PAM - MS Defender quarantined a file being created in the Admin$ share
Article ID: 275896
CA Privileged Access Manager (PAM)
Our Microsoft defender folks are seeing below command being run on windows hosts. They want to know details about this command. Like purpose of this run etc. If you have detail can you share. I am attaching an excel sheet of the windows logs.
‘C:\Windows\System32\cmd.exe cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1697223243.95 2>&1’
Any PAM Version
This file was flagged as questionable from MS Defender
The Windows Remote Target Application will use this temporary file to validate it has access to the Admin$ share. It should be allowed.