Deployment - SCCM
SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation.
SCCM Application Deployment
- PowerShellMafia/PowerSCCM - PowerShell module to interact with SCCM deployments
- Using SharpSCCM:
  - Compromise client, use locate to find management server
  - Enumerate over WMI as an administrator of the Distribution Point
  - Compromise management server, use locate to find primary server
  - Use `inspect` on primary server to view who you can target
  - Create a new device group for the machines you want to laterally move to
  - Add your targets into the new group
  - Create an application pointing to a malicious EXE on a world readable share: `SCCMContentLib$`
  - Deploy the application to the target group
  - Force the target group to check in for updates
  - Cleanup the application, deployment and group
SCCM Shares
Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
SCCM Configuration Manager
CRED-1 Retrieve credentials via PXE boot media
Requirements:
- On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\PxeInstalled` = 1
- On the SCCM Distribution Point: `HKLM\Software\Microsoft\SMS\DP\IsPxe` = 1
- PXE-enabled distribution point
Exploitation:
CRED-2 Request a policy containing credentials
Requirements:
- PKI certificates are not required for client authentication
- Domain accounts credential
Exploitation:
Create a machine or compromise an existing one, then request policies such as NAAConfig
CRED-3 Extract currently deployed credentials stored as DPAPI blobs
Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.
Requirements:
- Local administrator privileges on an SCCM client
Exploitation:
- Find SCCM blob
- Using GhostPack/SharpDPAPI
- Using Mayyhem/SharpSCCM for SCCM retrieval and decryption, from a remote machine
CRED-4 Extract legacy credentials stored as DPAPI blobs
Requirements:
- Local administrator privileges on an SCCM client
Exploitation:
- Search the database using `SharpDPAPI`
- Search the database using `SharpSCCM`
- Check ACL for the CIM repository located at `C:\Windows\System32\wbem\Repository\OBJECTS.DATA`
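The CRED-1 and CRED-4 preconditions above can be audited from the defender's side. The following PowerShell script is an added example (not part of the original page or of any of the tools it lists): it reads the two `HKLM\Software\Microsoft\SMS\DP` values the page names and reports any non-administrative principal granted access on `OBJECTS.DATA`. The list of "expected" privileged identities is an assumption and should be adjusted to the environment.

```powershell
# Added audit example: run as an administrator on the SCCM server or client being reviewed.
$findings = @()

# CRED-1 precondition: PXE-enabled Distribution Point (registry values named on the page)
$dpKey = 'HKLM:\Software\Microsoft\SMS\DP'
if (Test-Path $dpKey) {
    $dp = Get-ItemProperty -Path $dpKey
    foreach ($name in 'PxeInstalled', 'IsPxe') {
        if ($dp.$name -eq 1) {
            $findings += "PXE: $dpKey\$name = 1 - this DP serves PXE boot media; review the secrets embedded in boot media and task sequences"
        }
    }
} else {
    Write-Verbose "No $dpKey key found: this host is not a Distribution Point"
}

# CRED-4 precondition: who can read the CIM repository that may hold legacy SCCM DPAPI blobs
$repo = 'C:\Windows\System32\wbem\Repository\OBJECTS.DATA'
if (Test-Path $repo) {
    # Assumed baseline of principals expected to hold access; tune per environment.
    $privileged = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    $acl = Get-Acl -Path $repo
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $privileged -notcontains $id) {
            $findings += "ACL: $id has '$($ace.FileSystemRights)' on OBJECTS.DATA - non-admin access exposes cached secrets"
        }
    }
} else {
    Write-Verbose "CIM repository not found at $repo"
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```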
CRED-5 Extract the SC_UserAccount table from the site database
Requirements:
- Site database access
- Primary site server access
- Access to the private key used for encryption
Exploitation:
- gentilkiwi/mimikatz
- skahwah/SQLRecon, only if the site server and database are hosted on the same system
- SQLRecon + xpn/sccmdecryptpoc.cs
SCCM Persistence
- mandiant/CcmPwn - lateral movement script that leverages the CcmExec service to remotely hijack user sessions. CcmExec is a service native to SCCM Windows clients that is executed on every interactive session. This technique requires Administrator privileges on the targeted machine.
- Backdoor the `SCNotification.exe.config` to load your DLL
- Malicious config to force `SCNotification.exe` to load a file from an attacker-controlled file share