM
  • > Are there any health issues reported in ATA's portal?

    no

    > Is the targeted DC actively monitored by a gateway?

    yes, other recon-tests are reported correctly

    > Are there any exclusions set for the attacking user/machine?

    no

    So should ATA report those tries even if not successful?

    Tuesday, July 7, 2020 2:44 PM
  • As far as I remember, for psexec, it should report it only if the authentication to the DC was a success.

    If you run psexec with a successful auth, does it alert?

    Tuesday, July 7, 2020 3:04 PM
    I cannot try this yet but I guess that's expected behavior. Thanks!
    Tuesday, July 7, 2020 3:13 PM
  • Hello,

    To make it clear, I'll write a summary here.

    Issue

    ========

    Running wmic and psexec commands as described in the ATA playbook, for both I get an access denied:

    wmic /node:dc1 process call create "net user /add InsertedUser pa$$w0rd1"

    psexec \\dc1 -accepteula net localgroup "Administrators" InsertedUser /add

    They do not get reported in ATA.

    Resolution

    ========

    If the access is denied by running the commands, it won't be reported in ATA.

    You may find the info from the event logs in Windows.

    How about running the commands successfully, and checking the ATA report?

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 17, 2020 4:08 AM
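A defender-side check for the gap Andy describes, as an added example that is not part of the thread: it correlates constructed Windows Security event 4624 and 5140 records (assumed field names; assumes file-share failure auditing is enabled on the DC) to surface a psexec-style attempt that authenticated but was denied on ADMIN$, which is the trace the Windows event logs hold where ATA stays silent.

```python
"""Added example (not from the thread): correlate Windows Security log
records on a DC to surface a denied psexec-style attempt, the case the
thread says ATA does not alert on.  Assumes the fields of event 4624
(network logon, LogonType 3) and event 5140 (network share accessed,
logged as an audit failure when 'Audit File Share' failure auditing is
enabled on the DC); the records below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample records, shaped like the relevant 4624/5140 fields.
SAMPLE_EVENTS = [
    {"time": "2020-06-25T15:50:01", "id": 4624, "failure": False,
     "user": "testuser", "ip": "10.0.0.25", "logon_type": 3, "share": None},
    # psexec copies its service binary to ADMIN$; a non-admin is denied here.
    {"time": "2020-06-25T15:50:02", "id": 5140, "failure": True,
     "user": "testuser", "ip": "10.0.0.25", "logon_type": None,
     "share": r"\\*\ADMIN$"},
    # Benign: a service account reading SYSVOL successfully.
    {"time": "2020-06-25T15:55:10", "id": 4624, "failure": False,
     "user": "backupsvc", "ip": "10.0.0.40", "logon_type": 3, "share": None},
    {"time": "2020-06-25T15:55:11", "id": 5140, "failure": False,
     "user": "backupsvc", "ip": "10.0.0.40", "logon_type": None,
     "share": r"\\*\SYSVOL"},
]

# Administrative shares a remote-execution tool needs; IPC$ is left out
# because ordinary RPC traffic makes it far too noisy to alert on.
ADMIN_SHARES = {r"\\*\ADMIN$", r"\\*\C$"}


def find_denied_remote_admin(events, window=timedelta(seconds=30)):
    """Return (time, user, ip, share) for each failed admin-share access
    that follows a successful network logon by the same user/IP within
    `window`: valid credentials, but not enough privilege."""
    events = sorted(events, key=lambda e: e["time"])
    recent_logons = {}  # (user, ip) -> datetime of last network logon
    findings = []
    for e in events:
        when = datetime.fromisoformat(e["time"])
        if e["id"] == 4624 and e["logon_type"] == 3 and not e["failure"]:
            recent_logons[(e["user"], e["ip"])] = when
        elif e["id"] == 5140 and e["failure"] and e["share"] in ADMIN_SHARES:
            logon = recent_logons.get((e["user"], e["ip"]))
            if logon is not None and when - logon <= window:
                findings.append((e["time"], e["user"], e["ip"], e["share"]))
    return findings


if __name__ == "__main__":
    for hit in find_denied_remote_admin(SAMPLE_EVENTS):
        print("denied admin-share access after network logon:", hit)
```

On a real DC the same correlation applies to records pulled with Get-WinEvent from the Security log, provided the file-share failure audit policy is actually enabled.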