Potential extraction of NAA Account Credentials in Microsoft Configuration Manager

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2026-06-15
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

3 Hours

Deduplication Period

1 Day

Required Data

  • Requires:
    • Azure Audit Log
  • Requires:
    • AzureAD
  • Requires:
    • AzureAD Audit Log
  • Requires:
    • Microsoft Graph Logs
  • Requires:
    • Office 365 Audit
  • Requires:
    • Okta
  • Requires:
    • Okta Audit Log
  • Requires one of the following data sources:
    • Palo Alto Networks Firewall EAL Logs
      OR
    • Palo Alto Networks Firewall Threat Logs
  • Requires one of the following data sources:
    • Palo Alto Networks Global Protect
      OR
    • Third-Party VPNs
  • Requires:
    • XDR Agent
  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Analytics

Detector Tags

Microsoft SCCM Analytics

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account.

Attacker's Goals

An attacker may extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment to access resources and move laterally within the network.

Investigative actions

  • Verify the activity with the performing user.
  • Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts.
  • Look for unusual logins using the Network Access Account (NAA) on systems or at times that deviate from normal patterns.
  • Look for signs of credential extraction, such as tools or scripts.

Variations

Suspicious extraction of NAA Account Credentials in Microsoft Configuration Manager

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

Possible user attempt to deobfuscate Network Access Account (NAA) credentials in Microsoft Configuration Manager. This may indicate a compromised account.

Attacker's Goals

An attacker may extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment to access resources and move laterally within the network.

Investigative actions

  • Verify the activity with the performing user.
  • Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts.
  • Look for unusual logins using the Network Access Account (NAA) on systems or at times that deviate from normal patterns.
  • Look for signs of credential extraction, such as tools or scripts.