Diese Präsentation wurde erfolgreich gemeldet.
Die SlideShare-Präsentation wird heruntergeladen. ×

Up is Down, Black is White: Using SCCM for Wrong and Right

Wird geladen in …3

Hier ansehen

1 von 52 Anzeige

Weitere Verwandte Inhalte

Diashows für Sie (20)

Andere mochten auch (20)


Ähnlich wie Up is Down, Black is White: Using SCCM for Wrong and Right (20)

Aktuellste (20)


Up is Down, Black is White: Using SCCM for Wrong and Right

  1. 1. Up is Down, Black is White: Using SCCM for Wrong and Right Matt Nelson, Will Schroeder Veris Group’s Adaptive Threat Division
  2. 2. @enigma0x3 ❖ Penetration Tester and Red Teamer for the Adaptive Threat Division (ATD) of Veris Group ❖ Active developer on the PowerShell Empire project ❖ Offensive PowerShell advocate ❖ Sysadmin while in college ❖ Cons: Shmoocon (Firetalks), BSides DC
  3. 3. @harmj0y ❖ Security researcher and red teamer for the Adaptive Threat Division of Veris Group ❖ Co-founder and active developer of the Veil- Framework | PowerTools | Empire ❖ PowerSploit developer ❖ Microsoft CDM/PowerShell MVP ❖ Cons: Shmoocon, DEF CON, DerbyCon, various BSides (including BSides Boston!)
  4. 4. tl;dr ● Background ○ Red Teaming vs. Pentesting ○ Hunting vs. Incident Response ○ Basics of SCCM ○ SCCM in the enterprise ● Using and Abusing SCCM ○ SCCM as an attack platform ○ Introducing PowerSCCM ○ Using PowerSCCM for Evil ○ Using PowerSCCM for Good ○ Demo
  5. 5. Background Pentesting vs Red Teaming Hunting vs Incident Response
  6. 6. Pentesting ● Pentesting doesn’t have a universal definition ● Could be: ○ A single person running a (slightly) glorified vuln scan ○ A few testers for 1-2 weeks ○ A multi-week assault with a large team ● We view pentesting as focused on breadth- find as many holes as possible and see how far you can get in a limited timeframe with open source tools
  7. 7. Our View of Red Teaming ● We view a red team engagement as an opportunity to test an organization’s incident response capabilities ○ We don’t remove logs ○ Ideally, parts of the engagement are ‘caught’ and others aren’t ○ We want to find a client’s ‘noise’ threshold ● General idea: simulate a reasonably “advanced” generic attacker, not a specific adversary
  8. 8. Incident Response ● “Five alarm fire” concept ● Kicked off by: ○ Network monitoring alerts ○ Third party service notification ○ Public breach/disclosure ● Reactive, by the time you notice something went wrong it’s often too late
  9. 9. Hunting ● US Department of Defense concept ● The blue version of the “assume breach” mentality ● Detection, Investigation, Response ○ Deny, Degrade, Disrupt, Manipulate ● Much more proactive ○ Assume you’re owned, search for evidence of compromise
  10. 10. “Fundamentally, if somebody wants to get in, they're getting in...Accept that...What we tell clients is: Number one, you're in the fight, whether you thought you were or not. Number two, you're almost certainly penetrated.” Assume Breach Michael Hayden Former Director of CIA & NSA
  11. 11. SCCM Microsoft’s System Center Configuration Manager
  12. 12. What is SCCM? ● “System Center Configuration Manager” ○ Platform for distributing packages to clients ○ Packages, applications and install scripts are hosted on the SCCM server itself ● Setup and maintained via an agent/server architecture ● Essentially acts as internal RAT/C2 ○ Agents check in to server periodically to obtain new packages/applications
  13. 13. SCCM in the Enterprise ● One central site server with multiple distribution points ● Often setup/configured using a service account to run the application/push updates ● Application contents (*cough, cough install scripts and notes*) are hosted on a publicly available share ● Admins gonna admin
