Our Security department is asking for information about the following script:
"The two event IDs responsible are event ID 4624 and event ID 4104. While event ID 4624 is a successful logon and can’t be blamed by itself, we think the event ID 4104 generated by running the following script contributed to spikes on both events."
Is it a Configuration Manager script?
What does this script do? I saw the root of CMPivot (7dc6b6f1-e7f6-43c1-96e0-e1d16bc25c14)
Should this script or this folder be excluded from the scan? Per folder? Per process? Other?
The folder c:\windows\ccm is excluded as a folder, but not the processes inside it!!!
FireEye is the anti-virus, etc.
I also checked C:\Windows\ccm\logs\scripts.log and this script does not appear in it!!!