Pulling Passwords out of Configuration Manager: Practical Attacks against Microsoft's Endpoint Management Software

Presented at DEF CON 30 (2022), Aug. 12, 2022, 6 p.m. (45 minutes)

System Center Configuration Manager, now Microsoft Endpoint Configuration Manager (MECM), is a software management product that has been widely adopted by large organizations to deploy, update, and manage software; it is commonly responsible for the deployment and management of the majority of server and workstation machines in enterprise Windows environments.

This talk will provide an outline of how MECM is used to deploy machines into enterprise environments (typically through network booting, although it supports various Operating System deployment techniques), and will explore attacks that allow Active Directory credentials to be extracted from this process. The common MECM misconfigurations leading to these attacks will be detailed and, in so doing, the talk will aim to show how to identify and exploit these misconfigurations and how to defend against these attacks. Each viable attack will be discussed in depth (mostly by discussing the protocols and architecture in use, but sometimes by diving into relevant code, if necessary) so that the context of how and why the attack works will be understood. These concepts will be illustrated through the demo and release of a tool that allows for the extraction of credentials from several of the onsite deployment techniques that MECM supports.

Presenters:

• Christopher Panayi - Chief Research Officer, MWR CyberSec
  Christopher is the Chief Research Officer at MWR CyberSec (https://mwrcybersec.com), having previously led cyber-defense, red team, and targeted attack simulation (TAS) engagements for several years, as well as having designed and help run the in-house training programme for security consultants at MWR. As part of this work, a major focus area for him had been understanding attack techniques impacting Active Directory (AD); this led to publications such as: a discussion of practical ways to perform pass-the-hash attacks (https://labs.f-secure.com/blog/pth-attacks-against-ntlm-authenticated-web-applications/) and a discussion of the previous gold standard in AD security, the red forest, and why it did not meet its goal of making environments more secure in many cases (https://www.f-secure.com/content/dam/press/ja/media-library/reports/F-Secure%20Whitepaper%20-%20Tending%20To%20the%20Red%20Forest%20(English).pdf). His interest in how things work at a deep technical level - and desire to develop an understanding of how to use this information to compromise and secure systems and environments - has led him to his current focus, investigating and understanding Microsoft Endpoint Configuration Manager, how it interacts with AD, and how to abuse its configuration to attack enterprise environments.

Links:

• https://forum.defcon.org/node/241925
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Christopher Panayi - Pulling Passwords out of Configuration Manager - Practical Attacks against MS Endpoint Management Software.mp4
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Christopher Panayi - Pulling Passwords out of Configuration Manager.srt (subtitles)

Similar Presentations:

• REcon 2023 / Press Play to Restart: Under the Hood of the Windows Restart Manager
• Wild West Hackin' Fest 2017 / 0wning the network with CrackMapExec v4.0
• AppSec USA 2015 / Security as Code: A New Frontier