  14. 14. SQL vs. WMI for SCCM Management ● SCCM uses a combination of SQL and WMI to store lots of client information ○ Some of this can be viewed directly through the Configuration Manager interface, some can’t ● Bypassing the SCCM frontend and going straight for the backend can be tricky ○ Determining which method (SQL/WMI) to retrieve information or update information can also be a challenge as both have their advantages and disadvantages
  15. 15. SQL ● SCCM utilizes a ‘normal’ SQL Server 2012 backend ○ Great for information retrieval (useful for Hunt) ○ Finicky for data modification ( for Red Teaming) ● Using SQL for pulling information from SCCM requires in-depth knowledge of the backend database ○ SCCM pulls from multiple locations for one requested piece of information
  16. 16. SQL Schema
  17. 17. SQL Schema ● v_GS_SERVICE – currently installed services ● v_HS_SERVICE – historical information on installed services ● v_GS_AUTOSTART_SOFTWARE – information about programs in a few auto start locations (note that this is not as complete as something like Autoruns) ● v_GS_PROCESS – information on currently running processes ● v_HS_PROCESS – historical information on running processes ● v_GS_CCM_RECENTLY_USED_APPS – information on recently used applications ● v_GS_SYSTEM_DRIVER – details on drivers currently installed ● v_GS_SYSTEM_CONSOLE_USER – information on console usage, complete with user information ● v_GS_SoftwareFile – details on inventoried files (more on this in ‘Tuning SCCM for Defense’ below) ● v_GS_BROWSER_HELPER_OBJECT – information on installed browser helper objects ● vMDMUsersPrimaryMachines – details on primary user -> machine mappings
  18. 18. WMI ● SCCM’s WMI can be queried/updated using WMI Query Language (WQL) or PowerShell’s Get-WMIObject wrapper ○ Much easier for modification (instead of querying), so WMI tends to be better for red teaming ● WMI allows us to customize properties to fit SCCM’s requirements ○ For example, SCCM Applications require XML that defines the properties of the application (hidden, rights to run as, etc).
  19. 19. WMI Schema
  20. 20. Listing all Applications: WMI vs SQL ● WMI: ○ SELECT * FROM SMS_Application ● SQL:
  21. 21. PowerSCCM Our PowerShell SCCM Toolkit
  22. 22. ● Encountered SCCM multiple times throughout many engagements but often ignored it due to our unfamiliarity ● Not a lot of public information on abusing it for malicious purposes and the process to actually abuse it was often tedious and manual ○ David Kennedy and Dave DeSimone gave a nice presentation on using SCCM at Defcon 20 (Owning One to Rule Them All) Background/Motivations
  23. 23. Basic Usage ● Find-LocalSccmInfo: find the SCCM server/site code for a local machine ● New-SCCMSession: initiates a new session to the SCCM site server ○ Takes server name/site code/connection type ● Get-SccmSession: returns established sessions, pipeable to other functions ○ e.g. : Get-SccmSession | Get-SCCMApplication ● Remove-SccmSession: kill a SCCM session
  24. 24. Session Model
  25. 25. Session Model
  26. 26. SCCM as an Attack Platform Using Admins’ Tools Against Them
  27. 27. Hiding in Plain Sight ● SCCM traffic is completely normal in an enterprise network ● Admins and security staff have a harder time picking out malicious activity if it uses already existing technology. ● Instead of looking “like an adversary”, become a system administrator! ○ Utilize tools that exist and are expected in a target network
  28. 28. Attacking SCCM Without DA ● Contrary to popular belief, attacking SCCM does not require Domain Admin rights ○ all you need is local admin rights on the SCCM server! ● Most organizations try to practice the concept of least privilege ● If you can compromise a server administrator or SCCM admin, you can compromise SCCM, and every machine administered by SCCM
  29. 29. Targeting SCCM Admins ● PowerView’s Get-NetGroup function allows you to hunt for groups pertaining to SCCM ○ Get-NetGroup -GroupName *sccm* ● For domain users, some organizations separate out administrative functionality into multiple accounts for the same person ○ Group correlation can sometimes get a bit complicated ○ See Troopers 2016 “I Have the Power(View)”
