AD-SCCM-NAACredential Access

SCCM Network Access Account Disclosure

Recover NAA credentials from the WMI policy class or client logs — often privileged.

§ Where this technique fits

AD-SCCM-NAA is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

SCCM Network Access Account disclosure → privileged creds
Any authenticated user on a SCCM-managed endpoint can recover the Network Access Account credentials from WMI / client cache — and the NAA is usually over-privileged.
step 3 / 5

§ What commonly comes next

01
Valid Accounts
T1078 · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

SCCM Network Access Account disclosure → privileged creds

§ What commonly comes next