Synopsis

| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 1 Hour |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | Microsoft SCCM Analytics |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |

Description
A user registered a device and requested a Microsoft Configuration Manager policy.
Attacker's Goals
An attacker aims to extract plaintext credentials of the Network Access Account (NAA) from an SCCM environment, enabling unauthorized access to resources and lateral movement within the network.
Investigative actions
- Verify the activity with the performing user.
- Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts.
- Look for unusual logins using the Network Access Account (NAA) on systems or at times that deviate from normal patterns.
- Look for signs of credential extraction, such as tools or scripts.
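
One way to carry out the NAA login review above, as an added example that is not part of the original page or the product's own detector logic. The account name, record layout, and sample records are constructed assumptions; logon types use the Windows Security event 4624 values.

```python
from collections import Counter
from datetime import datetime

NAA = "svc-sccm-naa"  # hypothetical NAA account name (assumption)

# Constructed records: "timestamp account computer logon_type", where computer
# is the system that recorded the logon (4624 types: 3 = network, 10 = RDP).
HISTORY = [  # baseline window, e.g. exported from the training period
    "2024-05-01T09:12:00 svc-sccm-naa DP01 3",
    "2024-05-02T10:40:00 svc-sccm-naa DP01 3",
    "2024-05-03T14:05:00 svc-sccm-naa DP02 3",
    "2024-05-03T14:06:00 alice WS17 2",
]
RECENT = [  # window under investigation
    "2024-06-01T09:30:00 svc-sccm-naa DP01 3",   # matches the baseline
    "2024-06-01T03:17:00 svc-sccm-naa WS44 3",   # new system, unusual hour
    "2024-06-01T10:02:00 svc-sccm-naa DP02 10",  # interactive use of the NAA
    "2024-06-01T03:20:00 alice WS17 2",          # other account, ignored
]

def parse(line):
    """Split one record into typed fields."""
    ts, user, host, ltype = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user.lower(),
            "host": host.lower(), "logon_type": int(ltype)}

def build_baseline(events, account):
    """Count the systems and hours of day where the account normally logs on."""
    hosts, hours = Counter(), Counter()
    for e in (e for e in events if e["user"] == account):
        hosts[e["host"]] += 1
        hours[e["time"].hour] += 1
    return hosts, hours

def unusual_logons(events, account, baseline):
    """Return (event, reasons) for logons that deviate from the baseline."""
    hosts, hours = baseline
    findings = []
    for e in (e for e in events if e["user"] == account):
        reasons = []
        if e["host"] not in hosts:
            reasons.append("new system")
        if e["time"].hour not in hours:
            reasons.append("unusual hour")
        if e["logon_type"] in (2, 10):  # the NAA is only needed for network access
            reasons.append("interactive logon")
        if reasons:
            findings.append((e, reasons))
    return findings
```

Each finding is a lead to check against the other investigative actions, not a verdict; a short baseline will flag legitimate but infrequent activity.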