  30. 30. SCCM for code execution ● SCCM clients constantly check the SCCM server for any new content deployed to them ● We can: ○ Host a binary payload on an accessible share ○ Create a malicious deployment package/application ○ Push the application out to a target machine collection ● And the code executes as SYSTEM!
  31. 31. Using PowerSCCM for ‘Evil’ Weaponizing Offensive SCCM
  32. 32. Offensive Cmdlets New-SccmCollection Create a SCCM collection to place target computers/users in for application deployment. Add-SccmDeviceToCollection Add a computer to a device collection for application deployment. Add-SccmUserToCollection Add a domain user to a user collection for application deployment. New-SccmApplication Creates a hidden application via WMI that can be deployed to any collection. This application will not show up in the Configuration Manager Console New-SccmApplicationDeployment Deploys an application to a specific collection. Invoke-SCCMDeviceCheckin Forces all members of a collection to immediately check for Machine policy updates and execute any new applications available. Find-LocalSCCMInfo Queries the local SMS_Authority Class to determine the Site Code and the Management Point
  33. 33. Hunting for Users ● PowerSCCM can ‘hunt’ for hosts that a user of interest last logged into: ○ Get-SCCMSession | Get-SCCMComputer | ?{$_. LastLogonUserName -eq "Matt"} ● You can also derive this information by observing the console usage logged by SCCM for each client: ○ Get-SCCMsession | Get-SccmConsoleUsage - SystemConsoleUserFilter "LABMatt" | Select-Object SystemName
  34. 34. Hunting for Users (cont.)
  35. 35. Grouping our Targets ● SCCM pushes content out only to specified user/device groups (known as “collections”) ● After identifying where our target users are logged in, we need to: ○ Group the targets into a device collection ○ Push out the malicious applications to the target collection ● Mass pwnage == bad , targeted/controlled pwnage == good
  36. 36. Grouping using PowerSCCM ● We can create the Device collection using the New-SccmCollection cmdlet: ○ Get-SCCMSession | New-SccmCollection - CollectionName “targets” -CollectionType “Device” ● With the collection created, we can add our target hosts into it by using the Add- SccmDeviceToCollection cmdlet: ○ Get-SCCMSession | Add-SccmDeviceToCollection - ComputerNameToAdd "CORPWKSTNX64" - CollectionName "targets"
  37. 37. Creating Malicious Applications ● PowerSCCM has heavily automated remotely creating malicious applications ○ This can be done entirely from a normal workstation (no RDP, etc.) by utilizing WMI ● SCCM stores a lot of the application info in the SMS_Application WMI class ○ We are able to create a new hidden application by populating the WMI class manually ○ Just set the ‘IsHidden’ field, yes it’s that easy
  38. 38. Creating Malicious Applications (cont.) ● This can be done using PowerSCCM’s New- SccmApplication cmdlet ○ Get-SccmSession | New-SccmApplication - ApplicationName "myApp" -PowerShellB64 "Y21kIC9jIGNhbGMuZXhlCg==" ● This will: ○ stuff our payload in a WMI class (Win32_Debug) on the SCCM server ○ open that class up to “everyone” ○ set the application to fetch the payload and execute it
  39. 39. Creating Malicious Applications (cont.)
  40. 40. Deploying Malicious Applications ● With targets grouped and applications created, deploying the application to the target group is the last step. ● PowerSCCM makes this simple to do via the New-SccmApplicationDeployment cmdlet:
  41. 41. Forcing Clients to Check-in ● After deploying the application, the client needs to check-in before it will execute it. ● We can force client to check-in outside of the normal interval with Invoke- SccmDeviceCheckin: ○ We invoke the “InitiateClientOperation” method in the SMS_ClientOperation WMI class on the SCCM Server
