Synopsis

| Field | Value |
| --- | --- |
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 30 Minutes |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | Microsoft SCCM Analytics |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A user generated suspicious file activity within the SCCMContentLib shared folder, which is considered a high-value target for attackers.
Attacker's Goals
Attackers aim to exploit misconfigurations in Microsoft Configuration Manager to access sensitive data, such as credentials and certificates, stored within the SCCMContentLib. This access can facilitate lateral movement and further compromise within the network.
Investigative actions
- Verify the activity with the performing user.
- Check if SCCM admin credentials were accessed or exfiltrated.
- Review SCCM logs to identify unauthorized queries or modifications.
- Investigate recent access to the extracted files and their contents.
- Check other security logs (e.g., Windows Event Logs, SIEM alerts) for suspicious behavior.
- Identify the originating system and assess if it has been compromised.
- Monitor for any further lateral movement or privilege escalation attempts.
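The two log-review steps above (SCCM logs and Windows Event Logs) can be scripted during triage. The following is an added example, not part of this detector or the vendor's analytics logic. It runs over constructed records modelled on the fields of Windows Security Event ID 5145 (network share object access) and groups SCCMContentLib accesses per user inside a sliding window; the 30-minute window and the three-distinct-files threshold are assumptions chosen for illustration, not the product's scoring rules.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security Event ID 5145
# fields (SubjectUserName, IpAddress, ShareName, RelativeTargetName).
# These values are made up for the example and are not real log data.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:10", "user": "j.doe", "src_ip": "10.0.0.15",
     "share": "\\\\*\\SCCMContentLib$", "target": "DataLib\\Content_A1.1\\settings.xml"},
    {"time": "2024-05-01T09:02:40", "user": "j.doe", "src_ip": "10.0.0.15",
     "share": "\\\\*\\SCCMContentLib$", "target": "DataLib\\Content_A1.1\\deploy.ps1"},
    {"time": "2024-05-01T09:05:05", "user": "j.doe", "src_ip": "10.0.0.15",
     "share": "\\\\*\\SCCMContentLib$", "target": "FileLib\\0A1B\\0A1B2C3D.INI"},
    # Same file touched again: counts as one distinct object, two events.
    {"time": "2024-05-01T09:06:30", "user": "j.doe", "src_ip": "10.0.0.15",
     "share": "\\\\*\\SCCMContentLib$", "target": "FileLib\\0A1B\\0A1B2C3D.INI"},
    # A single access by a service account: below the example threshold.
    {"time": "2024-05-01T11:30:00", "user": "svc-sccm", "src_ip": "10.0.0.5",
     "share": "\\\\*\\SCCMContentLib$", "target": "PkgLib\\PKG00001.INI"},
    # Unrelated share: ignored entirely.
    {"time": "2024-05-01T12:00:00", "user": "a.smith", "src_ip": "10.0.0.22",
     "share": "\\\\*\\Public", "target": "Reports\\q1.xlsx"},
]

SHARE_OF_INTEREST = "sccmcontentlib"  # matched case-insensitively


def parse_time(value):
    """Parse the ISO-like timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def is_contentlib_event(event):
    """True when the share name or relative path refers to SCCMContentLib."""
    haystack = (event.get("share", "") + "\\" + event.get("target", "")).lower()
    return SHARE_OF_INTEREST in haystack


def flag_contentlib_access(events, window=timedelta(minutes=30), min_distinct_files=3):
    """Report users who touched at least `min_distinct_files` distinct
    SCCMContentLib objects within any `window`-long span.

    Returns a dict keyed by user with the peak distinct-file count, total
    event count, first-seen time and the source IPs involved. The window
    and threshold defaults are assumptions for this example only.
    """
    per_user = defaultdict(list)
    for ev in events:
        if is_contentlib_event(ev):
            per_user[ev["user"]].append(
                (parse_time(ev["time"]), ev["target"].lower(), ev["src_ip"])
            )

    findings = {}
    for user, rows in per_user.items():
        rows.sort()  # chronological; tuples sort by time first
        peak = 0
        for i, (t0, _, _) in enumerate(rows):
            # Distinct objects accessed from this event forward, within the window.
            files_in_window = {tgt for t, tgt, _ in rows[i:] if t - t0 <= window}
            peak = max(peak, len(files_in_window))
        if peak >= min_distinct_files:
            findings[user] = {
                "distinct_files_in_window": peak,
                "total_events": len(rows),
                "first_seen": rows[0][0].isoformat(),
                "src_ips": sorted({ip for _, _, ip in rows}),
            }
    return findings


if __name__ == "__main__":
    for user, detail in flag_contentlib_access(SAMPLE_EVENTS).items():
        print(user, detail)
```

The output for the constructed input names only `j.doe`, with three distinct objects in the window, four events in total and one source IP; the service account and the unrelated share are not reported. In a real investigation the same grouping applied to exported 5145 events gives the "originating system" and "recent access to the extracted files" items of the checklist directly, and the threshold should be tuned against the site's normal distribution-point traffic.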