When a username includes a dollar "$" symbol (e.g. a GMSA one), the command for Remote Execution of a pattern step script substitutes a colon ":" for it, which can't be executed, and Windows Defender alerts for Alternate Data Stream (ADS)

Description

When a username includes a dollar "$" symbol (e.g. a GMSA one), the command for Remote Execution of a pattern step script substitutes a colon ":" for it. The resulting command can't be executed, and Windows Defender alerts for Alternate Data Stream (ADS).

Patterns try to run e.g.

    c:\temp\devinstance\discomid\NETDISCO_gmsaSN:ConfirmAzureVM.ps1

instead of

    c:\temp\devinstance\discomid\NETDISCO_gmsaSN$\ConfirmAzureVM.ps1

The full command logged will look something like:

    cmd /c "chcp 65001 & powershell.exe -ExecutionPolicy Bypass c:\temp\devinstance\discomid\NETDISCO_gmsaSN:ConfirmAzureVM.ps1 > \\127.0.0.1\c$\temp\devinstance\discomid\NETDISCO_gmsaSN$\psscript_output_6e981b66-a77c-4ad2-bc86-26c9c77d5045.txt 2>&1"

The line of code doing the substitution is only supposed to turn \\target\c$ into c:\, but the folder path also includes the instance name, MID Server name, and MID Server service username. The username may itself include a dollar, which is valid in a username and is usual when a Group Managed Service Account user is used.

This has been seen with the "Windows OS - Servers" pattern, in several steps: Retrieve EC2 Details - getEC2Detailsv3.ps1, Put script checking if this server is running on Azure / Run the script - ConfirmAzureVM.ps1, and Utah is adding a 3rd one, getEC2DetailsWithIPv6.ps1.

On the "MSSQL DB on Windows" pattern, step "Put CPU util step", the put file operation also runs its script in the same way.

In addition to not working, this can lead to Windows Defender alerting for "Process execution from an alternate data stream (ADS)", because the command we try to run resembles the syntax for specifying the ADS of a file or folder, which does use colons. This is a false alert.
ADS is not being used.

Steps to Reproduce

1/ Install a MID Server, running as a service user that has a dollar as part of the username, e.g. a GMSA user.
2/ Discover a Windows server.
3/ You will see the "Windows OS - Servers" pattern run, and the MID Server agent log with mid.log.level=true will show the bad path we generate, e.g.

    2023-01-18 13:59:01 Tmp dir is c:\temp\devinstance\discomid\NETDISCO_gmsaSN:

leading to errors like:

    2023-01-18T13:59:36.956+0100 DEBUG (Worker-Interactive:HorizontalDiscoveryProbe-5295461c1b64e1904cbe7885464bcbc9) [APowerShellProvider:587] (72)APowerShellProvider - Command result:
    c:\temp\devinstance\discomid\NETDISCO_gmsaSN:ConfirmAzureVM.ps1 : The term 'c:\temp\devinstance\discomid\NETDISCO_gmsaSN:ConfirmAzureVM.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:1
    + c:\temp\devinstance\discomid\NETDISCO_gmsaSN:ConfirmAzureVM.ps1
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : ObjectNotFound: (c:\temp\devinstance\disco...firmAzureVM.ps1:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

Meanwhile Windows Defender for Endpoints may alert for: "Process execution from an alternate data stream (ADS)"

Workaround

This problem is currently under review and targeted to be fixed in a future release. Subscribe to this Known Error article to receive notifications when more information is available.
Make the following change in the WMIFileOperations.psm1 MID Server Script File [ecc_agent_script_file], as part of an update set, and remember to revert it to the out-of-box version once the official fix for this problem is applied by upgrading:

    function uncPathToLocalPath {
        param([string] $uncPath)
        # Strip the leading \\host\ prefix
        $uncPath = $uncPath -replace '\\\\.*?\\', '';
        # Replaces every "$" with ":", including one in the username
        $uncPath = $uncPath.Replace('$', ':');
        return $uncPath;
    }

to

    function uncPathToLocalPath {
        param([string] $uncPath)
        # Strip the leading \\host\ prefix
        $uncPath = $uncPath -replace '\\\\.*?\\', '';
        # Replace only the first "$" (the drive share, e.g. c$) with ":"
        $uncPath = $uncPath -replace '(.*?)\$(.*)', '$1:$2';
        return $uncPath;
    }

Related Problem: PRB1476595
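
The difference between the two versions of uncPathToLocalPath in the Workaround can be checked before the update set is applied. The script below is an added example, not code from the MID Server or from this article's author. The function names ConvertTo-LocalPathOld, ConvertTo-LocalPathFixed and Test-AdsLikePath are hypothetical, and the sample UNC paths are constructed from the values shown in the Description.

```powershell
# Added example: compares the out-of-box and workaround conversions and flags
# results whose extra colon resembles alternate data stream (ADS) syntax.

function ConvertTo-LocalPathOld {
    # Out-of-box logic as quoted in the Workaround section
    param([string] $UncPath)
    $p = $UncPath -replace '\\\\.*?\\', ''    # strip leading \\host\
    return $p.Replace('$', ':')               # replaces EVERY "$"
}

function ConvertTo-LocalPathFixed {
    # Workaround logic as quoted in the Workaround section
    param([string] $UncPath)
    $p = $UncPath -replace '\\\\.*?\\', ''    # strip leading \\host\
    return $p -replace '(.*?)\$(.*)', '$1:$2' # replaces only the first "$"
}

function Test-AdsLikePath {
    # Hypothetical helper: true when a colon appears after the drive-letter colon
    param([string] $LocalPath)
    return $LocalPath -match '^[A-Za-z]:.*:'
}

# Constructed sample inputs: one GMSA-style username ending in "$", one without
$samples = @(
    '\\127.0.0.1\c$\temp\devinstance\discomid\NETDISCO_gmsaSN$\ConfirmAzureVM.ps1',
    '\\127.0.0.1\c$\temp\devinstance\discomid\NETDISCO_svc\ConfirmAzureVM.ps1'
)

$results = $samples | ForEach-Object {
    $old   = ConvertTo-LocalPathOld   $_
    $fixed = ConvertTo-LocalPathFixed $_
    [pscustomobject]@{
        Input        = $_
        Old          = $old
        OldAdsLike   = (Test-AdsLikePath $old)
        Fixed        = $fixed
        FixedAdsLike = (Test-AdsLikePath $fixed)
    }
}
$results | Format-List

# Fail loudly if the workaround logic still yields a second colon
if ($results | Where-Object { $_.FixedAdsLike }) {
    throw 'Fixed conversion still produces an ADS-like path'
}
```

Only the first sample should report OldAdsLike as True. FixedAdsLike should be False for both, with the "$" in the username preserved.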