PAM - MS Defender quarantined a file being created in the Admin$ share

Article ID: 275896

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Our Microsoft Defender folks are seeing the command below being run on Windows hosts. They want to know details about this command, like the purpose of this run, etc. If you have details, can you share them? I am attaching an Excel sheet of the Windows logs.

C:\Windows\System32\cmd.exe cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1697223243.95 2>&1

Environment

Any PAM Version

Cause

MS Defender flagged this file as questionable.

Resolution

The Windows Remote Target Application uses this temporary file to validate that it has access to the Admin$ share. It should be allowed.
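
Added example (not part of the original article and not PAM product code): a triage check a defender could run over process command lines exported from Defender, so that only the exact access-check shape quoted above is allowed and any variation is sent for investigation. The account allowlist, the function name and the reading of the file name as a Unix epoch timestamp are assumptions; the article does not state them.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the command line quoted in this article.
SAMPLE = r"C:\Windows\System32\cmd.exe cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1697223243.95 2>&1"
# Hypothetical allowlist of accounts PAM uses on Windows targets (assumption).
PAM_ACCOUNTS = {r"CORP\svc-pam-target"}

# cmd.exe /Q /c <command> 1> \\<host>\ADMIN$\__<number> 2>&1
PATTERN = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+(?P<command>.+?)\s+1>\s*"
    r"\\\\(?P<host>[^\\]+)\\ADMIN\$\\__(?P<stamp>\d+(?:\.\d+)?)\s+2>&1",
    re.IGNORECASE,
)

def triage(cmdline, account, pam_accounts=PAM_ACCOUNTS):
    """Classify one process command line as the expected PAM check or not."""
    m = PATTERN.search(cmdline)
    if not m:
        return "no-match", {}
    details = {
        "command": m["command"].strip(),
        "host": m["host"],
        "file": "__" + m["stamp"],
    }
    # Assumption: the numeric file name is a Unix epoch timestamp.
    when = datetime.fromtimestamp(float(m["stamp"]), tz=timezone.utc)
    details["file_time_utc"] = when.isoformat(timespec="seconds")
    reasons = []
    if details["command"] != "cd \\":
        reasons.append("command is not the bare 'cd \\' access check")
    if details["host"] != "127.0.0.1":
        reasons.append("output is not redirected through loopback ADMIN$")
    if account.lower() not in {a.lower() for a in pam_accounts}:
        reasons.append("account is not a known PAM target account")
    details["reasons"] = reasons
    return ("investigate" if reasons else "expected-pam-check"), details

if __name__ == "__main__":
    print(triage(SAMPLE, r"CORP\svc-pam-target"))
```

Comparing file_time_utc with the time of a PAM session or password verification for the same host gives a second confirmation that the event came from PAM.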