Task 6.2: Remote code execution attempts
Defender for Identity detects PsExec, Remote WMI, and PowerShell connections from a client machine to a domain controller. Attackers can run remote commands on your domain controller or Active Directory Federation Services (AD FS) server to create persistence, collect data, or perform a denial of service (DoS).
Tools used in this test: Sysinternals downloads
In the PowerShell window on WIN6, run:
winrs /r:DC01 "powershell -NonInteractive -OutputFormat xml -NoProfile -EncodedCommand RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAHIAZQAgAC0AUAByAG8AcABlAHIAdAB5ACAATgBhAG0AZQAsAFMAdABhAHQAdQBzACwAUABhAHQAaAAgAC0ATgBhAG0AZQBzAHAAYQBjAGUAIABSAE8ATwBUAFwAYwBpAG0AdgAyACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABDAG8AbgB0AGkAbgB1AGUAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBDAFMAVgAgAC0ATgBvAFQAeQBwAGUASQBuAGYAbwByAG0AYQB0AGkAbwBuAA=="
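To see what the command above actually asks DC01 to run, and to show the check a SOC analyst would apply to any process-creation record that carries an -EncodedCommand switch, here is a small Python decoder. It is an added example, not part of the lab guide or of Defender for Identity; the sample command line is the winrs line from this step, the function and variable names are mine, and the base64/UTF-16LE handling is how PowerShell itself defines the switch. Decoded, this step's payload is "Get-WmiObject Win32_Share -Property Name,Status,Path -Namespace ROOT\cimv2 -ErrorAction Continue | ConvertTo-CSV -NoTypeInformation", a benign share listing that still raises the alert because of the remote execution path into the domain controller.

```python
import base64
import binascii
import re

# Constructed sample input: the winrs command line from this lab step, as a
# process-creation event (for example Windows event 4688) would record it.
SAMPLE_COMMAND_LINE = (
    'winrs /r:DC01 "powershell -NonInteractive -OutputFormat xml -NoProfile '
    '-EncodedCommand '
    'RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAHIAZQAgAC0A'
    'UAByAG8AcABlAHIAdAB5ACAATgBhAG0AZQAsAFMAdABhAHQAdQBzACwAUABhAHQAaAAgAC0A'
    'TgBhAG0AZQBzAHAAYQBjAGUAIABSAE8ATwBUAFwAYwBpAG0AdgAyACAALQBFAHIAcgBvAHIA'
    'QQBjAHQAaQBvAG4AIABDAG8AbgB0AGkAbgB1AGUAIAB8ACAAQwBvAG4AdgBlAHIAdABUAG8A'
    'LQBDAFMAVgAgAC0ATgBvAFQAeQBwAGUASQBuAGYAbwByAG0AYQB0AGkAbwBuAA=="'
)

# PowerShell accepts any unique prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so the short forms are matched as well as the full switch name.
ENCODED_SWITCH = re.compile(
    r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)

# winrs names the remote host with /r: (or -r:); capture it as the target.
WINRS_TARGET = re.compile(r"winrs(?:\.exe)?\s+.*?[/-]r:(\S+)", re.IGNORECASE)


def decode_encoded_command(token: str):
    """Decode an -EncodedCommand argument (base64 of UTF-16LE text).

    Returns the script text, or None when the token is not valid base64,
    is empty, has an odd byte length (impossible for UTF-16LE), or does not
    decode as UTF-16LE. A None here is itself worth flagging: a payload that
    PowerShell would reject is still evidence of someone probing the host.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) == 0 or len(raw) % 2:
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def analyze_command_line(cmdline: str) -> dict:
    """Summarise a recorded command line for triage.

    The result names the remote target (if winrs was used), whether an
    encoded PowerShell payload was present, and the decoded script text.
    """
    result = {"remote_target": None, "encoded": False, "script": None}
    target = WINRS_TARGET.search(cmdline)
    if target:
        result["remote_target"] = target.group(1).strip('"')
    payload = ENCODED_SWITCH.search(cmdline)
    if payload:
        result["encoded"] = True
        result["script"] = decode_encoded_command(payload.group(1))
    return result


if __name__ == "__main__":
    summary = analyze_command_line(SAMPLE_COMMAND_LINE)
    print(f"remote target : {summary['remote_target']}")
    print(f"encoded       : {summary['encoded']}")
    print(f"decoded script: {summary['script']}")
```

Run it against a batch of 4688 or Sysmon command-line fields and the decoded script, rather than the opaque base64 blob, becomes the thing to read during triage; the remote_target field lets you confirm the same client-to-DC path that Defender for Identity is alerting on.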
For more information, review Remote code execution attempt (external ID 2019).