AN0623: Analytic 0623
Detects SCCM, Intune, or remote push execution spawning scripts or binaries from SYSTEM context or unusual consoles (e.g., cmtrace.exe launching PowerShell or cmd.exe).
Analyst context for executives and security teams
This analytic matters because software management tooling such as SCCM, Intune, and remote push mechanisms often has broad administrative reach across Windows endpoints. If those trusted channels spawn scripts or binaries from SYSTEM context, or from unusual consoles such as cmtrace.exe launching PowerShell or cmd.exe, the event can represent a high-consequence execution path that may bypass normal user-focused monitoring assumptions.
Executive priority
Prioritize this as a validation point for endpoint management governance and SOC readiness. Leaders should ask whether administrative deployment tools are monitored with the same rigor as interactive administrator activity, whether SYSTEM-context execution is explainable, and whether incident responders can quickly distinguish approved software operations from suspicious script or binary launch patterns. This also supports audit and compliance evidence around privileged operations on Windows endpoints.
Technical view
For Windows environments, validate monitoring for process creation where SCCM, Intune, or remote push execution chains launch scripts, command shells, PowerShell, or other binaries under SYSTEM context. Pay particular attention to unusual parent-child relationships, including examples like cmtrace.exe spawning PowerShell or cmd.exe. Because no ATT&CK detection logic is supplied, teams should build and tune locally using known management baselines, approved deployment windows, parent process lineage, account context, command-line arguments, and endpoint management activity records.
Likely telemetry
- Windows process creation events with parent/child process relationships
- Command-line arguments for PowerShell, cmd.exe, scripts, and launched binaries
- User and integrity/context data, especially SYSTEM execution
- Endpoint management activity logs from SCCM, Intune, or remote push tooling
- Host inventory and software deployment/change records
Detection direction
- Baseline legitimate SCCM, Intune, and remote push execution behavior before alerting broadly.
- Alert on unusual management-tool parent processes spawning shells, scripts, or binaries from SYSTEM context.
- Correlate process events with approved software deployment tickets, maintenance windows, and endpoint management logs to reduce false positives.
- Review parent-child chains involving uncommon consoles, including cmtrace.exe launching PowerShell or cmd.exe.
- Tune separately for administrative servers, helpdesk workflows, and standard endpoints because normal management activity may differ substantially.
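As an added illustration of the detection direction above (this is example code written for this page, not part of the ATT&CK object or Glexia's analysis), the Python sketch below evaluates constructed process-creation records against the criteria the text names: a management-tool parent, a shell or script child, SYSTEM context, an unusual console such as cmtrace.exe, and correlation with an approved deployment record. The parent-process names beyond cmtrace.exe, the sample events, and the scoring weights are assumptions for illustration and should be replaced with the local management baseline.

```python
"""Example triage logic for management-tool execution chains (constructed)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Parents associated with SCCM / Intune / remote-push execution. Only cmtrace.exe is
# named on the page; the other entries are assumptions to be tuned locally.
DEPLOYMENT_ENGINES = {
    "ccmexec.exe",                     # assumed: SCCM client agent
    "intunemanagementextension.exe",   # assumed: Intune Management Extension
    "psexesvc.exe",                    # assumed: remote push service binary
}
UNUSUAL_CONSOLES = {"cmtrace.exe"}     # log viewer; not expected to launch shells
MANAGEMENT_PARENTS = DEPLOYMENT_ENGINES | UNUSUAL_CONSOLES

SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SCRIPT_PATTERN = re.compile(r"\.(ps1|bat|cmd|vbs|js)\b")  # script file in command line
SYSTEM_ACCOUNTS = {"nt authority\\system", "system", "s-1-5-18"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (fields as a SOC would pull from EDR/Sysmon)."""
    parent_image: str
    image: str
    command_line: str
    user: str
    approved_deployment: bool = False  # correlated with a change ticket / maintenance window


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system(user: str) -> bool:
    return user.lower() in SYSTEM_ACCOUNTS


def evaluate(evt: ProcessEvent) -> Optional[Dict]:
    """Return an alert dict for a suspicious management-tool chain, else None."""
    parent = basename(evt.parent_image)
    child = basename(evt.image)
    if parent not in MANAGEMENT_PARENTS:
        return None
    cmd = evt.command_line.lower()
    launches_shell = child in SHELL_CHILDREN
    launches_script = SCRIPT_PATTERN.search(cmd) is not None
    if not (launches_shell or launches_script):
        return None

    score = 1
    reasons = [f"management-tool parent {parent} launched {child}"]
    if is_system(evt.user):
        score += 1
        reasons.append("executed in SYSTEM context")
    if parent in UNUSUAL_CONSOLES:
        score += 2
        reasons.append("unusual console parent rather than a deployment engine")
    if evt.approved_deployment:
        score -= 2  # explained by change control; keep for audit, lower priority
        reasons.append("matches an approved deployment record")

    severity = "low" if score <= 1 else ("medium" if score == 2 else "high")
    return {"severity": severity, "score": score, "parent": parent,
            "child": child, "user": evt.user, "reasons": reasons}


def triage(events: List[ProcessEvent]) -> List[Dict]:
    """Evaluate a batch and return alerts ordered by descending score."""
    alerts = [a for a in (evaluate(e) for e in events) if a is not None]
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\CCM\CcmExec.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\ccmcache\a1\install.ps1",
                 r"NT AUTHORITY\SYSTEM", approved_deployment=True),
    ProcessEvent(r"C:\Tools\CMTrace.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami", r"CORP\helpdesk1"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe", r"CORP\alice"),
    ProcessEvent(r"C:\Program Files (x86)\Microsoft Intune Management Extension\IntuneManagementExtension.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Date", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\CCM\CcmExec.exe", r"C:\Tools\CMTrace.exe",
                 "cmtrace.exe", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["parent"], "->", alert["child"], "|", "; ".join(alert["reasons"]))
```

The approved-deployment correlation is what keeps routine SCCM or Intune script runs at low priority while still leaving a record; tuning per host class (administrative servers, helpdesk workstations, standard endpoints) would be done by maintaining separate `DEPLOYMENT_ENGINES` baselines and weights rather than a single global set.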
Mitigation priorities
- Ensure endpoint management platforms and remote push tools are governed as privileged administration paths.
- Limit administrative rights and deployment permissions to required personnel and workflows.
- Require change control or approval evidence for broad software/script deployment activity.
- Harden and monitor Windows endpoints for suspicious SYSTEM-context script and shell execution.
- Retain sufficient endpoint and management-platform logs to support SOC triage and incident response reconstruction.
Analyst notes and limits
This object is a detection analytic for Windows focused on SCCM, Intune, or remote push execution spawning scripts or binaries from SYSTEM context or unusual consoles. No tactics, related techniques, relationships, or detailed detection procedure were supplied, so the practical value is in validating local telemetry and baselining trusted management-tool behavior.
The official detection field is not provided and no relationship context is supplied. This take does not infer adversary use, active exploitation, specific ATT&CK tactics, or guaranteed detection coverage. Local deployment architecture, logging configuration, and approved administrative workflows are required to make this analytic operational.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b0ae2790d7da… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0623
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.