Unusual CIM repository file access

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2025-06-10
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

Microsoft SCCM Analytics

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Low

Description

An uncommon process accessed the CIM repository file, potentially to retrieve stored NNA credentials for unauthorized use.

Attacker's Goals

  • Attackers can retrieve plaintext domain credentials, which may be used for proxying tools into the environment over command and control (C2).
  • If the credentials are overprivileged, this technique may enable lateral movement to other clients or sensitive systems.
  • Determine whether this was a legitimate action.

Investigative actions

  • Follow process, user, and host activities.
  • Investigate if the retrieved credentials match any known accounts or if there is any abnormal access to distribution points or other critical resources.
  • Verify the presence of unauthorized tools or processes like SharpDPAPI or SharpSCCM that could have been used for credential extraction or decryption.
  • Review relevant system logs (event logs, SCCM logs, etc.) for any signs of unusual activity or access patterns related to the NAA or other credentials.

Variations

Suspicious CIM repository file access

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Medium

Description

An unusual process with suspicious characteristics accessed the CIM repository file, causing this attempt to be flagged as suspicious.

Attacker's Goals

  • Attackers can retrieve plaintext domain credentials, which may be used for proxying tools into the environment over command and control (C2).
  • If the credentials are overprivileged, this technique may enable lateral movement to other clients or sensitive systems.
  • Determine whether this was a legitimate action.

Investigative actions

  • Follow process, user, and host activities.
  • Investigate if the retrieved credentials match any known accounts or if there is any abnormal access to distribution points or other critical resources.
  • Verify the presence of unauthorized tools or processes like SharpDPAPI or SharpSCCM that could have been used for credential extraction or decryption.
  • Review relevant system logs (event logs, SCCM logs, etc.) for any signs of unusual activity or access patterns related to the NAA or other credentials.