Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0006 ✕ technique: T1047 ✕
Show ATT&CK heatmapPotential SCCM credential harvesting using WMI detected Low 3 variations
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)ATT&CK techniques: Windows Management Instrumentation (T1047) Unsecured Credentials (T1552)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Microsoft SCCM AnalyticsAttacker's goals: Obtain credentials used by the SCCM service.Investigative actions: Examine the process that executed the WMI query and the CGO and verify that the processes are from a trusted source. Inspect the system for malicious activity that is related to that process.Variations
Potential SCCM credential harvesting using WMI detected from a remote machine
Medium overridden
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden
Potential SCCM inventory query using WMI detected
Low overridden
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden
Potential Enumeration of SCCM User, Device, and Deployment Data via WMI
Low overridden
Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden