with Windows Defender ATP on a windows 2019 server that is configured / managed by Foreman with Puppet, we are seeing the :\ProgramData\PuppetLabs\puppet\cache\lib\templates\init.ps1 start and create a file.
powershell created file v0atdwrm.dll
then a message that
AutoKMS Hacktool was prevented
AutoKMS malware was prevented on IIS Web Server
My question… is the creation of this DLL v0atdwrm.dll normal for this process?
Also does this happen each time puppet agent communicates back to foreman?
thanks in advance