  42. 42. Using (Power)SCCM for ‘Good’ Why Not Use What’s Already Deployed?
  43. 43. SCCM As a Defensive Solution ● Since SCCM already acts as an inventory agent for machines it’s installed on, we can take advantage of a number of the information gathering compoments ● Previous (defensive) work: ○ “Using SCCM to violate best practices” by Brandon Helms ○ “Microsoft’s Accidental Enterprise DFIR Tool” by Keith Tyler ○ “SCCM (System Center Configuration Manager) and Incident Response” part 1 and part 2 on the Hexacorn blog ○ “Mining For Evil” by John McLeod and Mike Pilkington at the SANS 2013 DFIR Summit
  44. 44. Tuning SCCM For Defense (part 1) ● System Center Configuration Manager -> Administration -> ‘Client Settings’ -> client settings -> ‘Hardware Invetory’ -> Set Classes’ , ensure the following are enabled: ○ AutoStart Software – Asset Intelligence (SMS_AutoStartSoftware) ○ Browser Helper Object – Asset Intelligence (SMS_BrowserHelperObject) ○ Driver – VxD (Win32_DriverVXD) ○ Process (Win32_Process) ○ Recently Used Applications (CCM_RecentlyUsedApps) ○ Shares (Win32_Share) ○ System Console Usage – Asset Intelligence (SMS_SystemConsoleUsage) ○ System Console User – Asset Intelligence (SMS_SystemConsoleUser)
  45. 45. Tuning SCCM For Defense (Part 2) ● Ensure that under Settings -> ‘Software Metering’ is enabled and the schedule is what you want for your environment:
  46. 46. Tuning SCCM For Defense (Part 3) ● Under ‘Software Inventory’ set ‘Inventory these file types’ to all .exe’s on all hard disks:
  47. 47. Defensive Cmdlets Get-SccmService Information about the current set of running services on Sccm clients Get-SccmServiceHistory Information about the historical set of running services on Sccm clients Get-SccmAutoStart Information about programs registered in various autostart locations on Sccm clients Get-SccmProcess Information about the current set of running processes on Sccm clients Get-SccmProcessHistory Information about the historical set of running processes on Sccm clients Get-SccmRecentlyUsedApplication Information on recently launched applications on Sccm clients Get-SccmDriver Information on drivers installed on Sccm clients Get-SccmConsoleUsage Information on console usage on Sccm clients, complete with user information Get-SccmSoftwareFile Information on inventoried software files Get-SccmBrowserHelperObject Information on browser helper objects installed on Sccm clients
  48. 48. Defensive Cmdlets (Part 2) Find-SccmRenamedCMD Finds renamed cmd.exe executables using Get-SccmRecentlyUsedApplication and appropriate filters Find-SccmUnusualEXE Finds recently launched applications that don't end in *.exe using Get- SccmRecentlyUsedApplication and appropriate filters Find-SccmRareApplication Finds the rarest -Limit recently launched applications that don't end in *.exe using Get- SccmRecentlyUsedApplication and appropriate filters Find-SccmPostExploitation Finds recently launched applications commonly used in post-exploitation Find-SccmPostExploitationFile Finds indexed .exe's commonly used in post-exploitation Find-SccmMimikatz Finds launched mimikatz instances by searching the 'FileDescription' and 'CompanyName' fields of recently launched applications Find-SccmMimikatzFile Finds inventoried mimikatz.exe instances by searching the 'FileDescription' field of inventoried .exe's
  49. 49. SCCM and Splunk ● You can configure Splunk to automatically ingest from the SCCM SQL server under ‘Connections’: http://informationonsecurity.blogspot.com/2015/11/microsofts-accidental-enterprise-dfir.html
  50. 50. DEMOS
  51. 51. Questions? ● Get PowerSCCM: https://github. com/powershellmafia/PowerSCCM/ ● Read more: ○ Red: http://enigma0x3.net/2016/02/29/offensive- operations-with-powersccm/ ○ Blue: http://www.harmj0y.net/blog/defense/powersccm/ ● Contact us: ○ @enigma0x3 ○ @harmj0y ○ #psempire on Freenode