User added to the SMS Admins local group

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-06-24

Activation Period	14 Days
Training Period	30 Days
Test Period	3 Hours
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: Windows Event Collector OR XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules	Identity Analytics
Detector Tags	Microsoft SCCM Analytics
ATT&CK Tactic	Persistence (TA0003) Privilege Escalation (TA0004)
ATT&CK Technique	Account Manipulation (T1098) Valid Accounts (T1078)
Severity	Low

A user was added to the SMS Admins local group. This may indicate a potential attack targeting the Microsoft Configuration Manager infrastructure.

Gain administrative control over Microsoft Configuration Manager to facilitate lateral movement, deploy malicious payloads, or exfiltrate data.

Verify the activity with the performing user.
Confirm that the group addition was not accidental.
Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts.
Investigate the user's activity before and after the addition to determine if any unauthorized actions or privilege escalation attempts occurred.

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

A user was added to the SMS Admins group and removed within a short period of time, which may be a sign of compromise.

Gain administrative control over Microsoft Configuration Manager to facilitate lateral movement, deploy malicious payloads, or exfiltrate data.

Verify the activity with the performing user.
Confirm that the group addition was not accidental.
Review related logs (e.g., Active Directory, SCCM logs) to identify the source of the modification and associated accounts.
Investigate the user's activity before and after the addition to determine if any unauthorized actions or privilege escalation attempts occurred.