Suspicious access of the System Management Container

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2025-06-24
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Windows Event Collector
      OR
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Threat Module

Detector Tags

Microsoft SCCM Analytics

ATT&CK Tactic

Reconnaissance (TA0043)

ATT&CK Technique

Gather Victim Network Information (T1590)

Severity

Low

Description

A user accessed the System Management container, which may be an indication of a reconnaissance for site servers.

Attacker's Goals

An attacker is attempting to enumerate Microsoft Configuration Manager and identify accessible site servers.

Investigative actions

  • Look for the suspicious LDAP query that may trigger this event.
  • Check if the process executes LDAP search queries as part of its normal behavior.
  • Investigate any other potentially suspicious behavior from the compromised user.
  • Looking for suspicious activity or logins to the Microsoft Configuration Manager site server.